Data Protection and Governance in Nigeria – NDPR Nigeria – Digital Governance Essentials

Data Protection and Governance in Nigeria – NDPR Nigeria – Digital Governance Essentials

Data Protection and Governance in Nigeria – NDPR Nigeria – Digital Governance Essentials

Data has become one of the most valuable assets that Nigerian organizations hold, and like all valuable assets, it requires governance.

Every Nigerian business that collects customer information, processes employee records, manages patient data, or handles any personal information in the course of its operations is sitting on a data governance obligation that the Nigerian legal framework now makes impossible to ignore.

The Nigeria Data Protection Act 2023 and its predecessor the Nigeria Data Protection Regulation 2019 have transformed data protection from a best-practice aspiration into a legal requirement with enforcement consequences. For Nigerian organizations that have not yet built data governance frameworks, the question is no longer whether to comply but how quickly the gap between current practice and legal obligation can be closed.

Let me walk you through what data protection governance means, what Nigerian law requires, what specific obligations organizations must meet, and how to build a data governance framework that is both legally compliant and practically effective.

Related service: Business Cardinal provides Data Protection Compliance Assessments to help organizations evaluate their current position against NDPA requirements.


What is data protection and why does it matter for Nigerian organizations?

Data protection is a topic that many Nigerian business leaders treat as a technology department concern. It is not. It is a governance, legal, and organizational matter that touches every part of a business that handles personal information, which in practice means almost every Nigerian organization of any size.

Definition — Data Protection: According to the International Association of Privacy Professionals (IAPP), data protection is defined as “the process of safeguarding important information from corruption, compromise, or loss. In the context of privacy law and regulation, data protection refers specifically to the legal frameworks and organizational practices that govern how personal data about individuals is collected, stored, processed, shared, and ultimately deleted, with the objective of preserving individuals’ rights over their own information and preventing unauthorized or harmful use of that information.”

Personal data, which is the primary subject of data protection law, is any information that can identify a living individual either directly or in combination with other information. In the Nigerian context, this includes names, addresses, phone numbers, email addresses, National Identification Numbers, Bank Verification Numbers, financial account information, health and medical records, biometric data including fingerprints and facial recognition data, location data, employment records, and any other information that relates to an identifiable person.

The reason data protection matters to Nigerian organizations goes beyond legal compliance. Organizations that mishandle personal data face regulatory sanctions and reputational damage that can be commercially devastating. They face civil liability to individuals whose data they have mishandled. They face cybersecurity risks that are amplified by poor data governance practices. And they face the growing reality that customers, employees, and business partners are increasingly aware of their data rights and increasingly willing to assert them.

laptop computer on glass-top table

Why data governance is the framework within which data protection lives

Data governance is the broader organizational discipline that encompasses not just legal compliance with data protection requirements but the full range of policies, processes, and structures through which an organization manages its data assets.

Data governance determines who in the organization has authority over different categories of data, how data quality is maintained, how data is classified and protected according to its sensitivity, how data is retained and ultimately deleted, how data incidents and breaches are detected and managed, and how the organization’s data practices are overseen at the board and management level. For broader governance context, see Corporate Governance: Why Every Nigerian Company Needs It.

Data protection compliance sits within the data governance framework as a specific and legally mandated set of requirements. But organizations that approach data only through the compliance lens, asking what the law requires of them, will build narrower and less effective frameworks than organizations that ask the broader governance question of how they should be managing their data assets to protect their stakeholders, their organization, and their long-term interests.

igerian legal framework for data protection

Knowing which laws apply to your organization is non-negotiable in the current regulatory environment. Nigeria’s data protection legal framework has evolved significantly over the past few years, and understanding the current landscape is essential for any organization building a compliance program.

The Nigeria Data Protection Act 2023

The Nigeria Data Protection Act 2023 (NDPA) is the primary legislation governing data protection in Nigeria. It replaced and significantly expanded upon the earlier Nigeria Data Protection Regulation 2019 (NDPR), establishing a comprehensive legal framework aligned with international data protection standards including the European Union’s General Data Protection Regulation (GDPR). You can read the full text of the NDPA on the Nigeria Data Protection Commission website.

The NDPA applies to any person or organization that processes the personal data of individuals in Nigeria, regardless of whether the processing organization is located in Nigeria or abroad. This extraterritorial scope means that Nigerian subsidiaries of international companies, international companies processing data about Nigerian citizens, and Nigerian companies processing data about non-Nigerians are all potentially within the scope of the Act.

The NDPA establishes the Nigeria Data Protection Commission (NDPC) as the independent regulatory authority responsible for administering and enforcing data protection law in Nigeria. Visit the NDPC official website for enforcement guidelines and regulatory updates.

Key principles of the Nigeria Data Protection Act 2023

The NDPA is built on a set of core principles that govern how personal data must be handled. Every organization that processes personal data must understand and apply these principles because they underpin every specific obligation the Act imposes.

Lawfulness, Fairness, and Transparency. Personal data must be processed lawfully, meaning there must be a valid legal basis for every processing activity. It must be processed fairly, meaning the interests of the data subject must be considered. And it must be processed transparently, meaning individuals must be informed about how their data is being used.

Purpose Limitation. Personal data collected for one specified purpose cannot be used for a different, incompatible purpose without the data subject’s knowledge and consent. An organization that collects customer contact details for order delivery cannot subsequently use those details for marketing campaigns without a separate legal basis for that additional processing.

Data Minimization. Organizations should only collect and process the personal data that is actually necessary for the specific purpose for which it is being processed. Collecting more data than is needed, often called data hoarding, is a violation of this principle and increases both compliance risk and cybersecurity exposure. For guidance on cybersecurity, see Cybersecurity Strategy for Nigerian Businesses Facing Rising Digital Threats.

Accuracy. Personal data must be accurate and kept up to date. Organizations must have processes for correcting inaccurate data and for responding to data subject requests to update their information.

Storage Limitation. Personal data must not be retained for longer than is necessary for the purpose for which it was collected. Organizations must have documented retention schedules that define how long each category of personal data will be kept and what will happen to it at the end of its retention period.

Integrity and Confidentiality. Personal data must be processed with appropriate security measures to protect it against unauthorized access, accidental loss, destruction, or damage. This principle requires technical and organizational security measures proportionate to the sensitivity of the data being processed. The National Information Technology Development Agency (NITDA) provides cybersecurity guidelines that complement these requirements.

Accountability. Organizations are responsible for complying with the NDPA and must be able to demonstrate their compliance. This accountability principle is the foundation of the data governance obligation: it is not sufficient to comply in practice; organizations must also be able to show that they comply through documented policies, procedures, training records, and audit trails.

The Nigeria Data Protection Regulation 2019

The NDPR 2019, issued by the National Information Technology Development Agency (NITDA) before the NDPA was enacted, established the initial data protection framework in Nigeria. While the NDPA has superseded the NDPR as the primary legal instrument, organizations should be aware that compliance obligations and guidance issued under the NDPR framework continue to inform the interpretation and implementation of data protection requirements in Nigeria during the transition to full NDPA implementation. See NITDA’s official NDPR guidance for reference.

The NDPC has been progressively building its enforcement infrastructure since the NDPA came into force. Enforcement actions, compliance audits, and regulatory investigations are becoming more frequent and more consequential. Organizations that were treating the NDPR era as a period of regulatory tolerance should update their understanding. The NDPA enforcement environment is materially different, and organizations that have not built adequate compliance programs are carrying real and growing regulatory risk.

A wooden gavel and legal book represent justice in a court setting, emphasizing order and legal authority.

Who must comply: understanding data controller and data processor obligations

The NDPA creates distinct obligations for different roles in the data processing chain. One of the most important concepts in Nigerian data protection law is the distinction between data controllers and data processors, because these two roles carry different legal obligations and different levels of regulatory exposure.

What is a data controller?

A data controller is any person or organization that determines the purposes and means of processing personal data. In plain terms, the data controller is the entity that decides what personal data is collected, why it is collected, and how it is used. A bank that collects customer financial information to provide banking services is a data controller. A hospital that collects patient medical records to provide healthcare is a data controller. An employer that collects employee personal information to manage the employment relationship is a data controller.

Data controllers carry the primary legal obligations under the NDPA. They are responsible for ensuring that all data processing activities have a valid legal basis, that data subjects are properly informed about how their data is being used, that data subject rights are respected and can be exercised, that appropriate security measures are in place, and that the organization can demonstrate compliance with the NDPA. Data controllers must register with the NDPC and must submit annual data protection compliance reports.

What is a data processor?

A data processor is any person or organization that processes personal data on behalf of a data controller. The data processor does not determine the purposes of the processing. It acts on the instructions of the data controller. A cloud computing company that stores a Nigerian bank’s customer data is a data processor. A payroll company that processes a corporation’s employee salary information is a data processor. A marketing company that sends promotional communications on behalf of a retail company is a data processor.

Data processors carry their own direct obligations under the NDPA including implementing appropriate security measures, processing data only on the controller’s documented instructions, assisting the controller in meeting its obligations to data subjects, maintaining records of processing activities, and notifying the controller of data breaches without undue delay.

The relationship between controllers and processors must be governed by a written data processing agreement that specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects, and the obligations and rights of the controller.

Large Data Controllers

The NDPA introduces a specific category of Large Data Controllers, organizations that process significant volumes of personal data above defined thresholds, which carry additional compliance obligations. Large Data Controllers must appoint a Data Protection Officer, conduct Data Protection Impact Assessments for high-risk processing activities, and may be subject to more intensive NDPC oversight. Organizations that process personal data at significant scale, including major banks, telecommunications companies, e-commerce platforms, and large employers, should assess whether they meet the Large Data Controller threshold. For guidance on internal controls, see Internal Control Over Procurement in Nigeria.

The six lawful bases for processing personal data

Every data processing activity in your organization must have a valid legal basis or it is unlawful. One of the most practically important concepts in the NDPA is the requirement that every processing of personal data must have a lawful basis. Organizations cannot collect or use personal data simply because it would be useful or convenient to do so. There must be a specific legal justification for each processing activity.

The NDPA recognizes six lawful bases for processing personal data.

Consent. Processing is lawful where the data subject has given clear, specific, and informed consent to the processing of their personal data for a specific purpose. Consent under the NDPA must be freely given, meaning it cannot be a condition of receiving a service that does not require the personal data in question. It must be specific, meaning blanket consent for all possible uses of personal data is not valid. It must be informed, meaning the data subject must understand what they are consenting to. And it must be capable of being withdrawn, meaning organizations must have mechanisms through which individuals can withdraw consent and stop the processing of their data.

The requirement for granular, informed consent has significant practical implications for Nigerian organizations that have relied on broad consent clauses buried in lengthy terms and conditions documents. These practices do not meet the NDPA consent standard and must be reformed.

Contract. Processing is lawful where it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request before entering into a contract. A bank processing customer financial data to execute a transfer instruction is processing on a contractual basis. An employer processing employee payroll data to pay salaries is processing on a contractual basis.

Legal Obligation. Processing is lawful where it is necessary for compliance with a legal obligation to which the controller is subject. An employer that processes employee personal data to comply with PAYE tax reporting obligations, or a bank that processes customer data to comply with AML and KYC requirements, is processing on the legal obligation basis. For related compliance obligations, see Anti-Money Laundering Compliance for Non-Financial Firms in Nigeria.

Vital Interests. Processing is lawful where it is necessary to protect the vital interests of the data subject or another natural person. This basis applies primarily in emergency situations involving threats to life or physical safety.

Public Task. Processing is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis is primarily relevant to public sector organizations and regulators.

Legitimate Interests. Processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the interests or fundamental rights of the data subject. The legitimate interests basis requires a balancing assessment that weighs the controller’s interests against the data subject’s interests and rights.

The NDPC has been issuing guidance on the application of the lawful bases in the Nigerian context, with particular attention to the use of consent and legitimate interests as bases for marketing and data analytics processing. Check the NDPC website for the latest regulatory guidance. Organizations that have relied on overly broad or poorly documented lawful bases should review and strengthen their documentation in light of this emerging guidance.

Data subject rights: what individuals are entitled to and how organizations must respond

The NDPA gives individuals real rights over their personal data, and organizations must have systems to honor those rights. One of the most significant and practically demanding aspects of Nigerian data protection law is the set of rights it grants to individuals over their personal data. These rights are not aspirational. They are legally enforceable entitlements that organizations must have systems and processes in place to honor within specified timeframes.

The Right to Be Informed. Data subjects have the right to be informed about how their personal data is being used. This right is primarily fulfilled through a privacy notice, a clear and accessible document that explains what personal data is collected, why it is collected, what legal basis applies, how long it is retained, who it is shared with, and how data subjects can exercise their rights. Privacy notices must be provided at the point of data collection and must be written in clear, plain language that the intended audience can understand.

The Right of Access. Data subjects have the right to request a copy of the personal data an organization holds about them and information about how that data is being processed. This request is called a Subject Access Request (SAR), and organizations must respond within one month of receiving a valid request. Responding to SARs requires organizations to have systems that can locate and compile all personal data held about a specific individual across all the organization’s systems and records, which is a significant operational capability that many Nigerian organizations do not currently have.

The Right to Rectification. Data subjects have the right to have inaccurate personal data corrected and incomplete personal data completed. Organizations must have processes for receiving and acting on rectification requests within specified timeframes.

The Right to Erasure. Data subjects have the right in certain circumstances to have their personal data deleted. This right is not absolute. It does not apply where the processing is necessary for compliance with a legal obligation, for public interest tasks, or for the establishment or defense of legal claims. But where none of these exceptions apply, organizations must be able to delete personal data and confirm that deletion to the data subject.

The Right to Data Portability. Where processing is based on consent or contract and is carried out by automated means, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This right has significant implications for banks, telecommunications companies, and digital platforms that hold large volumes of customer data.

The Right to Object. Data subjects have the right to object to processing based on legitimate interests and to processing for direct marketing purposes. Where a data subject objects to processing for direct marketing, the organization must stop that processing immediately without any assessment of competing interests.

Building a data governance framework for Nigerian organizations

Understanding data protection law is one thing. Building the organizational systems that deliver consistent compliance is another and substantially more demanding challenge. A data governance framework for a Nigerian organization must address several interconnected components.

Data mapping and records of processing activities

The foundation of any data governance framework is a comprehensive map of the personal data the organization holds and how it is processed. This data map should identify every category of personal data collected, the source from which it is collected, the purpose for which it is processed, the legal basis relied upon, the systems in which it is held, the third parties with whom it is shared, the countries to which it is transferred, and the retention period applicable to each data category.

This data map feeds into the Records of Processing Activities (ROPA), which is a formal documentation requirement under the NDPA for organizations that meet certain size or processing volume thresholds. The ROPA must be maintained, kept current as processing activities change, and made available to the NDPC on request.

A diverse team engaged in a business meeting, fostering collaboration and teamwork in an office setting.

Privacy notices and consent management

Every touchpoint at which the organization collects personal data requires a privacy notice that meets the NDPA information requirements. For a Nigerian bank, this means privacy notices for account opening, mobile banking, credit applications, marketing communications, and every other processing activity. For a hospital, it means privacy notices for patient registration, medical records management, and any research uses of patient data.

Where processing relies on consent, the organization must have a consent management system that records what consent was given, when, and for what specific purpose, and that allows individuals to withdraw consent and have that withdrawal recorded and acted upon.

Data Protection Officer

Large Data Controllers are required to appoint a Data Protection Officer (DPO). The DPO must have expert knowledge of data protection law and practice, must be independent in the performance of their functions, and must report directly to the highest management level of the organization. The DPO’s responsibilities include monitoring compliance with the NDPA, providing advice on Data Protection Impact Assessments, cooperating with the NDPC, and serving as the contact point for data subjects exercising their rights and for the NDPC in regulatory interactions.

For organizations that are not required to appoint a DPO, having a designated data protection lead with clear responsibility for data governance oversight is still a governance best practice that improves compliance consistency and accountability. For support, see Capacity Building and Training Services.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a structured process for identifying and assessing the privacy risks of high-risk processing activities before they begin. The NDPA requires DPIAs for processing activities that are likely to result in high risk to the rights and freedoms of individuals, including processing involving large-scale processing of sensitive personal data, systematic monitoring of individuals, use of new technologies with uncertain privacy implications, and processing of children’s data.

DPIAs must identify the necessity and proportionality of the proposed processing, assess the risks to data subjects, and identify the measures that will be taken to address those risks. Where a DPIA identifies a high residual risk that cannot be adequately mitigated, the organization must consult with the NDPC before proceeding with the processing activity.

Data breach response

The NDPA requires organizations to report personal data breaches to the NDPC within 72 hours of becoming aware of the breach, where the breach is likely to result in risk to individuals’ rights and freedoms. Where the breach is likely to result in high risk to individuals, affected data subjects must also be notified without undue delay.

Having a data breach response plan that enables the organization to detect, contain, assess, and report breaches within the 72-hour window is an operational necessity for NDPA compliance. Many Nigerian organizations currently lack the detection and response infrastructure to meet this requirement, and addressing this gap should be a priority in any data governance improvement program.

Data transfers outside Nigeria

The NDPA restricts the transfer of personal data to countries outside Nigeria unless adequate protections are in place. Transfers are permitted to countries that the NDPC has determined provide an adequate level of data protection, or on the basis of appropriate safeguards including standard contractual clauses, binding corporate rules for intra-group transfers, and other mechanisms approved by the NDPC.

For Nigerian organizations with international operations, international cloud service providers, or data sharing arrangements with foreign counterparties, the cross-border transfer restrictions have significant practical implications that must be addressed in data governance frameworks.

Staff training and awareness

Every employee who handles personal data must receive training on data protection obligations, the organization’s data governance policies, and their specific responsibilities in relation to personal data. Training must cover how to identify and handle personal data correctly, how to respond to data subject rights requests, how to recognize and report suspected data breaches, and the consequences of non-compliance for both the organization and individual employees.

Training must be delivered at induction for new employees and refreshed regularly as requirements evolve and as new processing activities or systems are introduced

The NDPC has been developing sector-specific data protection guidelines for industries including healthcare, financial services, telecommunications, and education, which provide more detailed implementation guidance tailored to the specific processing activities and risks of each sector. Monitor the NDPC website for sector-specific guidance. Organizations in these sectors should be monitoring and incorporating sector-specific guidance into their compliance frameworks as it is published.

The consequences of data protection non-compliance in Nigeria

The penalties are real, and enforcement is accelerating. Organizations that fail to meet their data protection obligations under the NDPA face a range of regulatory, financial, and reputational consequences that the regulatory environment is making increasingly real.

Administrative Fines. The NDPA empowers the NDPC to impose administrative fines on organizations that violate its provisions. Fines can be significant, with the Act providing for penalties of up to two percent of annual gross revenue or ten million naira, whichever is higher, for less serious violations, and up to four percent of annual gross revenue or twenty million naira, whichever is higher, for more serious violations including processing personal data without a lawful basis, failing to implement adequate security measures, and obstructing NDPC investigations.

Compliance Notices and Enforcement Orders. Beyond financial penalties, the NDPC can issue compliance notices requiring organizations to take specific remediation actions, enforcement orders directing organizations to cease non-compliant processing activities, and in serious cases, orders to delete personal data that has been unlawfully processed.

Reputational Consequences. Data breaches and data protection enforcement actions attract public attention and media coverage in ways that create reputational damage extending well beyond the regulatory sanction itself. For Nigerian organizations whose business models depend on customer trust, including banks, insurance companies, healthcare providers, and digital platforms, the reputational consequences of data protection failures can be more commercially damaging than the regulatory penalties.

Civil Liability. The NDPA provides individuals with the right to seek compensation from organizations that have violated their data protection rights and caused them damage, whether material damage including financial loss or non-material damage including distress. As awareness of data rights grows among Nigerian consumers, the prospect of civil claims arising from data protection failures is becoming a real legal risk for Nigerian organizations.

Close-up of a handshake between colleagues in a professional office setting, emphasizing teamwork and agreement.

Practical data governance checklist for Nigerian organizations

A starting point for assessing your organization’s current data protection compliance position:

Legal Foundation. Has your organization identified all personal data it processes and documented this in a data map? Has a valid lawful basis been identified and documented for every processing activity? Are privacy notices in place at every data collection touchpoint, and do they meet NDPA requirements?

Data Subject Rights. Does your organization have processes for receiving and responding to Subject Access Requests within one month? Are there processes for handling rectification, erasure, portability, and objection requests? Is there a mechanism for individuals to withdraw consent and have that withdrawal acted upon?

Security and Breach Response. Are appropriate technical and organizational security measures in place to protect personal data? Is there a documented data breach response plan that enables 72-hour NDPC notification? Has the organization identified and addressed the most significant data security vulnerabilities in its systems?

Data Protection Officer. If your organization is a Large Data Controller, has a qualified DPO been appointed with the required independence and direct reporting to senior management?

Third Party Management. Are data processing agreements in place with all vendors and service providers who process personal data on your behalf? Have cross-border data transfer arrangements been reviewed against NDPA requirements?

Training. Are all employees who handle personal data receiving regular data protection training? Are training records maintained?

NDPC Registration. Has your organization registered with the NDPC as required, and is annual compliance reporting up to date?

Key data protection terms every Nigerian organization should know

Personal Data. Any informatnumbers, location data, online identifiers, and factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person.

Sensitive Personal Data. A special category of personal data that carries higher risk and requires additional protection. Under the NDPA, sensitive data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, biometric data, and data concerning sex life or sexual orientation.

Data Controller. An organization or person that determines the purposes and means of processing personal data. Carries primary legal obligations under the NDPA.

Data Processor. An organization or person that processes personal data on behalf of a data controller. Carries direct obligations under the NDPA and must operate under a written data processing agreement with the controller.

Data Protection Officer (DPO). A designated expert responsible for monitoring an organization’s compliance with data protection law, advising on Data Protection Impact Assessments, and liaising with the NDPC. Required for Large Data Controllers under the NDPA.

Data Protection Impact Assessment (DPIA). A structured process for assessing the privacy risks of high-risk processing activities before they commence. Required under the NDPA for processing likely to result in high risk to individuals.

Subject Access Request (SAR). A formal request by a data subject to access the personal data an organization holds about them. Must be responded to within one month under the NDPA.

Records of Processing Activities (ROPA). A documented inventory of all personal data processing activities carried out by an organization, required to be maintained by data controllers and processors above defined thresholds.

Data Breach. A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Must be reported to the NDPC within 72 hours where likely to result in risk to individuals.

Privacy Notice. A document provided to data subjects at the point of data collection that explains how their personal data will be used, the legal basis for processing, retention periods, data subject rights, and how to exercise those rights.

How Business Cardinal Supports Data Protection Governance in Nigeria

At Business Cardinal, we work with Nigerian organizations to build data protection governance frameworks that meet NDPA requirements, satisfy investor and regulatory expectations, and protect the organization and its stakeholders from the legal, financial, and reputational risks of data protection failures.

Related services from Business Cardinal:

For organizations needing structured governance frameworks, COSO Framework Implementation Services provides guidance on integrating data protection controls into enterprise risk management. For companies requiring audit and oversight support, Internal Audit Support Services helps strengthen control monitoring and compliance. And for organizations needing to build internal data protection capabilities, Capacity Building and Training Services offers hands-on training programs for data governance and privacy awareness.

Recommended reading from the Business Cardinal blog:

To understand how governance fits into broader organizational strategy, read Corporate Governance: Why Every Nigerian Company Needs It. For guidance on managing data protection alongside other compliance obligations, see Anti-Money Laundering Compliance for Non-Financial Firms in Nigeria. And for strategies to protect data assets through internal controls, take a look at Internal Control Over Procurement in Nigeria.

Let’s work together

Does your organization have a data governance framework that meets the requirements of the Nigeria Data Protection Act 2023? The organizations that treat data protection as a genuine governance priority today are the ones that will face fewer regulatory surprises, fewer breach consequences, and fewer investor concerns about data risk tomorrow.

Contact us today:

📧 Email: hello@businesscardinal.com
📞 Phone: +234 802 320 0801
📍 Address: 5, Ishola Bello Close, Off Iyalla Street, Alausa, Ikeja, Lagos, Nigeria

Contact Business Cardinal to request a data protection compliance assessment.

Take the first step toward data governance that protects your organization, your customers, and your reputation.

Business Cardinal – Your Partner in Data Protection Governance

References

  1. International Association of Privacy Professionals (IAPP). What is Data Protection? Available at: https://iapp.org/resources/article/what-is-data-protection/

  2. Federal Government of Nigeria. Nigeria Data Protection Act 2023. Available at: https://ndpc.gov.ng

  3. Nigeria Data Protection Commission (NDPC). Regulatory Guidelines and Enforcement Guidance. Available at: https://ndpc.gov.ng

  4. National Information Technology Development Agency (NITDA). Nigeria Data Protection Regulation 2019. Available at: https://nitda.gov.ng

  5. Financial Reporting Council of Nigeria. Nigerian Code of Corporate Governance 2018 — Digital Governance Provisions. Available at: https://www.frcnigeria.gov.ng

  6. Central Bank of Nigeria. Cybersecurity Framework and Data Governance Guidelines for Financial Institutions. Available at: https://www.cbn.gov.ng

  7. European Union. General Data Protection Regulation (GDPR) — Reference Framework. Available at: https://gdpr.eu

  8. African Union. African Union Convention on Cyber Security and Personal Data Protection. Available at: https://au.int

  9. Information Commissioner’s Office (UK). Guide to Data Protection — Reference Resource. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/

There are no comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Start typing and press Enter to search

Shopping Cart
wpChatIcon
wpChatIcon