The advancement of technology over the years has transitioned almost all aspects of a man’s life to the internet. Individuals are increasingly using various social media platforms, websites, and other internet platforms, generating, collecting, processing, and storing their personal data at an unprecedented level. Due to the exorbitant amount of data generated through Information and Communications Technology (ICT) and Telecommunication, including the financial sector, several problems such as identity theft, web attacks, and unlawful/unauthorised use of personal information arise[1]. As of August 2017, there were about 3.5 billion global mobile internet users. Therefore, with the growing number of internet users, it is important that the personal information of customers is secured. Nigeria currently has over 100 million internet subscribers according to the Nigeria Communication Commission.

In the light of the imminent risk, abuse, breach, and misuse of personal data, there is a need to safeguard personal information both physically and electronically. This has ushered in increasing legislation on privacy and protection of personal data globally. This is evident recently with the European Union’s General Data Protection Regulation (GDPR).


The GDPR came into force on 25th May 2018 in order to regulate the processing of personal data within the EU and of EU residents. The purpose of the regulation is to improve data protection standards worldwide, as its remit extends beyond the EU, especially to non-EU organisations that offer goods and services to EU residents or monitor their behaviour even though the processing of data occurs outside the EU.[2] As a regulation, the GDPR has a direct effect on Member States’ laws and, as a result, has replaced both the European Directive (Directive 95/46/EC) and Member State national laws on data protection. It is important to note that, while the GDPR aims at harmonising the data protection framework within the EU, it also gives room for the Member States to enact their own data protection requirements in certain circumstances and extends this right to the European Commission to make delegated acts.

The GDPR applies to “personal data”, that is, information that assists in identifying a natural person. Such data include name, location, identification number, and other factors specific to the physical, genetic, mental, or social identity, and are not limited to online identifiers such as an IP address. It further includes sensitive information about an individual, which includes race, sex, religion, health, genetic or biometric data and sexual orientation.[3]

The regulation expands the rights of data subjects and increases the obligations of data controllers and processors in relation to the processing of personal data. The regulation also provides the legal bases for processing of data, which include consent for both adults and children, the performance of a contract, protection of vital interests of data subjects and performance of a task carried out in the public interest or under authority vested in the controller[4].

Further, the regulation clearly states the rights of data subjects. These rights include:

  1. Right to information about the data being processed and the rationale behind the processing.
  2. Right to access the personal data of the data subject.
  3. Right to rectification: that is, the right to ask the data processor for a modification of personal data.
  4. Right to object to the processing of the personal data of data subjects.
  5. Right to object to the automated processing of data.
  6. Right to be forgotten.
  7. Right to data portability: that is, the right to transfer personal data to another controller.
  8. Right to lodge a complaint with a supervisory authority and to a judicial remedy.

All these rights highlight the extent to which a data subject can control his personal data in the custody of a data processor or controller, with limited restrictions.

Furthermore, the GDPR ensures that data controllers include privacy by design at the development phase when creating systems, instead of establishing protection measures as an added element. Also, the regulation makes provision for the implementation of security and organisational measures at the time of processing to ensure the protection and safeguarding of data subjects through pseudonymisation[5] and encryption of data. This is to promote confidentiality and integrity of personal data. The supervisory authorities in the respective Member States are to enforce the regulation. Data controllers are to report breaches of personal data within 72 hours to the supervisory authorities, and without undue delay to the data subject, except where the breach is unlikely to risk the rights and freedoms of natural persons[6] or if necessary security measures have been taken.

The GDPR, being an extensive regulation, did not leave the issue of consent off its radar. Consent is seen to be very sensitive and important in the regulation. As a result, consent must be freely given, specific, informed and unambiguous, indicating the data subject’s wishes via a statement or action which signifies agreement to the processing of his personal data[7]. Also, consent to the processing of personal data must be as easy to withdraw as it was to give. To process sensitive personal data, consent must be explicit. It is the duty of data controllers to demonstrate that consent was given[8]. Consent also extends to children who are 16 years old and can lawfully have their personal data processed. Where the child is below the age of 16 years, the processing of such data shall be lawful only if consent has been given/authorised by the holder of parental responsibility over the child[9].


The National Information Technology Development Agency (NITDA) is empowered under Section 6 of the NITDA Act 2007 to develop guidelines on the issue of privacy and protection of personal data. Premised on its mandate, it published its draft Data Protection Guideline 2017 (hereinafter referred to as the Guideline). It is important to state that Nigeria does not have a single comprehensive legislative framework on the protection of personal data. Pieces of data protection are embedded in different Acts such as the Constitution of the Federal Republic of Nigeria (as amended) 1999, the Credit Reporting Act 2017, and other legislation. There are ongoing legislative efforts at enacting data protection legislation[10].


The Guideline is divided into five parts: preliminaries, data protection principles, data collection and processing, data access, and implementation of guidelines.


The preliminaries explain the various terms used in the guideline for ease of understanding when mentioned. They further state the persons and bodies to which the guidelines refer, and these include Public and Private Sectors, Federal, Local and State Government agencies, Data Collectors, custodians, administrators, system auditors and data security organisations.


The guideline took on the extraterritorial application garb of the GDPR. It applies to data controllers and administrators processing the personal data of persons within Nigeria and also “persons based outside Nigeria if they process personal data of Nigerian residents and citizens”. The guideline further applies to the collection, accessing and processing of personal data wholly or partly by automatic and non-automatic means. The extraterritorial intention is ambitious and commendable; however, the guideline failed to distinguish the category of processing covered. The GDPR was specific about processing that monitors behaviour within the EU, and the offering of goods and services to subjects in the Union.


The Data Protection principles briefly state that data subjects must be informed of the purposes for which their data is collected. They further state that the data controller shall publish, on a noticeable part of the website, a privacy policy that will state the consent of the data subject, a description of the personal information obtained, the technical methods used to obtain information, how data is shared, and confidentiality rights. The guideline also tries to lay emphasis on the collection of only “needed data”, which can be interpreted as a purposeful collection of data. Furthermore, data controllers shall give data subjects the opportunity to update their personal data, which can be construed to mean rectification and modification of data.



Additionally, the guideline states that data controllers shall develop cybersecurity safeguards to protect data from hackers by using security measures such as firewalls, data encryption technologies, organisational policy, and staff training[11].


Cross-border data transfer outside Nigeria to a third party state is permissible under the Data Protection Guideline; however, the receiving country shall also have data protection guidelines or legislation. Data can also be transferred to a third party state where it forms part of the fulfillment of a contract/contract with clear terms on the protection of personal data, and if the data subject consents to the transfer. This part of the guidelines is very vague, as it did not state the standard which the legislation of the receiving country must meet in order for personal data of data subjects to be transferred. The EU Commission has the adequacy regime. It is important that Nigeria hold third countries to a higher standard of protection.


Finally, the guidelines require that organisations should employ the services of a Data Security Officer who will be a compliance officer and ensure adherence to data protection and privacy policies and procedures, training employees to promote awareness and compliance with privacy and data security policies which is similar to the need for a data protection officer under the GDPR.



It can be seen from the draft guidelines that efforts were made to bring the guideline up to global data protection standards and protect the personal data of natural persons. Unfortunately, the guideline is inadequate in light of existing technology and imminent risk; it requires more in-depth analysis which caters for the prevailing technological trend and the privacy rights of Nigerians. Nigeria has over 100 million internet users and a burgeoning digital economy. There is a need for public authorities to be held more accountable for the handling of data in an age where the government is more concerned about harnessing the data of Nigerians without adequate safeguards or judicial remedy for breach.


The guidelines lack authenticity and originality and seem to be a smaller version of the GDPR, as they fail to take cognizance of the peculiarity of the Nigerian tech space. Although the intention to protect the personal data of data subjects can be seen, the guideline fails to clearly state whether NITDA will act as the supervisory authority, and there is no penal or administrative fine regime for violation. It appears an action for violation of the guideline will be brought pursuant to the agency’s Act.


Also, there should be a clear timeframe for notification of the supervisory authorities and the data subject in the event of a breach. The provision on notifications should be reconciled with the provision of section 21 of the Cybercrimes Act, which mandates compulsory reporting of breaches[12].


In a situation where there is a breach or misuse of data by data controllers/processors against data subjects, the data subjects have no public data protection authority to which to make such complaints. Furthermore, no court was mentioned as having the requisite jurisdiction to try such matters on breach of personal data by data controllers/processors[13]. No penalty or fines were stated for breach by organisations, which would ensure strict compliance with the guidelines, as is seen in the GDPR, where there is an administrative fine as high as 4% of global annual turnover of the preceding financial year[14].


It is advised that the Data Protection Guideline 2017 be thoroughly revised and re-drafted, taking explicit note of better security measures that will strengthen data protection in Nigeria. The draft presents a unique opportunity for Nigeria to provide a legal framework for electronic communications and disruptive technologies (like blockchain, internet of things (IoT), big data, and Artificial Intelligence).


Motunrayo Akinyemi

Motunrayo Akinyemi is an Associate with Tayo Oyetibo LP

[1] Perchstone & Graeys, 2016. Nigeria: Data Protection in Nigeria: A Call for a Single Legislative Framework. Mondaq. Available at:

[2] Bolger, P. Kelly, J, Walsh, C., 2017. Background and Introduction to the General Data Protection Regulation. Lexology. Available at: Accessed on 6th June 2018


Article 3 (2) of the GDPR

[3] Article 4 (1) of the GDPR

[4] Article 6 (1) of the GDPR

[5] Pseudonymisation is a method to replace identifiable data of a data subject in a way that additional information is required to re-identify the data subject

[6] Article 33 of the GDPR

[7] Article 4 (11) of the GDPR

[8] Article 7 (1) of the GDPR

[9] Article 8 of the GDPR

[10] More recent is the Digital Rights and Freedom Bill, which has provisions on data protection. The Bill is currently awaiting the President’s assent. The Data Protection Bill is pending before the Nigerian parliament.

[11] Section 4.2 (7) (11) of the Data Protection Guidelines 2017

[12] The Cybercrimes Act requires that the report be made within 7 days to the Ng CERT, which is considered too long.

[13] The Digital Rights and Freedom Bill suggests the Federal High Court and State High Court.

[14] Article 83 of the GDPR
