top of page
  • Writer's pictureJude Ademola Ikumapayi

The Pros and Cons of the Nigeria Data Protection Regulation (NDPR)

With its huge population, often estimated at 200 million, Nigeria is a data miner’s treasure field. On a daily basis, millions of critical information are giving away by Nigerians to local and international businesses, government agencies and institutions, most of which are unaccounted for. The lack of accountability also means people’s information are getting into the wrong hands and are being used to target them for fraud and other criminal activities online[1].

The NDPR was established to regulate those who have access to and control people’s data. Prior to the NDPR, there existed provisions in a few laws which protected certain information or data from unlawful use[2] However, unlike the NDPR, these provisions were ambiguous, inadequate, and ineffective in imposing sanctions and ensuring compliance in the event of a data breach, Conscious of the concerns around privacy and protection of Personal Data and the grave consequences of leaving Personal Data processing unregulated, National Information Technology Development Agency (NITDA) has issued the Nigeria Data Protection Regulation (NDPR), which is to a large extent a mirror of the European Commission’s General Data Protection Regulation (GDPR)[3].

Image: CyberTalkNaija

The NDPR aims to safeguard the rights of natural persons to data privacy, foster safe conduct for transactions involving the exchange of Personal Data, prevent manipulation of Personal Data and to ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a sound data protection regulation.

The NDPR is currently Nigeria’s most comprehensive law on data protection[4]. It contains various provisions regulating the collection and processing of data in Nigeria. Nevertheless, having laws is one thing; ensuring compliance is another. With regards to the latter, the Draft Framework released by National Information Technology Development Agency (NITDA) in July 2019 helps organizations comply with the NDPR[5].

The NDPR was made in recognition of the fact that many public and private bodies have migrated their respective businesses and other information systems online. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against personal data breaches[6].

The NDPR may be Nigeria’s most comprehensive law on data protection but it also has its shortcomings, NDPR restricts the protection offered under the regulation to, only rights of natural persons. This is inadequate because, institutions or organizations can also fall victims of privacy and data breach but if the express provision of the NDPR is slavishly adhered to, then artificial persons can’t take cover under it as currently enacted[7].

Since the regulation’s main focus is to protect data, then its restriction to personal data may be counterproductive in the nearest future and in addition, may give rise to agitations for another broader regulation protection other kinds of data especially the non-personal, non-electronic data, etc.

NDPR definition of “Data” is also not comprehensive enough. It simply defines Data as “characters, symbols and binary which operations are performed by a computer which may be stored by transmitted in the form of electronic signals is stored in any format or any device[8]. The inadequacy of this definition is, at a glance, reflected in the use of the word “computer” which the same regulation defines as “information technology systems and devices whether networked or not”. Hence, the NDPR does not seek to safeguard data wholly captured, performed and stored in paper form without the use of computers since its focus is on computer and ICT.

The Framework mandates Data Controllers to notify NITDA of Personal Data breaches within 72 (seventy-two) hours of becoming aware of the breach, the legal framework provides punishments for infringement but it is silent on remedies for victims of data privacy breach. The penalties as contained therein would only generate income for the government at the expense of the actual victims of data privacy breach.

Olumide, (2020) noted that data protection and privacy are practically strange to the Nigerian society. Data subjects are, generally, unaware of their property rights in data and Data collectors or administrators are numb to their corresponding duty to protect and respect the privacy of data entrusted in their hands[9].

Conclusion & recommendation

The NDPR has been rightly touted as Nigeria’s comprehensive and contemporary regulation on data privacy, NITDA and all other stakeholders need not get complacent with the commendable regulation but it must be periodically revised and updated to cater to outstanding issues whether existing or arising in the future, the definitions under the NDPR needs to cover all grounds to ensure that they cannot be misinterpreted. It is not enough for the government to bring up regulations in data privacy; what is important is that such regulations must address specific needs, the essence of a regulation is in doubt if the citizens are unaware of the said regulation. More sensitization is needed to make people aware of their rights.


[1] Frank eleanya, 2019 The NDPR isn’t perfect but it’s a step to data protection for Nigeria The NDPR isn’t perfect but it’s a step to data protection for Nigeria - Businessday NG [2] Some of these laws include the Constitution of the Federal Republic of Nigeria 1999 (as amended), Nigerian Communications Commission Act 2004, CBN Consumer Protection Framework 2016, Freedom of Information Act 2011, and the Cybercrimes (Prohibition, Prevention, etc.) Act 2015. [3] Frank eleanya, 2019 The NDPR isn’t perfect but it’s a step to data protection for Nigeria The NDPR isn’t perfect but it’s a step to data protection for Nigeria - Businessday NG [4] Francis Ololuo 2020 Privacy & Data Protection Understanding-Nigerian-Data-Protection-Compliance-Requirements-and-Managing-Breach-Francis-Ololuo.pdf ( [5] NIGERIA DATA PROTECTION REGULATION 2019: IMPLEMENTATION FRAMEWORK, 2020 ImplementationFramework.pdf ( [6] Ibid5 [7] Olumide Babalola 2021 My thoughts on the Nigeria Data Protection Regulation (NDPR) 2019 MythoughtsontheNigeriaDataProtectionRegulation.pdf [8] NIGERIA DATA PROTECTION REGULATION 2019 NigeriaDataProtectionRegulation.pdf ( [9] Olumide B (2020) Data Protection and Privacy Challenges in Nigeria (Legal Issues)

617 views0 comments
bottom of page