Data is king but with conditions under Nigeria’s Data Protection Law

Corporations possessing large data of Nigerians must develop data management processes to protect the data.

Affected firms should conduct audits of their data management processes by 25th July 2019.

A Nigerian entity transferring data to a foreign entity must seek appropriate regulatory approvals or consent from the data subjects.

Photo by AbsolutVision on Unsplash

In January 2019, Nigeria joined a growing number of nations fighting to protect the privacy of personal data used in online transactions. Persons obtaining personal data of Nigerians both home and abroad have a duty of care to ensure the data is not compromised either by acts of omission or commission. In a digital economy where cybersecurity is core to a firm's survival, the duty of care isn't an easy one to observe. However, abiding by the rules will save corporations a ton of money in damages arising from misuse of data or penalties from failure to comply. The question is, what are these rules? This article discusses the core aspects of the Nigerian Data Protection Regulation ('The Regulation'), which any person using or controlling personal data of others must observe.

Affected Firms

Any firm in possession of data which is identifiable to a person falls within the scope of the Regulation. Identifiable information includes names, identification numbers, the location of persons, or other methods of identifying a person, whether by physical, physiological, or cultural features. Examples of firms that could be affected include banks, fintech companies, government departments, HR firms; news, entertainment or blogging platforms with subscription forms that collect data from users on their websites; large corporations with a database of their employees, payment platforms that store information of customers, banks, and so on. Affected firms must obtain such data lawfully.

The Regulation only applies when personal data collected relates to Nigerian residents or persons of Nigerian descent who are resident abroad ('Nigerian person').

Affected firms in public and private sectors were required to publish their data protection policies in compliance with the Regulation by 25th April 2019. They are also expected to appoint a data protection officer in charge of ensuring compliance with the Regulation. In recent times Nigeria experienced growth of tech startups primarily in the fintech industry. These firms will be affected by the Regulation because of their access to private information of many Nigerians. Thus it is necessary they develop a unit solely focused on managing the data, and reporting their data protection policies to the National Information Technology Development Agency (the "Agency").

When data processing is lawful

A person in possession of personal data can lawfully process it if granted consent, or if acting according to a legal obligation or a contract with the Nigerian subject, or for the protection of the Nigerian person or the public.

A firm obtains consent validly where there is an absence of fraud, coercion, or undue influence, and the person can give consent. For persons obtaining data through online platforms, it is necessary that data collection forms allow users to accept the collection of their personal information expressly. Users must also know the specific reasons why their data is collected. Some online platforms notify users in their cookie policies that their information is collected to enrich their experience when using the platform. Others notify users in their privacy policy on how they use their data. As a firm interested in collecting data from users, you can include the following clause in your privacy policy, which should be linkable from your contact collection form:

In the course of using our Service, we may ask that you provide personally identifiable information so we can contact or identify you ("Personal Data"). Such information includes, but is not limited to:

  • Email address

  • First name and last name Phone number

  • Cookies and Usage Data

We use your Personal Data for legitimate business purposes to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You have the right to decline future receipt of any, or all such communications from us by clicking the unsubscribe link or instructions provided in any email we send.

A firm must restrict the use of such data to the purposes listed in their privacy policies which must be available on their online platforms.

Additionally, the forms should contain opt-in options where users confirm their legal age is above 18 to ensure they have the legal capacity to give such consent.

Safeguards required by the Act

The data held by some firms in Nigeria have enormous value. An example, for instance, is Firm A who has information on software developers and their skill sets. At the moment, they are in high demand in Nigeria because various companies are migrating to the cloud and need persons that can manage their database and information systems. Rather than company B's HR department to engage in a wild goose chase searching for software developers, they can pay Firm A to provide direct information on developers with specific skill sets.

Individuals whose information Firm A controls also need protection. Thus the Regulation imposes a duty of care on Firm A in regards to the data they possess. It must create a system that protects their database from cyber-attacks, thefts, breaches, and any form of manipulation or damage by natural elements such as rain or fire. It is advisable Firm A develops an internal policy for accessing such data. For instance, restricting access to certain persons within the IT department and engaging in continuous training on management of the database. Any policy developed must extend to third parties who process the data.

Over time, it is advisable firms conduct audits of their privacy and data protection practices. The Regulation mandates the first of such audit to be done within six months after the Regulation was published. Since the release of the Regulation on 25th January 2019, affected firms should conduct their first audit by 25th July 2019. The audit summary must be submitted to the Agency if a firm processes data of more than 1000 persons within six months or 2000 persons within a year.

Requirements when transferring data to a foreign country

Any transfer of data from Nigeria to a foreign country is still subject to the Regulation. Additionally, firms would have to seek the permission of the Agency and be supervised by the Attorney General (the “AG”).

Before permitting any transfer, the Agency will determine if adequate safeguards exist in the foreign country to protect such data. On the other hand, the AG looks into the implementation of data protection laws and the effectiveness of the foreign country’s administrative and judicial process.

At the moment, the European Union, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US have implemented data protection laws that similarly regulate the mining and use of data by firms. Nigerian firms dealing with foreign firms in data processing should pay attention to the regulatory environment in which they operate. The Agency and AG are more likely to refuse such transfer where the foreign country has no data protection laws.

Grey areas may exist when dealing with multinational corporations. For instance, a foreign corporation acquires a Nigerian firm. A subsidiary in another foreign country may be handling part of the foreign corporation's data management and processing. In such cases, it is best to seek proper counsel and get authorization during the acquisition process to avoid post-acquisition issues with the Nigerian government.

In the absence of the Agency or AG's consent, a Nigerian firm can still transfer data abroad if the individual owners of the data are informed of the risks and expressly consent to the transfer, or by meeting certain conditions specified by the Regulation.

Implications of violating the Regulation

Criminal and civil penalties may result from not complying with the Regulation. For civil penalties, fines imposed depends on the number of persons whose information is controlled by a firm. If more than 10,000, a firm is liable to pay the greater of 2% of its annual gross revenue for the previous year or NGN 10 Million (USD 27,548). If less than 10,000 the fine is reduced to the greater of 1% of its annual gross revenue in the last year or NGN 2 Million (USD 5,510).


While firms would face increased compliance costs, there are opportunities the Regulation brings. These opportunities include jobs for data analysts, statisticians, database managers, and cybersecurity experts.

There is also likely to be business opportunities for startups involved in cybersecurity, training of technical experts in data management skills, and recruitment of database managers who can assist affected firms in complying with the Regulation.