16 Important Facts You Need to Know about Data and Privacy Protection in Nigeria

This article examines and highlights important facts to know about data privacy protection in Nigeria. 

Nigeria has the Nigeria Data Protection Regulation, 2019 (NDPR) which serves as the principal regulation that regulates data protection in Nigeria currently. 

Data is defined by the NDPR regulation as “characters, symbols and binary on which operations are performed by a computer. Which may be stored or transmitted in the form of electronic signals is stored in any format or any device.”

Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others. 

To properly protect personal data and privacy of natural persons we need both data privacy and data security. Data privacy; deals with data protection laws and regulations, it focuses on how to collect, process, share, archive and delete the data. 

Data Security; deals with the measures that an organization is taking in order to protect and prevent any third party from unauthorized access. It focuses on the protection of data from malicious attacks and prevents the exploitation of stolen data(Data breach or cyber-attack).

The following are some important facts to know about data and privacy protection in Nigeria. 

  1. The Nigeria Data Protection Regulation, 2019 (NDPR) serves as the principal regulation that regulates data protection in Nigeria currently. The NDPR was issued by the National Information Technology Development Agency, the body statutorily mandated by the NITDA Act of 2007 to develop regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions in Nigeria.
  1. There are other enactments that regulate data privacy protection in Nigeria, these enactments include;
  1. The Constitution of the Federal Republic of Nigeria 1999 (as amended); the Constitution guarantees citizens’ privacy, particularly section 37 of the Constitution which protects citizens’ right of privacy.
  2. The Child’s Rights Act 2003; protects the rights of Nigerian children, including rights to privacy as guaranteed by the Constitution. Particularly Section 8 of the Child’s Right Act, protects the child’s right to privacy, family life, home, correspondence, telephone conversation and telegraphic communications, and non-interference with these rights, subject to reasonable supervision and control by parents or legal guardians.
  3. The Cybercrimes (Prohibition, Prevention, etc.) Act, 2015; the Act criminalises abuse and misuse of data for fraudulent purposes. 
  4. The National Identity Management Commission Act, 2007; The NIMC Act prohibits access to individuals’ personal information in the national database. Particularly, Section 26(1) of the NIMC Act prohibits any person or corporate body from having access to the data or information contained in the database.
  5. The Nigerian Communications Act, 2003; The Act established the NCC which is the body that regulates the telecommunications sector in Nigeria. 
  6. The Freedom of Information Act, 2011; the Act governs use of public records and information in Nigeria, particularly Section 14 of the Freedom of Information Act which safeguards data protection in relation to personal data by restricting disclosure of personal records without obtaining consent from the data subject.
  7. The National Health Act, 2014; the Act contains provisions on how personal information of data subjects will be accessed. Sections 25-29 of the Act provide for an obligation for health service providers to keep records confidential, access to health records, and protect health records.
  1. The NDPR Regulation applies to all natural persons resident in Nigeria or residing outside Nigeria but of Nigerian descent and all organizations processing personal data of such individuals. 

See section 1.2 of the NDPR.

  1. Personal data may only be processed if at least one of five legal bases are met: 

(1)The data subject provides consent to the processing of his or her personal data for one or more specific purposes;

(2) Processing the Personal Data is needed for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;;

(3) The Personal Data is needed to meet a legal obligation to which the Controller is subject; 

(4) To protect the vital interests of the data subject or of another natural person and; 

(5) For the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller;

See section 2.3 of NDPR.


Data Controller is under obligation to ensure that consent of a Data Subject has been obtained without fraud, coercion or undue influence before processing his or her personal data. Where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her personal data and the legal capacity to give consent.

Prior to giving consent, the Data Subject shall be informed of his or right

And the ease to withdraw his consent at any time.

See section 2.3 of NDPR.


Data processing by a third party shall be governed by a written contract between the third party and the data controller. Any person engaging a third party to process the data obtained from data subjects is required to comply accordingly.

See section 2.7 of NDPR.


Organizations are mandated to display a “simple and conspicuous” privacy policy that contains specified content that the class of Data Subjects being targeted can easily understand.

See section 2.5 of NDPR.


Organizations must develop security measures to protect personal data, including setting up firewalls, implementing access controls, encrypting personal data, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff. 

See section 2.6 of NDPR.


Data subjects have the following rights, 

(1) Right to object to the processing of their personal data for marketing purposes.

(2) Right to access their personal data.

(3) Right to obtain information about the processing of their personal data. 

(4)Right to have their personal data deleted or right to be forgotten (where certain criteria are met).

(5)Right to have their personal data corrected.

(6) Right to restrict the processing of their personal data.

(7) Right to data portability.

(8) Right to withdraw consent to the processing of their personal data.

(9)Right to data accuracy

(10)Right to lodge a complaint with the NITDA or another relevant regulatory body.



The transfer of personal data which are undergoing processing or are intended for processing after transfer to a foreign country or to an international organisation shall take place subject to the other provisions of this Regulation and the supervision of the Honourable Attorney General of the Federation (HAGF).

See section 2.11 of NDPR.

  1.  All public and private organizations in Nigeria that control data of natural persons are mandated to make available to the general public their respective data protection Policies; which Policies shall be inconformity with this Regulation within 3 months after the date of the issuance of the NDPR 2019.

See section 3.1 of NDPR.


Every data controller must designate a Data Protection Officer (“DPO”) to ensure compliance with the Regulation, relevant data privacy instruments and data protection directives of the data controller. A data controller may outsource data protection to a verifiably competent firm or person.

See section 3.1.2 of NDPR.


Within six months of the issuance of the Regulation, each organization subject to the Regulation is required to conduct a detailed audit of its privacy and data protection practices, in compliance with the requirements of the NDPR Regulation.

See section 3.15 of NDPR.

  1. Data controllers who processed the personal data of more than 1,000 data subjects in a six-month period must provide a soft copy of the audit summary to the NITDA.

See section 3.1.6 NDPR.

  1. Data controllers who processed the personal data of more than 2,000 data subjects within a 12-month period must submit a summary of its audit to the NITDA not later than the March 15th of the following year,.

See section 3.1.7 NDPR.


The regulation (NDPR) provides that any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable in addition to any other criminal

Liability, the following:

a) In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater;

b) In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira whichever is greater.

See section 2.10 of NDPR.

Written by Ebenezer Amadi, Esq. Data and Privacy Protection Lawyer. Abuja. 08061194337


Leave a Reply

Your email address will not be published. Required fields are marked *