Data Protection in Nigeria's TECH & TELECOM Sector
In Nigeria’s tech and telecom scene, data isn’t just fuel; it’s leverage. It decides who earns user trust, who gets that term sheet signed, and who quietly exits the market when regulators probe
Most founders don’t start their companies dreaming about data protection policies. You’re thinking of revenue, scale, users, and product-market fit. But as Nigeria’s digital economy matures, how you handle data is becoming as important as how you raise capital.
In today’s ecosystem, the real power isn’t just in having data, it’s in how securely, ethically, and intelligently you collect, use, and process it. From fintech platforms processing BVNs and users’ financial information to telecom operators tracking user metrics, every byte of data now sits at the intersection of innovation and risk.
A single compliance misstep can trigger a cascade of regulatory fines, investor red flags, and loss of consumer trust, among others. But when done right, strong data protection practices become a competitive advantage, a quiet signal to users, partners, and investors that your startup isn’t just growing fast, it’s building to last.
The Nigeria Data Protection Act (NDPA) 2023: What It Really Means for the Tech Ecosystem
Nigeria crossed a significant milestone in June 2023 when President Bola Tinubu signed the Nigeria Data Protection Act (NDPA) into law. For the first time, the country moved from a patchwork of regulatory frameworks to a comprehensive legal regime for data protection and privacy. This was not just an administrative update; it was a recognition that data has become one of Nigeria’s most valuable economic assets, and that value must be managed with structure, trust, and accountability.
Before the NDPA, the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), was the main instrument guiding privacy compliance. It was groundbreaking for its time, but its legal force was limited: it was a subsidiary regulation, not a legislative Act. That meant enforcement was inconsistent and penalties often symbolic. The NDPA changed that. It made data protection a national conversation, backed by clearer institutional authority and enforceable sanctions.
The Act established the Nigeria Data Protection Commission (NDPC), replacing the earlier NITDA Data Protection Bureau. This Commission now functions as an independent regulator, empowered to audit, investigate, penalize, and issue binding directives. For the first time, Nigeria’s privacy framework has the institutional support to mandate compliance.
What does this mean for founders?
In essence, the NDPA formalizes how Nigerian businesses, especially those in fintech, telecom, and data-heavy tech sectors, must collect, process, store, transmit, and delete personal data.
The Act adopts a broad definition of personal data as any information that can directly or indirectly identify an individual, including names, phone numbers, BVNs, NINs, addresses, financial records, and even device identifiers. For startups, this means that every form, onboarding page, analytics dashboard, etc., that captures user details is potentially governed by the NDPA.
More importantly, the Act introduces the concept of extraterritoriality. This means a company doesn’t have to be based in Nigeria to fall under the NDPA. If your startup, even if incorporated in Delaware or Nairobi, as long as you target Nigerian users or process their data, you are within the jurisdiction of the Nigerian regulator. This is a direct nod to global privacy models like the EU’s General Data Protection Regulation (GDPR), signaling Nigeria’s intention to harmonize with international best practices.
Another critical innovation is the classification of “Data Controllers” and “Data Controllers/Processors of Major Importance.” The NDPC may designate a company as a Controller of Major Importance (DCMI) if it handles large volumes of data or processes information that could significantly affect individuals’ rights, think of payment platforms, digital lenders, telecom operators, and large-scale SaaS providers. Once designated, such companies face higher compliance thresholds, including mandatory Data Protection Impact Assessments (DPIAs) before undertaking high-risk processing.
The NDPA also outlines the foundational principles of data processing, which include lawfulness, fairness, transparency, data minimization, accuracy, integrity, confidentiality, and accountability. These are not academic ideals; they’re operational imperatives. For instance, a fintech collecting customer BVNs must be transparent about why it needs them, ensure the information is accurate, secure it against unauthorized access, and not retain it for longer than necessary.
In addition to defining duties, the Act also establishes the rights of data subjects, the individuals whose data you collect. Nigerians now have the right to know how their data is used, to access it, correct inaccuracies, demand deletion, restrict processing, or even object to certain uses (like marketing). They can file complaints directly with the NDPC, which is obligated to investigate and act.
Enforcement under the NDPA carries real weight. The Commission can impose significant administrative fines, conduct compliance audits, issue remedial orders, and even refer matters for criminal prosecution in extreme cases. For startups, this means that privacy compliance is no longer optional or “nice to have”; it’s a legal necessity that affects investor due diligence, customer retention, and market access.
A lesser-discussed but important feature of the NDPA is its embrace of self-regulation through Data Protection Officers (DPOs) and Data Protection Compliance Organizations (DPCOs). Every organization that processes personal data must appoint a DPO responsible for internal compliance, training, and engagement with regulators. DPCOs licensed by the NDPC can provide third-party audit and advisory services to help companies meet their obligations. For resource-constrained startups, partnering with a DPCO can be a practical route to compliance without building an in-house legal team.
Beyond its text, the NDPA also reflects a philosophical shift in how Nigeria views the digital economy. It signals to investors, partners, and international regulators that the country is serious about privacy governance and responsible innovation. For startups seeking to scale regionally or globally, alignment with NDPA is increasingly seen as a badge of credibility, much like GDPR compliance in Europe or CCPA compliance in California.
Regulatory Oversight and Guidance: The Role of the NDPC
The Nigeria Data Protection Commission (NDPC) operates as both a regulator and guide, striking a balance between enforcement and education. But beyond its enforcement role, the NDPC is consciously positioning itself as a collaborative regulator, one that supports innovation while insisting on responsible data governance. This duality is reflected in how the Commission issues frameworks, guidance notes, and directives to help stakeholders understand, implement, and internalize the principles of lawful data processing.
In other words, the NDPC isn’t merely an enforcer; it’s also an educator. Since its establishment, the Commission has published guidelines, FAQs, and advisory opinions to clarify ambiguous parts of the NDPA. Its official materials repeatedly emphasize the duty of care owed by any entity that collects or processes personal data, from large telcos handling millions of SIM registrations and data to small app developers.
At the heart of the NDPC’s expectations is the principle of accountability, the idea that organizations must not only comply with the NDPA but be able to demonstrate that compliance. To that end, the Commission requires businesses to maintain a comprehensive Record of Processing Activities (RoPA).
Next, the Commission expects every data-driven business to implement robust data security safeguards. This doesn’t just mean antivirus software or encrypted passwords. It includes end-to-end protection measures like access controls, encryption protocols, intrusion detection, employee confidentiality agreements, secure APIs, and vendor risk assessments. The NDPC’s tone is clear: cybersecurity and privacy are no longer separate conversations; they are two sides of the same governance coin.
Additionally, the NDPA mandates a data breach notification protocol. If a breach occurs, whether through hacking, internal error, or loss of devices, the organization must notify the NDPC within 72 hours, “where feasible.” That timeline aligns with the EU’s GDPR standard, signaling Nigeria’s adherence to global benchmarks. The notification isn’t a mere formality: it must include details such as the nature of the breach, categories of affected data, likely consequences, and remedial measures taken to contain it. Why does this matter for founders? Because speed and transparency in breach management are now legal expectations, not optional PR strategies. A delayed or concealed breach can significantly increase your exposure, ranging from regulatory fines to class-action suits by affected users. The NDPC also reserves the right to publicly announce serious breaches, which can damage your brand reputation far more than any fine.
Finally, and perhaps most critically, the NDPC’s guidance underscores that non-compliance carries both administrative and criminal liability. This dual approach reflects the seriousness with which Nigeria now treats data protection. Administrative sanctions can include corrective orders, suspension of processing activities, or monetary fines adjusted to the scale and gravity of the violation.
The NDPC’s General Application and Implementation Directive (GAID) 2025
One of the most influential instruments issued by the NDPC is the General Application and Implementation Directive (GAID). The GAID serves as the operational bridge between the NDPA’s broad statutory mandates and the real-world practices of data controllers and processors. While the NDPA lays down the law, the General Application and Implementation Directive (GAID), issued by the NDPC in 2025, acts as the operational manual for compliance. Think of the NDPA as the “what” and GAID as the “how.”
The GAID clarifies grey areas in the NDPA and translates them into practical steps that organizations must take to stay compliant. It’s particularly critical for tech and telco companies because it answers the real-world question: “What exactly should we be doing day to day?”
Some of the most relevant highlights include:
Mandatory Appointment of DPOs:
Controllers or processors of major importance must designate a qualified Data Protection Officer (DPO) responsible for overseeing compliance, reporting breaches, and serving as liaison with the NDPC. The GAID even specifies what qualifies someone to be a DPO and the documentation you must submit to prove competence.
Record-Keeping and Audits:
The GAID requires all organizations, regardless of size, to maintain Records of Processing Activities (ROPAs). These records serve as a “privacy log” detailing what personal data you process, why, and under what lawful basis. The NDPC can request these at any time. It’s essentially a data map that documents:
What categories of personal data you collect (e.g., names, contact details, financial information, geolocation data)
Why you collect it (for service delivery, analytics, KYC verification, etc)
Where it is stored
Who has access to it (employees, vendors, or cloud service providers)?
How long is it retained before deletion or anonymization?
For most startups, this might sound tedious, but it’s foundational. The NDPC uses these records during compliance audits to assess whether your data governance matches your stated privacy practices. It’s the first line of defense when regulators or investors come knocking with questions about how your system actually treats user data.
Compliance Audit Returns (CARs):
Data Controllers or Processors of Major Importance must file annual CARs through a licensed Data Protection Compliance Organization (DPCO). This report shows how you’re implementing NDPA principles, from data security controls to user rights management.
72-Hour Breach Notification:
The GAID enforces the NDPA’s rule that breaches must be reported within 72 hours of detection, when feasible. The notification must include the nature of the breach, likely consequences, and measures taken to mitigate harm.
Internal Governance & Training:
The directive mandates periodic staff training, internal audits, and privacy impact assessments. This signals a shift from reactive to proactive compliance, infusing data protection into the company culture, not treating it as an afterthought.
Data Sharing, or Deliberate Misuse of Personal Information:
The law also contemplates criminal prosecution of responsible officers, including founders, CEOs, or data controllers.
So what does all this legal jargon actually mean for founders?
Simply Put:
You must know your data. Understand what personal data you collect, from whom, and why. If you onboard customers, track app usage, or run analytics, you’re processing personal data.
You must have a lawful basis. Whether it’s user consent, contractual necessity, or legal obligation, every data use must have a valid justification.
You must protect and limit. Secure your databases, encrypt sensitive records, restrict access, and delete data once it’s no longer needed.
You must respect user rights. Nigerians now have enforceable rights under the NDPA, including access, correction, deletion, portability, and objection to processing. Users can file complaints directly with the NDPC.
You must be ready for scrutiny. The NDPC can audit even early-stage startups. Compliance isn’t about size; it’s about responsibility.
The Act rests on seven principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity/confidentiality, and accountability. These are the north stars of every data-driven business that wants to stay credible.
Business Risks of Ignoring Data Protection
For tech and fintech founders, ignoring data protection is not merely a regulatory oversight; it’s a strategic failure. In a digital economy where user trust is currency, a single privacy breach can undo years of brand-building, customer acquisition, and investor confidence.
Below are the core risk areas every founder should take seriously:
1. Regulatory Penalties
The Nigeria Data Protection Act (NDPA) 2023 empowers the Nigeria Data Protection Commission (NDPC) to enforce strict penalties on businesses that fail to comply with data protection obligations. The fines are not symbolic; they’re designed to bite.
For data controllers or processors not of major importance, the NDPA prescribes fines of ₦2 million or 2% of the preceding year’s gross revenue, whichever is greater.
For data controllers or processors of major importance, the penalty rises to ₦10 million or 2% of the preceding year’s gross revenue, whichever is greater.
These are not theoretical. The NDPC has already started wielding this power.
For example, in 2024, Fidelity Bank Plc was fined ₦555.8 million for breaching privacy rules, equivalent to about 0.1% of its gross revenue. Likewise, earlier this year, MultiChoice Nigeria Ltd was hit with a ₦766.24 million fine for processing personal data without consent and transferring user data across borders unlawfully.
As of 2024, the NDPC had initiated over 1,300 investigations across the financial, telecom, and gaming sectors for suspected breaches. In its own words, the regulator has committed to “stepping up enforcement.” This marks a clear shift: data protection is no longer a soft-compliance area; it’s becoming as real and consequential as tax or anti-money laundering compliance.
2. Loss of Customers and Brand Damage
In tech and telecom, trust is everything. A data breach isn’t just an IT issue; it’s a reputational crisis. When users feel their financial or identity data (like BVN, NIN, or card details) isn’t safe with you, they leave. The NDPC’s guidance warns that one of the biggest consequences of non-compliance is “negative perception of the organization” and “loss of customers.” Once trust is broken, even aggressive marketing or PR campaigns can’t easily repair it.
For fintechs that deal with payments, wallets, and sensitive user data, a single privacy incident can trigger customer flight, investor panic, and even regulatory audits. Remember: users are not merely looking for innovation; they’re looking for safety.
3. Payment Gateway and Partnership Risks
Data protection now influences who you can do business with. Partner banks, payment gateways, tech infrastructure companies, and international processors are under their own regulatory obligations. If your startup cannot demonstrate compliance, you may lose access to critical partnerships, integrations, servers, or APIs. For instance, if your app requires a bank API to verify customer identities or process transactions, non-compliance with NDPA can lead to disqualification from integration or immediate suspension.
Cross-border data handling is also under scrutiny. The MultiChoice Nigeria fine included violations related to illegal international data transfers, showing that regulators now track not just what you collect, but where it goes.
4. Reputational and Funding Risks
Investors today conduct far deeper due diligence than before. They examine your governance structure, risk profile, and compliance record, especially in data-driven sectors. A history of violations or weak data controls is a red flag that can derail funding or delay expansion. Public fines, regulatory investigations, or negative media coverage (like the Fidelity and MultiChoice cases) don’t just hurt your brand; they directly affect your valuation, customer confidence, and partner appetite.
For startups eyeing regional or global expansion, weak compliance at home signals poor governance abroad. In a world where investors assess risk holistically, NDPA compliance isn’t just about Nigeria; it’s about credibility everywhere else.
Simple Practical Steps for Startups
If you run a tech or telco startup in Nigeria, data protection compliance doesn’t have to feel like another bureaucratic burden. It’s actually a framework for building user trust, and that trust becomes your most valuable competitive edge. The steps below show how to progressively embed privacy and security into your operations, reduce legal exposure, and strengthen credibility with investors, customers, and partners.
1. Appoint a Data Protection Officer (DPO)
Every startup needs someone in charge of the data protection conversation. This doesn’t mean hiring a full-time executive right away. It could be a trusted team member with a good grasp of compliance, or even an external consultant who helps you build capacity internally.
Under the General Application and Implementation Directive (GAID) 2025, any organization categorized as a “data controller or processor of major importance” must appoint a Data Protection Officer (DPO). The DPO’s role is to oversee compliance, monitor internal processes, and act as your point of contact with the Nigeria Data Protection Commission (NDPC).
A good DPO should have practical knowledge of privacy management, data security, and relevant legal standards. Their appointment isn’t just procedural; the NDPC can actually review their credentials during your Compliance Audit Return (CAR) process to ensure they’re qualified and independent. They are also expected to submit internal reports on your data processing activities at least twice a year.
2. Audit Your Data: Know What You Collect and Why
You can’t protect what you don’t understand. A data audit or data mapping exercise helps you take stock of what personal information you handle, and how it moves through your systems.
Start simple:
What data do you collect (names, emails, phone numbers, BVN, behavioral data, payment details)?
Why do you collect it (user authentication, analytics, marketing, KYC, etc.)?
Where is it stored (servers, databases, cloud providers, backups)?
Who has access (internal teams, contractors, vendors)?
How long do you keep it before deletion or anonymization?
This mapping process gives you visibility into your biggest privacy risks. It’s also a legal requirement under the NDPA and GAID. You’re expected to maintain detailed records of processing activities, something the NDPC will request if your company ever undergoes an audit or investigation.
Once you’ve mapped your data, you’ll start spotting weak spots: unencrypted backups, outdated vendor agreements, over-permissioned staff, and you can fix them before they become compliance or security issues.
3. Draft a Clear Privacy Policy and Data Processing Agreement (DPA)
Transparency builds confidence. Users are more willing to trust you with their data when they know what you’re doing with it. Draft a human-readable Privacy Policy, avoiding technical or legal jargon. It should clearly state:
What data you collect
Why you collect it
The lawful basis for processing (consent, contract, legitimate interest, etc.)
How long you’ll keep it
How users can exercise their rights (access, correction, deletion, objection)
When you work with third parties, whether cloud providers, analytics tools, or marketing platforms, you must also have a Data Processing Agreement (DPA) in place. This is a legal contract defining how those partners will protect the data you share with them, what they can and cannot do with it, and how they should respond in case of a breach.
The NDPA explicitly requires data controllers to ensure that all processors comply with appropriate security, confidentiality, and audit obligations. Having these documents in place not only fulfills your legal duty but also signals professionalism to partners and investors.
4. Implement a Proper Customer Consent Flow
Consent is at the heart of data protection. But consent only counts if it’s freely given, informed, and specific. When you collect user data, whether for newsletters, analytics, or marketing, make sure your users understand what they’re agreeing to. Avoid vague statements like “We may use your data for marketing.” Instead, say, “We’ll use your email to send personalized product updates and offers.” Your consent process should:
Use clear opt-in options (no pre-checked boxes or forced agreements).
Give users a way to easily withdraw consent, ideally through your app or account settings.
Keep records: log when and how the user gave consent, and what version of your policy was in effect.
The GAID specifically emphasizes compliance around tracking tools, cookies, and profiling. For tech companies using analytics or ad pixels, this is especially important. Getting consent right now saves you from regulatory complaints and user mistrust later.
5. Strengthen Data Security Controls
After understanding your data and consent mechanisms, the next step is fortifying your systems. This is where technology meets compliance.
Adopt security practices that align with global standards:
Encrypt data both at rest and in transit.
Limit access strictly on a “need-to-know” basis, not everyone, should see customer data.
Enable multi-factor authentication (MFA) and use strong password policies.
Regularly back up data, and secure those backups separately.
Patch your software and run security tests (vulnerability scans, penetration testing).
Develop a Data Breach Response Plan; outline who does what if a breach occurs, including notifying the NDPC within 72 hours (as required by the NDPA).
Under the NDPA, data controllers are legally obligated to implement both technical and organizational measures to maintain the confidentiality, integrity, and availability of personal data. Compliance here is not just about law; it’s about business continuity and user trust.
6. Train Your Team
Even the most secure systems can fail if your people don’t know how to handle data properly. Human error remains one of the top causes of data breaches globally.
Train your staff, especially engineers, marketers, and support teams, on best practices in data handling. Teach them how to recognize phishing attempts, report suspicious activity, and respond to user data requests appropriately.
The NDPC encourages regular staff sensitization and record-keeping of all training sessions. It’s not just about ticking boxes; it’s about building a company culture that values privacy. When your team treats data protection seriously, compliance becomes easy, almost effortless.
7. File Your Compliance Audit Returns (CARs)
As your company scales or becomes classified as a Data Controller/Processor of Major Importance, you’ll be required to file annual Compliance Audit Returns (CARs) with the NDPC.
This involves auditing your data protection program, reviewing your privacy notices, DPO appointment, security controls, consent flows, and data subject request processes, and then submitting the report through a licensed Data Protection Compliance Organization (DPCO).
The NDPC sets deadlines (typically by March 31st each year) for these submissions. Late filings can attract penalties or surcharges.
Even if you’re not yet required to file, it’s smart to start preparing as though you will. Keep documentation, audit trails, and compliance evidence organized. That proactive approach not only keeps you ready for growth but also signals maturity to potential investors or acquirers.
Conclusion
Nigeria’s digital economy is entering a new phase, one where innovation alone no longer defines success. The Nigeria Data Protection Act (NDPA) and the Nigeria Data Protection Commission (NDPC) through tools like the GAID have made one thing clear: data protection is not a compliance checkbox, it’s a core business discipline. For founders, this means integrating privacy into your product design, governance, and culture from day one, not as a defensive measure, but as a competitive differentiator.
When users know their data is safe with you, they stay longer. When investors see clear governance, they invest confidently. And when regulators see transparency, they collaborate instead of sanctioning. In essence, data protection is now a smart business strategy.
As Nigeria deepens its digital transformation, every startup that handles user information, whether through apps, payments, or connectivity, will be judged not just by its technology, but by its trustworthiness. The NDPA offers the framework; it’s up to founders to build the culture that brings it to life.
In the end, compliance is not the goal. Credibility is. And in a market where trust has become the ultimate currency, your approach to data protection could well determine your place in Nigeria’s next wave of digital success stories.
About Legal Bytes
We are Adune Legal’s weekly Newsletter, which simplifies the Law for Busy Executives, Entrepreneurs, and Tech Enthusiasts interested in the legal aspects of Business, Technology, and Intellectual Property.
We love emails from our readers— reply to this email and let us know your thoughts and suggestions.
WAIT!!!
Become a paid subscriber and access;
Q&A sessions with Nneoma Grace via chats on Substack.
Detailed Legal Templates and examples to save you time and legal fees
Expert Interviews and Case Studies
Don’t miss out on these perks - subscribe today and start enjoying it!
Thanks for reading Legal Bytes
Adune Legal’s Team
P.S. Like Legal Bytes? Please forward us to a friend.
P.P.S. Was this publication forwarded to you? Sign up here & see previous publications.