Data Privacy Considerations for Start-Ups in Nigeria


On the 25th of January, 2019, the Nigerian Data Protection Regulation (NDPR) 2019 was signed into law by the Director-General, National Information Technology Development Agency (NITDA), Dr. Isa Ali Ibrahim (Pantami) FNCS, FBCS, FIIM, pursuant to the NITDA Act 2007, launching Nigeria into the league of nations with data protection regulatory legislation. With the surge of technological advancements, the need to secure the data of subscribers is at an all-time high. According to expert data privacy practitioners, privacy is the new oil, a confirmation that millions can be made off data privacy breaches.

Recently, fresh lawsuits have been filed against the eBay of NFTs, OpenSea, for alleged “securities vulnerabilities”, solidifying the claim that huge money can and will be made from data privacy/security breaches.

The number of start-ups in Nigeria is growing at an unprecedented rate, and Nigeria is fast becoming a hub of entrepreneurship. According to the African Challenger Brand, start-ups in Nigeria have succeeded in creating an experience that turns businesses into brands that customers and the general public can relate to. With tentacles in fintech, transport, health, hospitality, education, logistics, and agriculture, among others, start-ups have acquired and can acquire billion-dollar status.

Because of the rise of start-ups and the need to comply with the regulatory framework of the NDPR, start-up founders, and those who intend to set up a start-up, should be aware of data protection principles.
These considerations are contained in Part 2 of the NDPR 2019:

1. Lawful Processing: This entails the collection and processing of personal data for the specific and legitimate purpose to which the data subject consents. Section 2(2) NDPR 2019 provides that the processing of data is lawful if the data subject consents to the specific purpose; if the processing is necessary for the performance of a contract to which the data subject is a party, or at his/her request to enter into a contract; and if the processing is necessary to protect the interest of the data subject.

2. Consent: The crux of data privacy is consent; if the data subject does not consent, then a contrary act might be a breach. Prior to consent, the data controller must ensure the data subject is aware of his/her rights set out in Part 3 of the NDPR 2019, and of the ability to withdraw consent at any time. Accordingly, the specific purpose for the collection of data must be made known to the data subject, and such data must be obtained without fraud, coercion, or undue influence. Similarly, the data controller (in this instance, the start-up) must ensure that the data subject has the legal capacity to give consent, and such consent must be given in writing. The request for consent should also be made in an intelligible and unambiguous manner.

3. Improper Motive: The NDPR prohibits the seeking, giving, or acceptance of consent in a situation that may engender or propagate atrocities, hate, child rights violation, criminal acts, or anti-social conduct. Also, if a start-up intends to enter into a contract with another company, it must take reasonable measures to ensure that the other party to the contract does not have a record of violating the rights of data subjects provided in Part 3 of the NDPR or NITDA or any data privacy regulatory authority within or outside Nigeria.

4. Privacy Policy: The NDPR provides that the medium through which personal data is collected must have an unambiguous privacy policy that can be understood properly by the target audience. The privacy policy shall also contain relevant information, including but not limited to: what constitutes the Data Subject’s consent; what personal information will be collected; the purpose of collection; the technical methods used to collect and store personal information, such as cookies, JWT, web tokens, etc.; access (if any) of third parties to Personal Data and the purpose of access; the highlight of the principles stated in Part 2 of the NDPR 2019; available remedies in the event of a violation of the privacy policy; and the time frame for remedy.

5. Data Security: Start-ups must ensure the security of data in their possession by protecting their systems from hackers, setting up firewalls, employing encryption technologies, adopting an organization policy for handling personal data, and using other methods of system protection.

6. Third-Party Data Processing Contract: Sometimes, to build brand visibility, start-ups may employ the help of third parties for advertising and other promotional services. Most of these promotional services are targeted at certain demographics, which may require the data of persons. The NDPR provides that such agreements must be governed by written contracts, and the contract must be in line with data protection regulations, chief of which is the consent of the data subject to have his/her data transferred and processed by a third party.

7. Objection by the Data Subject: One of the salient rights of the data subject is the right to object to the processing of his/her data for any purpose. To that end, start-ups must provide a mechanism for the data subject to object to the processing of personal data.

Under the NDPR, start-ups, businesses, and companies that engage in the processing of personal data of over 1000 Nigerians are mandated to conduct a detailed annual audit of their data processing activities. This audit is to be conducted by a licensed Data Protection Compliance Organisation (DPCO). Failure to comply with the provisions of the NDPR will result in the payment of a fine of 10 million Naira or 2% of the annual turnover (whichever is greater).


In this digital age, data has become a vital asset for both individuals and corporate bodies. It has been regarded as the world’s most valuable resource. Under Nigerian law, data controllers and data processors are required to undergo Data Protection Compliance audits and generally adhere to the provisions of the NDPR.



Bayode Favour Ejaita is a law student, a prolific legal researcher, and writer.


