
Beyond compliance: Data protection and privacy concerns in Nigeria’s tech space

By Omoruyi Edoigiawerie, Esq

 

Nigeria’s tech ecosystem is booming, with digital services shaping the country’s economic landscape.

However, with this rapid growth comes the critical challenge of protecting personal data. Nigerian consumers are increasingly concerned about how their data is collected, stored, and shared and whether businesses are doing enough to safeguard their privacy.

In 2023, the Nigerian government responded to these concerns with the enactment of the Nigeria Data Protection Act (NDPA) and the establishment of the Nigeria Data Protection Commission (NDPC), which morphed from the Nigerian Data Protection Bureau.

These regulatory developments mark a new era in data protection, enforcing stricter rules for how companies handle personal data. A critical upcoming deadline is the 30th of September, 2024, which has been set by the NDPC for the registration of data controllers and processors of major importance. This underscores the importance of businesses aligning themselves with Nigeria’s evolving data privacy landscape.

 

*Rise of digital services and data privacy concerns

Nigeria’s digital economy is growing fast, with over 108 million internet users and increasing penetration of mobile-first services. Several tech giants operating in the digital space handle vast amounts of personal data daily, from payment details to location data, shopping behaviours to social media interactions.

But with the benefits of digitalization comes the risk of data breaches, identity theft, and misuse of personal information. In 2022 alone, Nigeria was one of Africa’s most targeted countries for cyberattacks, with small and medium-sized enterprises (SMEs) especially vulnerable due to weaker security systems. As the digital economy expands, businesses must address the security risks of collecting, processing, and storing personal data.

 

*Nigeria Data Protection Act and the NDPC’s role

In response to growing privacy concerns, the Nigerian government passed the Nigeria Data Protection Act (NDPA) in 2023, building on the earlier Nigeria Data Protection Regulation (NDPR). While there is room for improvement, the NDPA is more comprehensive. It aims to protect the personal data of Nigerians by setting strict standards for how organizations handle, store, and share personal information. This applies to all organizations—from tech start-ups and small and mid-sized businesses to large corporations—that collect data from Nigerian citizens.

To enforce the NDPA, the government established the Nigeria Data Protection Commission (NDPC), which has sweeping powers to regulate data practices across sectors. A crucial element of the NDPC’s mandate is ensuring that companies comply with the registration mandate of data controllers and processors of major importance. This step is vital in ensuring that the biggest data handlers in Nigeria are held accountable.

The NDPA mandates that organizations:

1. Obtain clear consent from individuals before collecting their data.

2. Provide transparency about how that data is used.

3. Implement strong security measures to prevent unauthorized access or data breaches.

4. Report any data breaches to the NDPC and affected individuals within a specified time.

5. Allow individuals to access, modify, or delete their data when requested.

 

Failure to comply with the NDPA can result in substantial penalties, with fines ranging from 2% to 5% of annual gross revenue, depending on the severity of the breach.

 

*Challenges to compliance with the NDPA

Despite the NDPA’s comprehensive framework, businesses in Nigeria face significant challenges in complying with the law:

a) Cost of Compliance

Many Nigerian businesses, especially SMEs, struggle to meet compliance costs. Data protection measures such as encryption, secure storage, and regular security audits require significant investment in technology and personnel. These costs can be prohibitive for startups, forcing them to choose between compliance and growth.

b) Lack of Awareness and Expertise

While larger companies are beginning to adopt data protection policies, many smaller businesses lack awareness of the NDPA and how it affects them. Even when aware, the technical expertise needed to implement the Act’s requirements, such as setting up secure data management systems, is often in short supply.

c) Weak Enforcement Capacity

While the NDPC is critical to enforcing the NDPA, regulating thousands of companies across Nigeria remains a challenge for it. Ensuring compliance across a tech ecosystem that spans various sectors is a herculean task. The NDPC will need to develop stronger enforcement mechanisms, such as regular audits and transparent reporting, to ensure that the provisions of the NDPA are effectively implemented.

 

*The role of Nigerian tech companies in data protection

Some of Nigeria’s most prominent tech companies have already started leading by example in data protection. Flutterwave and Paystack, for instance, have adopted end-to-end encryption and secure storage practices that align with local and global standards like the Payment Card Industry Data Security Standard (PCI-DSS).

Some E-commerce platforms have also revamped their data privacy policies, offering users more control over their data and complying with the NDPA’s consent requirements. These companies are critical players in promoting consumer trust and setting data protection benchmarks for other businesses.

Nigerian cybersecurity start-ups are also stepping in to assist other businesses by offering data protection and cybersecurity solutions, ensuring that businesses can protect user data while maintaining operational security. This effort must be ramped up to bridge the knowledge and implementation gap.

 

*Privacy concerns and consumer trust

Despite improvements in regulatory frameworks, many Nigerian consumers remain sceptical about how their data is handled. The lack of transparency in how companies collect, store, and use data undermines consumer trust. Many companies still rely on lengthy, opaque privacy policies that few users read or understand. This contributes to an environment where users feel uninformed and powerless over how their data is used.

The NDPA’s consent requirement offers a path forward, but businesses must go beyond simply complying with the law—they need to make data protection a core part of their operations. Clear and simple privacy policies and giving consumers the tools to manage their data will be critical in rebuilding trust in the digital economy.

 

*The road ahead for data protection in Nigeria

As Nigeria’s digital economy continues to grow, there are several key steps that the country must take to strengthen data protection:

a) Boost Public Awareness and Training

Both businesses and consumers need more education on the importance of data protection. The NDPC, in partnership with tech companies, should launch campaigns to raise awareness about data privacy, consumers’ rights, and businesses’ obligations under the NDPA. Training programs for companies, especially SMEs, would also go a long way in ensuring compliance. While this is currently being done, I believe much more can be done to ensure this awareness permeates the entire business landscape.

b) Strengthening Enforcement by the NDPC

The NDPC must significantly scale its capacity to monitor and enforce compliance with the NDPA. This could include publishing regular reports on enforcement actions taken and conducting random audits of high-risk organizations. Transparency in enforcement will be key to ensuring that all organizations take data protection seriously.

c) Cross-Border Data Protection

As more Nigerian businesses engage in cross-border data transactions, there is a need for Nigeria to establish international data protection agreements, especially with countries that have strong data protection laws like the EU’s General Data Protection Regulation (GDPR). These agreements will help Nigerian businesses navigate global data requirements while protecting the data of Nigerian citizens.

 

*Conclusion

The Nigeria Data Protection Act (NDPA) and the establishment of the Nigeria Data Protection Commission (NDPC) represent a pivotal advancement in safeguarding personal data within Nigeria’s rapidly evolving tech ecosystem. However, despite these regulatory strides, significant hurdles remain in the areas of compliance, industry awareness, and enforcement mechanisms. The impending September 30, 2024, deadline for the registration of data controllers and processors of major importance is a critical regulatory inflection point designed to enforce accountability across businesses.

As Nigeria continues its digital transformation, enterprises that embed robust data protection protocols into their operational frameworks will ensure regulatory alignment and foster enhanced trust and customer loyalty. The sustainability of Nigeria’s digital economy hinges on its ability to synergize innovation with rigorous data privacy and security standards.

From a regulatory perspective, the NDPC must go beyond mere compliance monitoring and adopt a proactive, collaborative approach to enforcement. It is imperative that the Commission guides businesses through the enforcement process, ensuring that the regulatory objectives of data protection are not only met but fully realized, thereby reinforcing the integrity and resilience of the tech ecosystem.

 

*Omoruyi Edoigiawerie is the Founder and Lead Partner at Edoigiawerie & Company LP, a full-service law firm offering bespoke legal services focusing on start-ups, established businesses, and upscale private clients in Nigeria. The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. His firm can be reached by email at hello@uyilaw.co
