ARTICLE
16 July 2026

Data Protection Considerations in M&A Transactions

GE
G ELIAS

Contributor

We are a leading Nigerian business law firm founded in 1994 and now organized across 18 practice groups, covering 25 industry sectors. We are also a member of Multilaw, a leading global alliance of independent law firms in over 90 countries worldwide.
Data protection has evolved from a peripheral compliance issue to a core transaction risk factor in Nigerian M&A. With the Nigeria Data Protection Act 2023 and heightened regulatory enforcement...
Nigeria Corporate/Commercial Law
G ELIAS are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring, Insurance and International Law topic(s)
  • in United States
  • with readers working within the Business & Consumer Services industries

Data Protection Risk in Nigerian M&A

Introduction

In contemporary mergers and acquisitions (M&A), the focus of transaction teams has traditionally centred on valuation, financing structure, tax efficiency, and regulatory approvals. Personal data protection, while not excluded during the due diligence considerations had, prior to the enactment of the Nigeria Data Protection Act, 2023 (the “NDPA”) rarely featured as a distinct work stream. The introduction of a comprehensive data protection framework in Nigeria, coupled with the increasing commercial value of personal data and heightened regulatory enforcement, has fundamentally altered this position. Personal data is now recognised not only an operational asset but also as a significant source of legal and regulatory risk capable of affecting valuation, deal certainty, and post acquisition integration.

Consequently, data protection has become an integral component of M&A risk assessment rather than an incidental compliance issue. Buyers, sellers, and their advisers are increasingly expected to identify, assess, and allocate data protection risks throughout the transaction lifecycle, making data privacy due diligence a standard feature of modern Nigerian M&A practice.

Legal and Regulatory Landscape in Nigeria

Nigeria’s data protection framework is anchored on a combination of constitutional guarantees and statutory regulations. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 establishes the right to privacy.

The NDPA establishes the principal legal framework for lawful processing of personal data and applies to transactions where personal data of Nigerian data subjects is processed, or where processing activities occur within Nigeria.1 The enforcement mandate rests with the Nigeria Data Protection Commission (NDPC).2

The NDPC’s General Application and Implementation Directive (GAID), operationalises the NDPA by prescribing compliance obligations, classification thresholds for data controllers and processors, and detailed rules on cross-border data transfers and lawful processing.3

Notably, the extraterritorial scope of the NDPA is particularly relevant in cross-border M&A transactions, as foreign acquirers may become directly subject to Nigerian data protection obligations upon acquisition of a Nigerian target.

Data as a Transaction Asset and Liability

In today’s corporate environment, personal data, such as customer information, employee records, and vendor databases, forms a core component of enterprise value. This is particularly evident in sectors such as fintech, telecommunications, and e-commerce, where the scale, quality, and integrity of data often underpin commercial valuation.4

However, an M&A transaction extends beyond the transfer of shares or tangible assets. It also involves acquiring the target’s data processing activities, compliance practices, and any existing or potential regulatory exposure. As a result, personal data functions in two ways in M&A transactions: it is both a commercial asset being acquired and a regulatory liability being assumed.

This dual character makes personal data protection due diligence an essential part of the transaction review process. Buyers must go beyond confirming general compliance and assess the target’s data governance framework to identify and manage potential risks early in the deal lifecycle.

Data Protection in Due Diligence

Scope and Depth of Review

Due diligence is a critical component of M&A transactions, particularly where the volume and sensitivity of data heighten regulatory risk. Beyond identifying general commercial issues, it must include a structured and risk-based assessment of the target’s data protection and governance framework.

In most M&A transactions, the transfer of personal data is a key element of the deal, particularly employee and customer information. Under the NDPA, personal data includes information relating to an identified or identifiable individual. Accordingly, early-stage review of the target’s data protection compliance is essential to confirm that personal data is lawfully processed and adequately safeguarded, and to identify compliance gaps that may require remediation prior to completion.5

In practice, this involves assessing the nature and sensitivity of data processed by the target, the lawfulness of its processing activities, and the adequacy of its internal privacy and cybersecurity controls. Particular attention is typically given to whether the target qualifies as a data controller/processor of major importance which may trigger enhanced regulatory obligations and supervisory oversight under the NDPA.6

Regulatory Risk Identification and Deal Impact

From a transactional perspective, the objective of data protection due diligence is not merely to identify instances of non-compliance, but to assess and quantify risk in a manner that informs deal structuring and negotiation.

Certain issues commonly emerge as red flags, including the absence of a lawful basis for key processing activities, weak cybersecurity safeguards, undocumented or unresolved data breaches, and non- compliant cross-border data transfers. Where such risks are identified, they must be carefully evaluated in light of their potential legal, financial, and reputational impact on the transaction.

Depending on the severity, these risks may, where there is an active regulatory investigation, enforcement or an imposed fine, slightly affect the valuation of the transaction and necessitate specific indemnities or enhanced warranties, or require the inclusion of conditions precedent, such as the remediation of identified compliance gaps prior to completion. n.

Virtual Data Rooms and Controlled Disclosure

Virtual Data Rooms (VDRs) have become central to the due diligence process in modern M&A transactions, but their use introduces additional data protection considerations. While VDRs facilitate efficient and controlled information sharing, they often involve the disclosure of personal data to multiple parties, including external advisers and, in some cases, cross-border recipients.

To ensure compliance with the NDPA, such disclosures must be carefully managed, as VDR providers typically act as data processors.7 Accordingly, only information that is strictly necessary for the purpose of the transaction should be shared, in line with the principle of data minimisation. Where personal data is included in a VDR, appropriate safeguards must be applied. These typically include redaction or anonymisation of identifiers, encryption of stored data, and strict access controls limiting disclosure to authorised users only. Audit logs should also be maintained to monitor access and ensure accountability throughout the due diligence process.8

In addition, confidentiality undertakings entered into at the outset of the transaction should expressly address the handling of personal data within the VDR environment, including restrictions on use, onward disclosure, and retention.

Finally, VDR arrangements should incorporate clear assurances regarding compliance with applicable data protection obligations, including notification timelines to regulators and, where required, affected data subjects in the event of a personal data breach.

Enhanced Data Protection Due Diligence in Data-Intensive Sectors

In certain transactions, particularly those involving fintech, telecommunications and e-commerce businesses, data protection due diligence is necessarily more extensive because personal data forms a core operational asset of the target. These businesses typically process large volumes of financial, identity, communications and behavioural data, much of which attracts heightened protection under the NDPA and, in many cases, parallel obligations under sector-specific regulatory frameworks.

For example, fintech companies typically process financial information, Bank Verification Number (BVN)-linked identity records, payment credentials and credit data relating to large customer bases. These activities attract overlapping regulatory obligations under the NDPA, the Central Bank of Nigeria's regulatory framework and, where applicable, open banking requirements. Similarly, telecommunications companies process call data records, SIM registration information, subscriber identity data and location information on a large scale, while e-commerce platforms routinely process extensive customer profiles, payment information, transaction histories and behavioural data. Much of this information falls within the categories of personal or sensitive personal data recognised under the NDPA, thereby attracting more stringent compliance obligations and increasing the legal risks associated with any non-compliance.9

Accordingly, due diligence extends beyond the standard review of privacy policies and compliance documentation. Acquirers will ordinarily seek additional information relating to the target's data governance framework, data sharing arrangements, third-party processing relationships, sector- specific regulatory compliance and, where applicable, API integrations, cross-border data transfers and records of previous data breaches or regulatory investigations.

Where the target's data processing activities present significant regulatory or commercial risk, an independent data protection audit may be commissioned to provide an objective assessment of the target's compliance posture. Such an audit enables the acquiring party to verify representations made during due diligence and provides a stronger basis for negotiating appropriate warranties, indemnities and other contractual risk allocation mechanisms.

Cross- border Transfer of data during M&A

Cross-border data transfers frequently arise in M&A transactions where the acquiring entity, its advisers, or its parent company are located outside Nigeria. The transfer of personal data from Nigeria to another jurisdiction must comply with the safeguards under section 41 & 42 of the NDPA and schedule 5 of GAID.

Where personal data belonging to employees, customers, or vendors of the target company may be transferred to a prospective purchaser or its advisers located outside Nigeria, the receiving jurisdiction must be assessed to determine whether it provides an adequate level of data protection. The NDPC may determine that a country affords adequate protection where certain conditions are satisfied, including enforceable data subject rights, effective redress mechanisms, cooperative enforcement arrangements, and the existence of an independent supervisory authority with adequate powers.

In the absence of an adequacy finding by the NDPC, parties to cross-border M&A transactions involving the transfer of personal data out of Nigeria must, pending such finding, rely on the alternative transfer mechanisms prescribed under the NDPA- most practically, the use of standard contractual clauses, binding corporate rules where the transferee is within the same corporate group, or the explicit and informed consent of the data subjects concerned. Transaction counsel should, as a matter of practice, identify all anticipated cross-border data flows at the outset of due diligence, assess the legal basis for each transfer, and ensure that appropriate transfer mechanisms are documented and in place prior to completion.

Post Completion Provisions

a. Data migration compliance:

After the transaction is completed, personal data held by the target company is often migrated into the acquiring entity’s systems or integrated into shared data infrastructure. During migration and integration, organisations must ensure that the transfer and consolidation of databases comply with core data protection principles such as data minimisation, purpose limitation, and security of processing. Technical and organisational measures should be implemented to safeguard personal data during system integration, including encryption, access controls, and secure transfer protocols. Where integration involves cross-border cloud infrastructure, compliance with cross-border transfer requirements must also be ensured. Data Privacy Impact Assessments may be required for large-scale migrations.10

b. Post-Completion Compliance Audit:

The combined entity's data processing footprint will almost certainly expand post-completion, potentially pushing the merged organisation into a higher tier of regulatory obligation under the GAID's classification framework. Controllers and processors that process personal data of more than 200 data subjects in six months may be designated as of major importance, with further sub- categories. Ultra-High Level for data processors processing more than 5,000 data subjects or entities operating in major economic sectors; Extra-High Level for 1,000 to 4,999; and Ordinary- High Level for 200 to 999. Each category has its associated registration fees and obligations.11 Where thresholds are exceeded, the entity must reclassify, update its registration, and align compliance obligations accordingly.

c. Updating privacy policies, data retention practices and governance framework:

Updating privacy policies, retention frameworks, and governance structures is a critical post- completion obligation. Changes in ownership, control, and processing activities must be reflected in updated privacy notices, including identification of new controllers, processors, and recipients.

Where processing materially differs from original disclosures, fresh consent may be required. Retention policies must be reviewed to ensure lawful storage periods, and governance frameworks harmonised across the merged entity. This includes appointment or confirmation of a Data Protection Officer where required, staff training, and unified compliance oversight mechanisms.

Conclusion

Personal data protection is no longer a peripheral legal consideration in M&A transactions. It has evolved into a core transaction risk factor that influences valuation, structuring, execution certainty, and post-completion integration.

As regulatory enforcement under the NDPA continues to deepen, inadequate data governance is increasingly likely to affect not only compliance outcomes but also commercial negotiations and deal feasibility.

Accordingly, parties that integrate data protection analysis into every phase of the transaction lifecycle from due diligence through to post-completion integration are better positioned to manage risk, preserve value, and ensure regulatory alignment.

In modern M&A practice, data is no longer just part of the business being acquired. It is part of the risk being priced.

Footnotes

1 NDPA, s. 2

2 NDPA, s. 4-6

3 NDPC General Application and Implementation Directive 2025 (GAID), Preamble

4 https://africalawpartners.com/insights/mergers-and-acquisitions-m-and-a-in-the-face-of-data-protection/

5 Ann Bevitt, Cooley (UK) LLP, Data Protection in M&A: Under Lock and Key.

6 https://www.mondaq.com/turkey/data-protection/1763572/protection-of-personal-data-in-mergers-and-acquisitions

7 https://www.pwc.ch/en/insights/regulation/data-privacy-law.html

8 https://www.mondaq.com/turkey/data-protection/1763572/protection-of-personal-data-in-mergers-and-acquisitions

9 NDPA, S. 65.

10 NDPA, s. 28; NDPC-GAID, Art. 28.

11 NDPC-GAID, Schedule 7

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More