The Obligations And Challenges Of Nigerian Companies Under Nigeria’s Data Protection Regime


Data is information, especially facts or numbers, collected to be examined, considered and used to help decision-making, or information in an electronic form that can be stored and processed by a computer. Through technological advancement and digital inclusion, data has become more valuable than oil. The fact that the five most valuable corporations in the world are technology companies that trade in data, together with the growing interest in the instruments provided by digital technology and the internet, bolsters this view.


The importance of data led to the need for data protection. Data protection is an extension of the fundamental right to privacy. It includes the mechanisms, laws and regulations that make it unlawful to store or share certain types of information about people without their knowledge or permission.


Many small and medium enterprises (SMEs) are of the opinion that protecting customer privacy is an issue only for large businesses such as MTNN and Zenith Bank. This could not be farther from the truth. Many small companies have lost customer trust or even been sued over privacy mishaps in recent years. Some have seen customers bolt to other platforms, or demand that their data be deleted entirely, after data breaches.

This does not even take into account the regulators, who do not tolerate data breaches. The problems non-compliant businesses face will only increase as data collection grows in size and importance for modern SMEs under the Fourth Industrial Revolution. The vast importance of data to industry, commerce and human development has made data protection a necessity.

Data protection is widely regarded as an extension of fundamental human rights. Its essence, for an individual or a company, is to minimise the risk of identity theft, exploitation and manipulation. Personal data reveals a great deal about a person: their thoughts, life, choices and finances. Data protection exists to enable individuals and companies to take control of their personal information.

Furthermore, it makes the body or platform that decides how personal data is used, usually referred to as the data controller, accountable to the data subject: where the controller breaches its obligations in relation to a data subject's personal data, the data subject has a cause of action against the controller. Data protection also gives the data subject the right to know what personal data the controller holds about them and the extent of that data. It likewise imposes obligations on the data controller in relation to the data of individuals and companies.


In 2013 and 2014, about 3 billion Yahoo accounts were compromised. The breaches exposed names, email addresses, hashed passwords, dates of birth, telephone numbers, and security questions and answers. In 2016, LinkedIn had a similar experience when the credentials of over 117 million accounts, stolen in an earlier 2012 intrusion, were offered for sale by a hacker using the alias "Peace".

In 2018 it emerged that Cambridge Analytica had acquired the personally identifiable information of up to 87 million Facebook users without their consent, a significant breach. The compromised data was used to build psychographic profiles for a political campaign. The data was detailed enough to suggest what kind of advertisement would be most effective in persuading a particular person in a particular location about a particular political event.

About 57 million user and driver records were compromised in October 2016 when two hackers obtained login credentials for data stored in Uber's Amazon Web Services account; the credentials had been left in a private GitHub repository used by Uber engineers. Using those credentials, the attackers accessed Uber's cloud storage and downloaded 16 large files containing user information, exposing 25.6 million names, email addresses and phone numbers, 22.1 million names and phone numbers, and 607,000 names and driver's licence numbers. In September 2019, a number of users of the Bolt (formerly Taxify) app who had saved their card details in the app received unauthorised debit alerts. Although the company stated that it had not been hacked, users' data had evidently been compromised.


The following laws and regulations form the principal framework for data protection in Nigeria:

  1. The Constitution of the Federal Republic of Nigeria
  2. Freedom of Information Act No. 4 of 2011
  3. The Child Rights Act of 2003
  4. The Consumer Code of Practice Regulations 2007
  5. Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011
  6. The Cybercrimes (Prohibition, Prevention etc.) Act of 2015
  7. The National Identity Management Commission (NIMC) Act
  8. The Immigration Act
  9. The Nigerian Data Protection Regulation 2019
  10. The General Data Protection Regulation
  11. Personal Information and Data Protection Bill

The Nigerian Data Protection Regulation 2019: This Regulation was issued by the National Information Technology Development Agency (NITDA) for the purpose of protecting the right to privacy guaranteed under Chapter IV of the 1999 Constitution of the Federal Republic of Nigeria. It applies to federal, state and local government agencies and institutions, as well as private sector organisations, that own, use or deploy information systems within Nigeria, and to the processing of the personal data of Nigerian residents and citizens whether within or outside Nigeria. The Regulation imposes obligations on organisations acting as data controllers or processors, and stipulates that the purposes for which a data subject's personal data will be used must be disclosed to the data subject and that the data subject's consent must be obtained.

The General Data Protection Regulation: As an EU regulation, the GDPR applies directly without needing to be transposed into the national law of each member state. It applies to the processing of personal data by any organisation established in the European Union, and to organisations outside the EU whose processing activities relate to offering goods and services to, or monitoring the behaviour of, data subjects in the EU, which is how it reaches Nigerian companies. The Regulation puts individuals back in control of their data: the purposes of processing must be disclosed to the data subject and, where consent is the lawful basis relied upon, that consent must be obtained from the data subject. It also creates new rights such as the "right to be forgotten" and the "right to data portability".

Personal Information and Data Protection Bill: The purpose of this bill, currently before the National Assembly, is to establish rules governing the collection, use and disclosure of personal information in a manner that recognises the right to privacy of individuals and the need of organisations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. The bill applies to organisations and their employees that collect, use or disclose personal information in the course of commercial activities. It excludes, however, government institutions, individuals who collect personal information for personal or domestic purposes, and organisations that collect personal data for journalistic, artistic or literary purposes.


The legal framework provides punishments for infringement. Notably, Article 2.10 of the Nigerian Data Protection Regulation provides that any person subject to the Regulation who is found to be in breach of the data privacy rights of any data subject shall be liable, in addition to any other criminal liability, to the following:

  1. in the case of a data controller dealing with more than 10,000 data subjects, payment of a fine of 2% of the annual gross revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater;
  2. in the case of a data controller dealing with fewer than 10,000 data subjects, payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

Penalties under the GDPR: Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most severe infringements, such as processing without a valid lawful basis (for example, without sufficient consent) or violating the core principles of privacy by design. Fines are tiered: a company can be fined up to 2% of annual global turnover or €10 million, whichever is greater, for lesser failures such as not keeping proper records of processing (Article 30), not notifying the supervisory authority and data subjects about a breach, or not conducting a required data protection impact assessment. These rules apply to both controllers and processors, so cloud service providers are not exempt from GDPR enforcement.

These penalties do not preclude individuals from seeking their own redress against companies that misuse their data.


Companies face significant challenges in protecting data. A few of those challenges include:

  1. Rapid data growth and security threats that fall outside the scope of current legislation.
  2. Unethical computer users.
  3. Power blackouts and failures, which affect the functionality and reliability of hardware such as servers and the software that runs on it.
  4. The high cost of the technical expertise and infrastructure needed to fulfil the obligations placed on SMEs by the various data protection regulations.
  5. Third-party and employee breaches: employees of the data controller who hold legitimate access credentials to the system are responsible for 52% of recorded security breaches.


IBM's 2014 Cyber Security Intelligence Index highlights that 95% of breaches involving employees have the potential to expose sensitive company data. The report lays the blame on some common but highly preventable behaviours, including using simplistic passwords, failing to recognise a phishing attack, and misplacing laptops and external hard drives.

These problems, while complex, can be combatted with a proactive strategy for the protection of data. At times protecting customer privacy seems a burden on the company. It has its rewards, however: when data is handled correctly it can create customer goodwill and even lift sales while reducing business and legal risk. Such a strategy usually involves more than securing a network against hackers and posting a boilerplate privacy policy. To this end, we suggest the following to companies that are eager to respect their clients' data:

  1. Conduct a detailed data privacy audit: This entails understanding the business's needs, what data it is collecting, and how that data is stored and secured. It is also crucial to consider the additional legal obligations that arise from handling medical, financial or minors' data.

Businesses often collect more data than they realise, because third-party software code they have embedded does so automatically or because a partner, such as an advertising network or analytics company, is pulling data. Unnecessary information should be properly disposed of, and to keep it from accumulating again, responsibility for monitoring what is continuously collected should sit with a named person, whether a full-fledged chief privacy officer or simply the marketing director.

  2. Minimise data collection and retention: Flowing from the above, what one does not hold cannot hurt one. Privacy advocates recommend that companies collect and store only the data they need to deliver their product or service. Businesses sometimes gather extra information because they think they might need it in the future, but doing so increases risk: the data can be lost or stolen by hackers, and customers may rebel if they feel the business is asking unnecessarily intrusive questions.
  3. Secure the data the business keeps: Even if the business does not take debit card numbers, the other personal data it keeps could be valuable to identity fraudsters. It is embarrassing, not to mention costly and damaging, to tell customers that their personal information has been compromised in a hack, and such disclosure is legally required under the NDPR and the GDPR.
  4. Post a privacy policy: Commercial website owners are required under the GDPR to post a privacy policy, and most app platforms also require one, especially where the application or website transmits data. It is not enough to cut and paste a generic boilerplate policy: regulators consider privacy policies legally binding agreements between a business and its customers, so businesses should describe their actual current practices fully and accurately.
  5. Communicate with consumers: A privacy policy is a legal document that most customers rarely read. They do, however, expect simple and clear descriptions of company data practices at critical moments, such as when they are asked to provide data, when the business adds new features to a product or service, or when it changes its policy.

Privacy advocates and industry groups recommend direct, upfront communication with customers about the data a business collects and what it plans to do with it. This is especially important for SMEs without recognised brands that people already know and trust. Most consumers will happily supply the personal data necessary for a service they want. For instance, Jumia keeps purchase data and uses it to deliver product recommendations that millions of customers embrace.

  6. Give consumers a choice: Recent research suggests customers expect settings and features that let them choose whether to share data, not eloquent flattery about how much the business respects their privacy. They want to see signs that businesses are serving them, not selling them; after all, if they are not the customer, they are the product.
  7. Provide a forum for complaints: Businesses can give customers an online form or email address for raising privacy problems or concerns. Such two-way communication helps build trust and loyalty and can head off potential privacy crises. Taking all of the above steps will go a long way towards handling data protection issues and building rapport between a business and its customers.

On that note, we conclude that data protection is one of the defining legal issues of our time. Businesses that wish to exploit the many benefits of data collection must be prepared to protect all the data they acquire. As Uncle Ben said, "With great power comes great responsibility". The recent laws and regulations on data protection in Nigeria have imposed more stringent obligations on Nigerian companies: to use the data they receive judiciously, to disclose the purposes for which the data will be used, and to seek the consent of the data subject.

Nwachukwu Obi
Victoria Orodeji
