Technological advancements and the growing importance of the role they play in our lives have necessitated jurisdictions to take a deeper look into data protection with a view to ensuring that safeguards are put in place to handle the proper processing, management and storage of personal data.

Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. Although this provision can be said to generally protect privacy, it fails to adequately address data protection in light of current realities. Sector-specific legislations in Nigeria also contain provisions protecting privacy and confidentiality[1].

The National Information Technology Development Agency (NITDA) recently released the Nigeria Data Protection Regulation 2019 (NDPR 2019). Thus far, it is the most comprehensive data protection regulation in Nigeria.
The NDPR 2019 has the effect of protecting the personal data of Nigerian citizens and that of non-Nigerians who are resident in Nigeria.[2] Therefore the Regulation, like its European counterpart the General Data Protection Regulation (GDPR), not only applies to persons in Nigeria but it also applies to foreign entities outside Nigeria who handle data of Nigerian citizens. These entities are expected to comply with the Regulation when handling data of Nigerian citizens and foreigners who are resident in Nigeria.
Although this is laudable, it raises questions as to the practicability of enforcing the Regulation outside Nigeria. In spite of the difficulties that may arise in ensuring enforcement of the Regulation, the Federal Government of Nigeria recently made a move to investigate popular smartphone application Truecaller over allegedly violating privacy rights of Nigerians.[3]
Scope and Application of the NDPR 2019.
A cursory look at the Regulation reveals that the major players in Nigeria’s data protection regime are the Data Subject, the Data Controller and the Data Administrator. The Regulation defines the terms as follows under Regulation 1.3:
‘ix. “Data Administrator” means a person or an organization that processes data
x. “Data Controller means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed.
xiv. “Data Subject” means any person, who can be identified, directly or indirectly by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity…’
The type of data that is the subject matter of protection as envisaged by the Regulation is “Personal Data”. The main feature of Personal Data is that it should relate to an identified or identifiable natural person.[4] This reveals that the Regulation did not have data from a legal person in mind when considering the guiding principles of data processing. The possible effect this may have on legal persons is, however, yet to be seen.
The Regulation mentions the term “Sensitive Personal Data” to mean data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.[5] However, a detailed examination of the Regulation shows that no distinction is made in the protection that is to be accorded to Sensitive Personal Data.
The Data Controller has certain responsibilities to the Data Subject. Before data can be lawfully processed, consent must be obtained from the Data Subject. Regulation 2.3(1) provides that the specific purpose of data collection must be made known to the Data Subject. Consent must have been obtained without fraud, coercion or undue influence. The provision governing the consent requirement emphasizes the importance of transparency and ensuring that consent is freely granted.
By virtue of Regulation 2.3(2)(c), a Data Subject has the right to withdraw their consent at any time. However, the Regulation goes on to state that the withdrawal of such consent does not affect the lawfulness of processing based on consent that took place before said consent was withdrawn.
Regulation 3.1(1) makes it mandatory for the Data Controller to provide any information relating to processing to the Data Subject. The information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Likewise, the Data Controller must inform the Data Subject about the purpose(s) of the processing.[6]
Regulation 4.1(2) mandates every Data Controller to designate a data protection officer to ensure compliance with the regulation, relevant data privacy instruments and data protection directives. The Data Controller may outsource data protection to a verifiably competent firm or person. This may have the effect of creating jobs and business opportunities through creating a need for data protection officers and experts.
Personal data is to be protected from hazards and data breaches such as theft, cyberattack, viral attack, dissemination and manipulation.[7] Those involved in data processing or control of data have the responsibility of developing security measures to ensure data security. By virtue of Regulation 2.7, data processing handled by a third party shall be governed by a written contract between the third party and the Data Controller. Such third party will be required to adhere to the provisions of the NDPR 2019. In situations where personal data is transferred to a foreign country for processing, Regulation 2.11 places such transfer under the supervision of the Attorney General of the Federation.
NDPR 2019 is indeed a welcome development as far as Data Protection in Nigeria is concerned. Data security increases trust and can positively impact investment in the digital space. In spite of the initial skepticism involved in the possibility of its enforcement, it is important for organisations to ensure compliance to avoid being liable.
[1] For example, see Section 38(5) Cybercrime (Prohibition, Prevention, etc.) Act 2015
[2] Regulation 1.2(b) NDPR 2019
[3] Adeyemi Adepetun, “FG moves against Truecaller over alleged breach of privacy in Nigeria,” The Guardian, September 25, 2019  < > (Accessed on September 26, 2019)
[4] The Regulation provides examples of identifiers that can be used to identify a natural person: a name, an identification number, location data, an online identifier, address, photo, email address, bank details, social media posts, medical information, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or unique identifiers that include MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII), etc.
[5] Regulation 1.3(xxv) NDPR 2019
[6] Regulation 3.1(7)(c) NDPR 2019
[7] Regulation 2.1(1)(d) NDPR 2019
Judy-Vallery Imasuen is Tech lawyer with over a decade of experience in programming. She has her expertise in intellectual property law, blockchain technology and artificial intelligence. She can be contacted through