Nigeria’s Data Protection Law Explained: What Every Business Must Know

Did you know that right now, your business could be violating a Nigerian law that carries fines running into millions, without even realizing it until an enforcement notice lands on your desk?
If you handle even a single customer’s phone number or a staff member’s BVN, you are in the crosshairs of the Nigeria Data Protection Act (NDPA).
This isn't just "big company" talk. Whether you run a pharmacy in Onitsha, a fintech startup in Yaba, or a law firm in Abuja, the rules of doing business in Nigeria, as they relate to data protection, changed on June 12, 2023. That was the day the NDPA was signed into law, and at Accuvice Solutions Limited, we’re here to help you navigate it.
What Exactly is the NDPA?
The NDPA is essentially the "Constitution" of privacy in Nigeria. It’s a federal law designed to protect the "Data Subject," which includes your customers, employees, and vendors.
The law also established the Nigeria Data Protection Commission (NDPC). Think of them as the "EFCC of Data." Their job is to ensure that any business operating in Nigeria handles personal information with the same care you’d handle cash in a vault. In the digital age, data is the new oil, and the regulator is here to ensure no one is "spilling" it through negligence.
Who Must Comply? (Controller vs. Processor)
The law divides businesses into two main roles. It’s vital to know which one you are:
- Data Controller: This is the person or company that decides why and how data is collected. If you own a hospital and collect patient records, you are the Controller.
- Data Processor: This is an entity that handles data on behalf of a controller. If you are an HR firm handling payroll for ten different companies, you are a Processor.
The Rule of Thumb: In Nigeria, if you process the data of more than 200 people within six months, you are likely a "Data Controller of Major Importance," meaning the NDPC has an extra-bright spotlight on your business.
The 5 Key Obligations of a Nigerian Business Owner
Compliance isn't a "one-and-done" task. To stay on the right side of the law, you must meet these five duties:
1. Lawful Basis
You cannot collect data just because you feel like it. You must have a legal reason: usually that the customer gave Consent, that you need the data to fulfill a Contract or a Legal Obligation, or that the processing serves a Legitimate Interest, Public Interest, or Vital Interest.
2. Transparency
You must have a clear Privacy Policy. This document must tell people exactly what you’re doing with their information, how long you're keeping it, and who you're sharing it with, and so on.
3. Data Security
You must use "Technical and Organizational measures." This includes encryption, strong passwords, and training your staff not to share sensitive customer details in casual WhatsApp groups.
4. Data Subject Rights
If a customer calls and says, "Delete my data," or "Show me what you have on me," the law requires you to respond within a specific timeframe.
5. Audit & Filing
Major businesses must conduct an annual Data Protection Audit and file it with the Commission on or before March 31st.
The Cost of Non-Compliance: Penalties
Let’s talk about the part that keeps CEOs awake: the fines.
- For Major Controllers: Fines can reach up to ₦10 million or 2% of your entire annual gross revenue—whichever is higher.
- For Smaller Businesses: Fines reach up to ₦2 million or 2% of revenue.
Beyond the money, there is the reputational damage. When a brand is associated with a "Data Breach," customers move to competitors they can trust.
3 Steps to Start Your Compliance Journey Today
Don't panic. Compliance is a journey, and you can start today with these three steps:
- Step 1: The Data Inventory. Write down exactly what personal data you collect, where it’s stored (is it in a locked cabinet or a random Google Sheet?), and who has access to it.
- Step 2: Update Your Privacy Policy. Make sure it’s written in clear English, not "Legalese," and accurately reflects your business practices.
- Step 3: Appoint a Privacy Champion. Large organizations are legally required to have a Data Protection Officer (DPO). If you’re smaller, assign one person to lead your privacy efforts.
Get Your Free Compliance Checklist
Data protection is the new standard of excellence in Nigeria. Protecting your data is protecting your business. Read our Blog post: "Your Business Is Leaking Data and How to Stop It" to get the "5-Step Data Security Health Checklist".
Contact Accuvice Solutions Limited today to book a professional consultation.
Stay compliant, stay secure.
Written by Olusola Akinbode