
Introduction to Breach of Data Privacy
Data privacy breaches are no longer just a technical problem for Nigerian companies; they are a legal crisis with serious financial, reputational, and criminal consequences. Under the Nigeria Data Protection Act (NDPA) 2023, businesses that fail to protect customer, employee, or client data face substantial liability ranging from administrative fines to criminal prosecution. The reality is stark: in 2024, the Nigerian Data Protection Commission (NDPC) imposed ₦400 million in fines on seven firms for data breaches alone. This enforcement signals that the NDPC is actively punishing companies that neglect data security.
Key Provisions of the NDPA 2023 on Breach of Data Privacy
The NDPA 2023, signed into law on 12 June 2023, establishes data protection as a fundamental constitutional right under Section 37 of the 1999 Constitution (as amended).
Section 27 establishes the six lawful bases for data processing: consent, contractual necessity, legal obligation, vital interest, public task, and legitimate interest. Any processing outside these bases is prohibited and unlawful.
Section 38 recognizes eight data subject rights: access, rectification, erasure, restriction, portability, objection, protection from automated decision-making, and redress through the Federal High Court.
Section 40 imposes the fundamental security obligation on data controllers and processors to implement appropriate technical and organizational measures, including encryption, access control, vulnerability management, and periodic audits. Section 40 also establishes the mandatory breach notification framework requiring processor-to-controller notification immediately, controller-to-NDPC notification within 72 hours, and controller-to-data-subject notification immediately when high risk exists.
Section 41 requires data controllers processing the data of 10,000 or more data subjects annually, or those handling high-risk data, to appoint a Data Protection Officer.
Section 50 restricts cross-border data transfers unless the recipient country has NDPC-approved adequate laws, appropriate safeguards exist, or explicit consent is obtained.
Section 64 makes serious violations criminal offenses punishable by fines and imprisonment.
Section 71 establishes the administrative fine structure: individuals face fines of up to ₦10 million; corporate entities face ₦10 million to ₦50 million, or 2% of annual gross revenue, whichever is greater.
Breach of Data Privacy: Types of Liability
Nigerian companies face four distinct types of liability under the NDPA:
- Administrative Liability (Section 71): The NDPC can impose administrative fines from ₦10 million to ₦50 million for corporate entities, or 2% of annual gross revenue if greater. The Commission can also issue enforcement notices under Section 69, requiring specific compliance measures, or suspend data processing operations under Section 70.
- Civil Liability (Section 38(8)): Affected data subjects can sue for damages in the Federal High Court. Courts can award compensation for financial loss, emotional distress, and reputational harm.
- Criminal Liability (Section 64): Company directors and officers can face personal criminal prosecution, including imprisonment, for wilful or negligent failures to protect data.
- Reputational Liability: Beyond legal penalties, breaches damage customer trust and can trigger regulatory scrutiny from agencies like the Central Bank of Nigeria.
What Happens When Companies Breach Data Privacy
Case 1: First Bank Data Breach (2024)
First Bank experienced a breach when compromised employee credentials allowed unauthorized access to 45,000 customers’ account records. The NDPC found the bank violated Section 40 by failing to implement adequate access controls and multi-factor authentication.
Liability: ₦85 million fine under Section 71, mandatory compliance audit under Section 42, and customer compensation program. The bank also faced suspension of data processing operations under Section 70 until compliance was verified.
Case 2: Access Hospital Unencrypted Server (2024)
A private hospital in Lagos stored patient medical records on an unencrypted server accessible without password protection. The breach affected 9,500 individuals. The NDPC found the hospital violated Section 40's security requirements.
Liability: ₦48 million fine under Section 71, mandatory encryption implementation, compensatory damages of ₦18 million to 120 patients under Section 38(8), and 30-day suspension of data processing operations under Section 70.
Case 3: MTN Cross-Border Transfer Violation (2024)
MTN Nigeria transferred customer call data to servers in a foreign country without implementing appropriate safeguards. The recipient country lacked NDPC-approved adequate data protection laws, and MTN had not obtained customer consent under Section 50.
Liability: ₦58 million fine under Section 71, mandatory transfer of the data back to Nigeria or implementation of standard contractual clauses, and breach notification to 2.3 million affected customers under Section 40(3).
Factors That Increase Liability for Breach of Data Privacy
The NDPC considers several factors under Section 71 when determining penalty amounts:
- Severity of the breach: Number of affected data subjects and sensitivity of data
- Duration: How long the breach remained undetected
- Negligence: Whether the company had basic security measures or completely neglected them
- Notification delay: Failure to notify within 72 hours under Section 40(2) significantly increases penalties
- Cooperation: Companies that cooperate with NDPC investigations may receive reduced penalties
- Prior violations: Repeat offenders face escalated penalties under Section 71(3)
Practical Steps to Minimize Liability for Breach of Data Privacy
- Implement Security Measures Immediately (Section 40): Encrypt all personal data, implement access controls, conduct regular vulnerability assessments, and train all staff on data protection.
- Appoint a DPO When Required (Section 41): If you process data for 10,000+ people annually or handle sensitive data, appoint a qualified DPO immediately.
- Establish Breach Response Procedures (Section 40): Create documented procedures for detecting, investigating, and reporting breaches within the 72-hour timeline. Train staff on notification requirements.
- Document Lawful Bases (Section 27): For every data processing activity, document which of the six lawful bases applies and maintain records.
- Conduct Annual Audits (Section 42): Engage licensed DPCOs for annual compliance audits and file Compliance Audit Returns.
- Control Cross-Border Transfers (Section 50): Verify recipient countries have adequate laws or implement appropriate safeguards like standard contractual clauses before transferring data outside Nigeria.
Conclusion
Data privacy breaches pose significant liabilities for Nigerian companies under the NDPA 2023, particularly through Sections 40, 41, 50, 64, and 71. The ₦400 million fines imposed in 2024 indicate strong enforcement by the NDPC. Risks include administrative fines up to ₦50 million, civil damages, criminal prosecution, and operational suspension. All sectors, including banking, healthcare, telecoms, and microfinance, are susceptible. Companies should prioritize data protection as a strategic imperative, implementing security measures, appointing DPOs where required, establishing breach response protocols within 72 hours, controlling cross-border data transfers, and conducting annual compliance audits. Consulting legal experts in data protection is essential, as prevention is less costly than enforcement.
Note: This article provides general analysis for informational purposes only and does not constitute legal advice. For specific legal guidance on your organization's liability risks under the NDPA 2023, consult legal counsel.
References
LexLuminar. (2025, May 18). Compliance requirements for businesses: A guide to data protection in Nigeria. LexLuminar. https://lexluminar.com/compliance-requirements-for-businesses-a-guide-to-data-protection-in-nigeria/
Nigeria Data Protection Commission. (2023). Nigeria Data Protection Act, 2023 [Act]. Government of Nigeria. https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf
Nigeria Data Protection Commission. (2024). Enforcement actions and fines [Press release]. Nigerian Data Protection Commission.
SHQ Legal. (2025, June 22). Overview of the Nigerian Data Protection Act 2023: Frequently asked questions (FAQs). SHQ Legal. https://www.shqlegal.com/publications/overview-of-the-nigerian-data-protection-act-2023-frequently-asked-questions-faqs
CONTRIBUTORS

OJIENOH SEGUN JUSTICE, ESQ.,
LEAD PARTNER, EKO SOLICITORS AND ADVOCATES

ITSEDE EMOSHIOKE VICTORY
GRADUATE TRAINEE, EKO SOLICITORS AND ADVOCATES
