Enyenaweh Research

Review of the Nigeria Data Protection Regulation

The NDPR was established to regulate those who have access to and control people’s data. Prior to the NDPR, provisions in a few laws protected certain information or data from unlawful use[1]. However, unlike the NDPR, these provisions were ambiguous, inadequate, and ineffective in imposing sanctions and ensuring compliance in the event of a data breach. Thus, the introduction of the NDPR by the National Information Technology Development Agency (NITDA) was a much-needed remedy for data protection in Nigeria.

The Nigeria Data Protection Regulation defines data as “characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals stored in any format or any device”[2]. Data is a highly sought-after commodity, and people are more concerned than ever before about how their data is being transferred and processed in this era of business information technology. The NDPR is currently Nigeria’s most comprehensive law on data protection[3]. It contains various provisions regulating the collection and processing of data in Nigeria. Nevertheless, having laws is one thing; ensuring compliance is another. With regard to the latter, the Draft Framework released by the National Information Technology Development Agency (NITDA) in July 2019 helps organizations comply with the NDPR.

Data privacy is a vital term as the world revolves around data and information. It is also connected to the fundamental rights of citizens, as the law protects the right to privacy. In Nigeria, Section 37 of the 1999 Constitution guarantees the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications[4].

Compliance with data protection laws improves the trust between businesses and their customers. It also prevents the company from incurring expensive costs in the form of fines, litigation expenses, public embarrassment, and a bad reputation. Data protection compliance involves understanding not only a company’s policies, contracts, and legal engagements, but also the company’s information technology, security, audit, and operational systems[5].

Challenges militating against data protection and compliance

Reporting Data Breaches

There is no mandatory requirement to report data security breaches or losses to the authorities or to data subjects under the NDPR. However, the Framework mandates Data Controllers to notify NITDA of Personal Data breaches within 72 (seventy-two) hours of becoming aware of the breach. Despite the emergence of the NDPR in Nigeria, most data breaches still go undocumented or unreported to the data subjects. Several reasons have been attributed to this, ranging from delay in informing the data subject of breaches in some situations, to the chain of reporting itself, in which the data processor or data controller reports data breaches to the authority and the authority is then required to notify the data controller whether they should notify the data subject of the breach[6]. Olumide (2020) added that data protection and privacy are practically strange to Nigerian society. Data subjects are generally unaware of their property rights in data, and data collectors/administrators are numb to their corresponding duty to protect and/or respect the privacy of data entrusted to them[7].

Lack of Enforcement

Beyond the inadequacy that characterized data privacy legislation in the country, many social commentators and scientists alike have expressed concerns over the ability of government to conform to the provisions of the data protection regulation, as many agencies and parastatals were known to flout the law. So, although NITDA has come up with the NDPR, it ought not to end there. The NDPR, though issued on the 25th day of January 2019, was meant to take effect from 25th April 2019, at least with the Data Collectors distributing their protection policies as compulsorily required by section 2.5 of the NDPR[8]. However, according to Olumide[9], April 25 came and went; the various Data Collectors have not published their privacy policies to our knowledge, nor did NITDA penalize them as provided under section 2.10 of the NDPR, thereby giving a rebuttable impression that the regulators are treating them with kid gloves.

Dearth of Practicing Professionals in the Country

Many Nigerian companies still eye the NDPR buzz with a degree of doubt, quietly wishing it would go away in view of the compliance costs in time and resources. Fortunately, the presence of data protection regulation is becoming internationally perceived as a sign of trust in a nation's online business space. As organizations become globally connected and information exchange becomes an increasingly essential part of business transactions, data protection is becoming a risk issue discussed at the negotiation stage between companies in different jurisdictions[10].

It is clear that data has become a ubiquitous asset in the global community, mirroring the transformation of our modern societies, in which massive data collection and analysis have become a key competitive advantage. However, the transformation also brings its own challenges, particularly in emerging societies like Nigeria. There is a need for the government and relevant stakeholders alike to review existing laws on data protection to suit new technologies. Similarly, enforcement procedures need to be reviewed. Law enforcement agents need to be trained to deal with more sophisticated data crimes. Education and training need to be intensified to fill the gap left by the dearth of practicing professionals.

[1] Some of these laws include the Constitution of the Federal Republic of Nigeria 1999 (as amended), Nigerian Communications Commission Act 2004, CBN Consumer Protection Framework 2016, Freedom of Information Act 2011, and the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.
[2] Nigeria Data Protection Regulation 2019, NigeriaDataProtectionRegulation.pdf
[3] Francis Ololuo (2020), Privacy & Data Protection, Understanding-Nigerian-Data-Protection-Compliance-Requirements-and-Managing-Breach-Francis-Ololuo.pdf
[4] Tochukwu Onyiuke (2020), How to strengthen Nigeria’s data protection regulation, Punch Newspapers
[5] Enyioma Madubuike, “What Is Really Happening in the Nigerian Data Compliance Space” (21st November 2019) available on accessed on 14th March 2020.
[6] Diyoke Michael Chika, Edeh Stanley Tochukwu (2020), An Analysis of Data Protection and Compliance in Nigeria
[7] Olumide B (2020), Data Protection and Privacy Challenges in Nigeria (Legal Issues)
[8] Nigeria Data Protection Regulation 2019, NigeriaDataProtectionRegulation.pdf
[9] Olumide B (2020), Data Protection and Privacy Challenges in Nigeria (Legal Issues)
[10] Diyoke Michael Chika, Edeh Stanley Tochukwu (2020), An Analysis of Data Protection and Compliance in Nigeria
