O.J | Richards + Co.
Firm Commentary
The NDPA perimeter is expanding faster than most boards have refreshed their governance frameworks.

Two years into the Nigeria Data Protection Act, most Nigerian boards have something they call a data protection programme. Far fewer have a programme that would survive a serious regulatory examination. The gap between the two is the question this commentary addresses.

The NDPA created, for the first time, a Nigerian data protection regime with statutory force, dedicated regulator oversight, and meaningful penalty exposure. The Nigeria Data Protection Commission has spent the intervening period building its supervisory capacity and establishing the practical contours of compliance. We are now in the phase where compliance frameworks built quickly under the previous regulation are being tested against a more demanding standard.

The first board-level question is governance. Under the NDPA, accountability for data protection rests with the controller — which for most boards means the company itself. Boards that have delegated data protection to a single compliance officer without establishing meaningful oversight at the board or board-committee level are operating under an outdated governance model. Modern data protection governance requires periodic board-level review of the programme, clear escalation paths for material incidents, and integration with the broader risk management framework of the organisation.

The second question is the substance of the programme itself. A serious data protection programme is not a privacy notice and a register of processing activities. It is an operational system that connects data inventory to lawful basis analysis, that maintains current records of processor relationships, that implements data subject rights in practice rather than in policy, and that prepares the organisation for incidents before they occur.

The third question is the international dimension. Many Nigerian businesses transfer personal data across borders — to cloud service providers, to group affiliates, to professional advisors, and increasingly to AI service providers. Each transfer requires lawful basis analysis under the NDPA, and the most defensible programmes have moved beyond standard contractual clauses to assessments that consider the adequacy of the recipient jurisdiction.

Boards approaching these questions seriously typically commission an independent assessment of their current programme against a defined standard, identify the gaps that matter most, and resource remediation appropriately. The cost of doing this exercise is modest compared with the cost of doing it after a regulatory examination has already begun.
