WHO OWNS YOUR DATA? UNDERSTANDING DIGITAL RIGHTS IN NIGERIA’S EVOLVING TECH SPACE
By Toluwani Folorunso
If you have ever downloaded a new app, opened a bank account online, or used a buy-now pay-later service, you have probably clicked “I agree” without reading the fine print. But whose data is it after you click, yours or the company’s?
In Nigeria, the short answer is: you retain the rights; organisations get limited permission to use your information under the law. That principle sits at the heart of Nigeria’s data protection regime.
THE LEGAL BACKBONE: NDPA 2023 AND RELATED FRAMEWORKS
Nigeria’s principal privacy law is the Nigeria Data Protection Act, 2023 (NDPA). It establishes the Nigeria Data Protection Commission (NDPC), sets out the conditions for collecting and using personal data, and gives individuals enforceable rights over their information. The Act applies both to companies operating in Nigeria and foreign companies targeting Nigerian residents.
Two other frameworks are critical:
- Open Banking: The Central Bank’s Operational Guidelines for Open Banking govern how banks and fintechs share customer data via APIs. Such sharing generally requires clear proof of the customer’s consent and adherence to strict security protocols.
- Cybercrime Legislation: The Cybercrimes (Prohibition, Prevention, etc.) Act, as amended in 2024, addresses unlawful access, hacking, and other data-related offences, complementing privacy rules with criminal sanctions.
WHO REALLY “OWNS” YOUR DATA?
Nigerian law does not frame personal data in terms of absolute ownership like a physical asset. Instead, it adopts a rights-based model:
- Data subjects (you) hold legal rights over your personal information.
- Data controllers or processors (organisations) may collect and use the information only on specific lawful grounds, for stated purposes, and with safeguards.
In essence, you retain control; companies receive a conditional licence to process the data, limited by law and your consent.
YOUR KEY RIGHTS UNDER THE NDPA
The NDPA grants individuals the right to:
- Be informed about the collection and purpose of data processing.
- Access copies of their personal data.
- Rectify inaccurate information.
- Request deletion in certain circumstances.
- Transfer data to another provider (“data portability”).
- Object to certain processing, such as direct marketing.
- Challenge significant decisions made solely through automated means.
LAWFUL BASES FOR PROCESSING DATA
Organisations must identify and rely on at least one lawful basis for processing, such as:
- Consent – freely given, specific, informed, and unambiguous.
- Contract – processing necessary to perform a contractual obligation.
- Legal obligation – compliance with statutory requirements.
- Legitimate interest – narrowly defined business purposes that do not override individual rights.
They must also comply with the NDPA’s guiding principles: minimal collection, purpose limitation, accuracy, security, and retention only for as long as necessary.
OPEN BANKING: CONSENT WITH SAFEGUARDS
The Open Banking Guidelines enable customers to share account information securely with third-party fintechs for innovative services. However, an “access provider” (such as a bank) cannot share data with an “access party” (such as a fintech) without demonstrable customer consent, and all parties must adhere to prescribed technical and contractual safeguards.
CROSS-BORDER TRANSFERS
The NDPA allows data to be transferred outside Nigeria only where:
- The destination country offers adequate protection;
- Approved contractual safeguards are in place; or
- Specific exceptions apply.
This is especially relevant for cloud-based services, multinational employers, and global digital platforms.
DATA SECURITY AND BREACH RESPONSE
Data protection is only as strong as the security measures behind it. The NDPA requires organisations to implement technical and organisational safeguards to prevent unauthorised access, alteration, or disclosure of personal data. This includes encryption, multi-factor authentication, regular security audits, employee training, and controlled access to sensitive records.
Where a data breach occurs, the law imposes clear duties:
- Notification to the NDPC: Data controllers must promptly inform the Commission when a breach is likely to result in a risk to the rights and freedoms of individuals.
- Notification to individuals: If the breach creates a high risk of harm (such as identity theft or financial loss), affected persons must also be informed in plain and clear language.
- Timelines: Although the NDPA does not prescribe exact hours, the 2024 amendments to the Cybercrimes Act tighten reporting obligations, encouraging organisations to notify regulators “without undue delay.” This aligns Nigeria with international practice, where 72-hour reporting is becoming the norm.
- Record keeping: Even where breaches do not meet the threshold for external reporting, organisations are expected to maintain internal records of incidents, investigations, and remedial steps.
Failure to comply with breach notification requirements may attract administrative sanctions, fines, or enforcement action by the NDPC. More significantly, the reputational and commercial impact of mishandling a breach often outweighs the regulatory penalties.
PRACTICAL IMPLICATIONS FOR BUSINESSES
For organisations operating in Nigeria’s tech-driven economy, compliance with the NDPA and related frameworks is no longer optional; it is a business risk issue. Regulators now have stronger enforcement powers, and customers are increasingly privacy conscious. To remain compliant and competitive, businesses should prioritise the following steps:
- Audit and Map Data: Identify what categories of personal data you collect, where it is stored, how it flows across your systems, and with whom it is shared.
- Define Lawful Bases: For each processing activity (e.g., marketing, payroll, customer onboarding), determine the correct legal basis under the NDPA and document it.
- Strengthen Consent Processes: Ensure consent requests are clear, specific, and easy to withdraw. Avoid vague or bundled consent.
- Update Contracts: Review agreements with vendors, cloud providers, and API partners to include strong data protection obligations and liability clauses.
- Enable Data Subject Rights: Create accessible channels for individuals to request access, correction, deletion, or portability of their data and ensure your team can respond within statutory timelines.
- Implement Breach Response Plans: Establish internal protocols for detecting, reporting, and managing breaches. Regular drills and training are critical.
- Embed Privacy by Design: Integrate data protection considerations into new products, apps, and services from the planning stage, not as an afterthought.
- Train Staff Regularly: Employees are often the weakest link in data security. Continuous training builds awareness and reduces compliance risks.
By embedding these practices, businesses not only reduce the risk of penalties and reputational damage but also position themselves as trusted custodians of customer data, which is a competitive advantage in Nigeria’s rapidly evolving digital economy.
PRACTICAL STEPS FOR INDIVIDUALS
- Read the stated purposes before agreeing to data collection.
- Use privacy controls to limit unnecessary sharing.
- Exercise your NDPA rights to access, correct, or erase data.
- Avoid granting excessive app permissions.
- Report non-compliance to the NDPC.
CONCLUSION
In Nigeria’s fast-evolving tech space, personal data is not a commodity to be traded away at first use. The NDPA ensures that individuals retain rights while organisations process data under strict legal conditions. As digital interactions expand, the balance between innovation and privacy will depend on both users understanding their rights and businesses embedding compliance into their operations.
KEY REFERENCES
❖ Nigeria Data Protection Act, 2023.
❖ Central Bank of Nigeria, Operational Guidelines for Open Banking, 2023.
❖ Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 (as amended in 2024).
❖ NDPA, Sections 24–32 (Rights of Data Subjects).
❖ NDPA, Sections 25–26 (Lawful Bases for Processing).
❖ NDPA, Sections 41–44 (Cross-Border Transfers).
❖ NDPA, Sections 45–47 (Data Security and Breach Notification).
