Since Nigeria introduced the Nigeria Data Protection Regulation (NDPR) in 2019 and later strengthened the framework with the 2023 Nigeria Data Protection Act, the country’s data privacy landscape has been undergoing a quiet but significant transformation.
Now, with the Nigeria Data Protection Commission (NDPC) “going all out” to enforce the law, consumers are being urged to understand their rights — and use them.
Olatorera Oladeji, a data privacy practitioner, tells Technology Times that this isn’t just about government regulators chasing companies. It’s about everyday Nigerians knowing what they can demand from the banks, telcos, fintech apps, social media platforms, and other “data controllers” they hand personal information to every day.
“As data subjects, as consumers, we have an obligation to know what our rights are… so that we can demand better from data controllers,” Oladeji says. “We also have to support the law by keeping data controllers on their toes and demanding adequate service and protection of the data we provide.”
To illustrate the risks, Oladeji shares a troubling real-life example. A Nigerian woman discovered her passport application form — complete with name, phone number, email, and other sensitive details — had been leaked. In her case, someone called her to alert her, but in many other situations, the story ends differently.
Data privacy: Why your name, email, and phone number matter more than you think
To illustrate the risks, Oladeji shares a troubling real-life example. A Nigerian woman discovered her passport application form — complete with name, phone number, email, and other sensitive details — had been leaked. In her case, someone called her to alert her, but in many other situations, the story ends differently.
Leaked personal data can be exploited for blackmail, account hacking, identity theft, or fraudulent activity. Criminals might sell it on the dark web, clone phone numbers to intercept messages, or use the details for targeted scams.
“The risk to the data subject is more than just unauthorised access,” Oladeji warns. “It goes into the security of a person… their livelihood, even their life.”
For Nigerian consumers, this underlines a critical reality: any data you share — from signing up for a service to filling a government form — becomes a potential target for misuse unless properly protected.
The law is on your side — But only if you use it
Under Nigeria’s data protection framework, the NDPC regulates how organisations collect, process, store, and share your data. But the law works best when consumers actively enforce their rights.
These include:
- Right to know why an organisation is collecting your data.
- Right to consent before your data is shared or transferred abroad.
- Right to access the data an organisation holds about you.
- Right to request correction or deletion of your data.
- Right to object to certain forms of processing, such as marketing.
Oladeji stresses that consumers shouldn’t passively give away information. “If someone asks for your name, you should know why they are connecting it with your data and what purpose it serves,” she says.
Business responsibility: From data officers to compliance organisations
While individuals must stay alert, the law also puts strong obligations on organisations. By law, many businesses must appoint a Data Protection Officer (DPO) responsible for compliance, training, and creating a clear data privacy policy.
Some work with Data Protection Compliance Organisations (DPCOs), which provide training, audits, and advisory services. These measures are meant to ensure employees understand the rules and can protect customer information effectively.
In Oladeji’s view, there are no excuses for companies to plead ignorance. “Organisations can learn through their third-party agents, through their own DPOs, through their DPCOs, or even by consuming available literature on the internet,” she says.
Before any transfer, Nigerian law requires a Data Privacy Impact Assessment to determine if the destination country has adequate safeguards, functioning courts, and clear remediation measures if a breach occurs.
“Imagine sending your data to a country that has no protection law, no regulation… even their courts are not functional,” Oladeji cautions. “You won’t get any form of remediation if your data is breached.”
Cross-border data transfers: When your information leaves Nigeria
In today’s interconnected digital economy, your personal data might not stay within Nigeria’s borders. From multinational e-commerce platforms to global cloud storage providers, cross-border transfers are common — but also risky.
The NDPC generally prohibits sending data abroad without safeguards, but there are exceptions. These include:
- Consent: You agree in writing that your data can be transferred abroad.
- Contractual necessity: For example, an international business contract requiring data exchange.
- Binding corporate rules: Multinationals applying the same strict data privacy standards across all branches.
- Adequate protection in the destination country: The recipient country must have strong privacy laws and enforcement.
Before any transfer, Nigerian law requires a Data Privacy Impact Assessment to determine if the destination country has adequate safeguards, functioning courts, and clear remediation measures if a breach occurs.
“Imagine sending your data to a country that has no protection law, no regulation… even their courts are not functional,” Oladeji cautions. “You won’t get any form of remediation if your data is breached.”
Privacy policies: Keep them simple and separate
One recurring complaint from consumers is that privacy policies are often hidden inside long, unreadable “terms and conditions.” Oladeji says this practice discourages users from reading important clauses that outline their rights.
Her advice: organisations should make privacy policies simple, concise, and separate from terms of use. Consumers, for their part, must take the time to read them — no matter how tedious it feels.
“You cannot sign a contract and then say it is not valid because you didn’t read it,” she notes. “The best thing is to assume you have read it and understood what you are agreeing to.”
Private vs public sector compliance: The enforcement gap
While enforcement against private companies has been visible — including fines against some for unauthorised data use — Nigerians often question why government agencies seem less accountable.
Oladeji says the difference is partly due to the complexity of enforcing court judgments against public bodies, which can be slow, costly, and politically sensitive. Instead, the NDPC is taking a pre-emptive, collaborative approach with agencies like the Nigeria Immigration Service, holding training sessions and awareness campaigns.
Progress is slow but visible. Filing of data audits by government agencies has risen from about 2% to over 10–20% in recent years.
“They are the major processors of data in Nigeria, so bringing them into compliance is essential,” she says.
Nigeria’s growing role in African data privacy
Nigeria is not just catching up — it is positioning itself as a continental leader. The NDPC recently hosted an African data privacy programme, underlining the country’s ambition to shape Africa’s privacy agenda.
But Oladeji warns that enforcement must balance deterrence with economic realities. Excessive fines could discourage business operations in a fragile economy. Instead, she advocates combining penalties with negotiated remediation plans.
“What we are looking for is compliance with regulations… confidence in the system, not just monetary fines,” she explains.
Why consumers are paying attention now
Enforcement actions against companies have generated buzz on social media, with many Nigerians welcoming the NDPC’s actions.
“Data subjects are happy… they feel government agencies are taking them seriously,” Oladeji observes.
Still, the responsibility cuts both ways. Data controllers must ensure they follow the law, and consumers must hold them accountable.
Her final message is simple but powerful:
“Data is you. You are your data. Please take data privacy seriously. Know your rights. Understand your access rights. Hold your data controllers accountable.”
Data privacy: Key takeaways for Nigerian consumers using online services
Know Your Rights: Familiarise yourself with the NDPR and Data Protection Act provisions on access, consent, and objection.
Read Before You Agree: Always read privacy policies before signing up for a service.
Ask Questions: Don’t provide personal data without understanding why it’s needed.
Be Alert for Breaches: Watch for unusual calls, emails, or account activity.
Report Violations: The NDPC provides channels for lodging complaints against data misuse.
Building a Culture of Privacy Nigeria’s data privacy ecosystem is still young, but momentum is building. The NDPC’s enforcement actions, combined with public awareness and growing organisational compliance, signal a shift towards a safer digital environment.
The journey will be long, but as Oladeji’s insights reveal, the destination is worth it: a Nigeria where consumers can trust that their personal information — whether in the hands of a fintech app, a government agency, or a social media platform — is handled with the care, respect, and security it deserves.
For Nigerian consumers navigating an increasingly online world, data privacy is no longer an abstract legal term. It is the shield protecting identity, livelihood, and safety in the digital age. And that shield works best when both the law and the people stand behind it.
Home
