ARTICLE
8 July 2026

Data Protection And Corporate Accountability: The Overlooked Governance Metric

Compos Mentis Legal Practitioners

Contributor

Compos Mentis Legal Practitioners is a leading indigenous law firm. Established in 1985, the Firm has a proven track record of providing cutting-edge legal services in both domestic and cross border related matters to individuals, corporations, multinationals and state-owned enterprises across range of industry sectors including financial institutions and governments.
In today's digital economy, data has emerged as one of the most valuable corporate assets. Businesses routinely collect, process, store, and transfer vast amounts of personal information relating to customers, employees, contractors, and other stakeholders. While corporate governance discussions have focused on financial performance, regulatory compliance, board effectiveness, and environmental, social, and governance (ESG) considerations, data protection has often been treated as a purely technical or operational concern.
Nigeria Corporate/Commercial Law
Emmanuella Okudaje’s articles from Compos Mentis Legal Practitioners are most popular:
  • within Corporate/Commercial Law topic(s)
  • in European Union
  • in European Union
  • in European Union
  • in European Union
  • in European Union
  • in European Union
  • with readers working within the Retail & Leisure industries
Compos Mentis Legal Practitioners are most popular:
  • within International Law, Litigation, Mediation & Arbitration and Criminal Law topic(s)

Introduction

In today's digital economy, data has emerged as one of the most valuable corporate assets. Businesses routinely collect, process, store, and transfer vast amounts of personal information relating to customers, employees, contractors, and other stakeholders. While corporate governance discussions have focused on financial performance, regulatory compliance, board effectiveness, and environmental, social, and governance (ESG) considerations, data protection has often been treated as a purely technical or operational concern. Increasingly, however, regulators, investors, and stakeholders are recognising that data governance is intrinsically linked to corporate accountability. The consequences of poor data management extend beyond regulatory sanctions and financial losses. Data breaches, unlawful processing practices, and inadequate cybersecurity measures can significantly damage corporate reputation, erode consumer trust, and expose directors and officers to scrutiny. As a result, data protection is gradually evolving from a compliance obligation into a critical governance metric by which corporate responsibility is also assessed.

This article examines the relationship between data protection and corporate accountability, explores the legal and regulatory framework governing data protection in Nigeria, and considers the growing need or expectation that organisations integrate data governance into their broader corporate governance structures.

The Legal and Regulatory Framework for Data Protection in Nigeria

The right to privacy is recognised under the Constitution of the Federal Republic of Nigeria 1999 (as amended)1, which guarantees the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications. This constitutional protection provides the foundation upon which modern data protection laws have developed.

The principal legislation on data protection is the Nigeria Data Protection Act, 2023 (NDPA).2 The Act establishes a comprehensive framework for the protection of personal data and regulates the processing of personal information by both public and private entities.3 It also creates obligations for data controllers and data processors to process personal data lawfully, fairly, and transparently.4

The NDPA imposes several obligations on organisations, including the implementation of appropriate technical and organisational measures to safeguard personal data,5 the appointment of data protection officers where necessary,6 compliance with data subject rights,7 and the reporting of data breaches within prescribed timelines.8

Beyond the NDPA, sector-specific regulations issued by financial, telecommunications, and healthcare regulators further reinforce data protection obligations. In the financial services sector, the Central Bank of Nigeria’s Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (2022) and related consumer protection frameworks impose stringent requirements on cybersecurity governance, customer data confidentiality, and incident reporting obligations.9 In the telecommunications sector, the Nigerian Communications Commission’s Consumer Code of Practice Regulations 2007 and the Registration of Telephone Subscribers Regulations 2022 regulate the collection, storage, and use of subscribers’ personal data, while also imposing confidentiality obligations on service providers.10 In the healthcare sector, the National Health Act 2014, together with the ethical standards set out in the Medical and Dental Council of Nigeria’s Code of Medical Ethics, impose strict duties of confidentiality in respect of patient health information and medical records.11 Thus, compliance with data protection requirements is no longer a matter of best practice but a legal obligation with significant regulatory implications.

Data Protection as a Corporate Governance Issue

Corporate governance has been associated with mechanisms that promote transparency, accountability, and responsible management within organisations.12 However, as corporate operations become increasingly digitised, data protection has emerged as an essential component of effective corporate governance.

Data governance encompasses the policies, procedures, and accountability mechanisms that determine how data is collected, processed, shared, and secured within an organisation.13 These decisions are rarely confined to information technology departments. Rather, they often involve strategic considerations relating to risk management, regulatory compliance, corporate reputation, and stakeholder trust, all of which are central to the sustainability of modern enterprises.

Boards of directors are expected to exercise oversight over material risks affecting their organisations, including the identification, assessment, monitoring, and mitigation of strategic, operational, financial, legal, regulatory, cybersecurity, and reputational risks that may threaten the company’s performance or long-term sustainability.14 This responsibility extends beyond passive supervision to active engagement in setting risk appetite, approving governance frameworks, ensuring the adequacy of internal control systems, and holding management accountable for the effective implementation of risk management policies across all levels of the organisation.

Against this backdrop, data protection has become an integral aspect of corporate risk governance. Given the significant financial, legal, and reputational consequences of data breaches, cyber incidents, and privacy violations, it properly falls within the scope of board-level oversight. Failure to implement adequate data governance structures may therefore be viewed not merely as an operational weakness but as a deficiency in corporate governance itself.

Increasingly, stakeholders evaluate organisations not merely by their profitability but by their ability to responsibly manage information entrusted to them.15 Consequently, data protection has emerged as a key indicator of corporate integrity, accountability, and long-term organisational resilience.

Emerging Trends in Data Protection and Corporate Accountability

Globally, regulators are adopting increasingly stringent approaches to data protection enforcement. This is most clearly evidenced by the enforcement practice under the European Union’s General Data Protection Regulation (GDPR), which empowers supervisory authorities to impose substantial administrative fines for unlawful processing, insufficient security measures, and failure to comply with core data protection principles.16 These enforcement mechanisms reflect a broader international shift toward strengthening corporate accountability for data-related misconduct and ensuring that organisations adopt proactive compliance frameworks rather than reactive responses.

A further notable trend is the growing recognition of cybersecurity as a core corporate governance issue. Cybersecurity incidents have repeatedly demonstrated systemic weaknesses in organisational controls, internal audit functions, and enterprise risk management systems.17 As a result, regulators and standard-setting bodies increasingly expect boards and senior management to exercise active oversight of cybersecurity risk, including preparedness, incident response planning, and continuous monitoring of digital infrastructure.18 This expectation is reflected in global governance guidance that integrates cybersecurity into enterprise risk governance and board-level accountability structures.19

Investors and environmental, social, and governance (ESG) stakeholders are also placing greater emphasis on data privacy and information governance as material non-financial risk indicators. Empirical evidence shows that data breaches can negatively impact market valuation, erode consumer confidence, and undermine long-term business sustainability.20 Consequently, data protection and cybersecurity governance are increasingly incorporated into ESG evaluation frameworks and investment decision-making models, particularly in relation to risk-adjusted returns and reputational risk exposure.

Furthermore, rapid advancements in artificial intelligence, automated decision-making systems, and cross-border data transfers have introduced new regulatory and compliance complexities. The Organisation for Economic Co-operation and Development (OECD) has recognised that AI systems raise significant governance challenges, particularly in relation to transparency, accountability, and privacy protection.21 Similarly, the GDPR imposes strict rules on automated decision-making and cross-border data transfers, requiring organisations to implement appropriate safeguards when processing personal data outside the jurisdiction of origin.22 Thus, organisations are increasingly required to balance technological innovation with privacy compliance, ensuring that emerging technologies are deployed in a manner that is both responsible and legally compliant.

The Consequences of Poor Data Governance

The impact of poor data governance extends well beyond the imposition of regulatory fines. Organisations that fail to adequately protect personal data may face civil liability, reputational harm, and significant loss of consumer trust, particularly where breaches involve sensitive or large-scale personal information.23 A major data breach can result in substantial financial losses arising from incident response and remediation costs, legal expenses, regulatory investigations, and compensation claims.24 In many cases, the reputational damage suffered by organisations following a data breach may exceed the direct financial penalties imposed by regulators, reflecting the centrality of trust in modern data-driven economies.25

Poor data governance may also expose directors and senior management to scrutiny regarding the adequacy of their oversight and risk management functions. Under contemporary corporate governance frameworks, boards are expected to ensure that appropriate systems are in place to identify, assess, and mitigate material data-related risks, including cybersecurity and privacy risks.26 As regulatory expectations continue to evolve, failure to demonstrate effective governance structures may be treated as a deficiency in board-level oversight responsibilities. Furthermore, organisations that fail to prioritise data protection risk losing competitive advantage in an environment where consumers, investors, and regulators increasingly value transparency, privacy, and accountability. In this regard, trust has become a critical corporate asset, and robust data protection practices are central to sustaining long-term organisational resilience.

Strengthening Corporate Governance and Compliance in Data Protection

A robust approach to data protection requires organisations to embed privacy considerations within their broader governance and risk management architecture, which includes the following:

1. Data Protection as a Strategic Governance Issue

Data protection should no longer be viewed solely as a legal or technical obligation but as a core element of corporate governance and enterprise risk management. Boards of directors are expected to integrate data protection risks into overall risk frameworks, ensure regular reporting on cybersecurity preparedness and compliance obligations, and oversee organisational data governance structures as part of their fiduciary responsibility.

2. Board-Level Oversight and Accountability Structures

Effective governance requires clear accountability structures for privacy compliance within organisations. This includes defined roles and responsibilities, adequate internal controls, and continuous employee awareness and training programmes. Boards must also ensure that data protection remains a standing item on governance agendas, with regular updates on emerging risks and compliance performance.

3. Compliance Mechanisms and Risk Management Tools

Organisations must institutionalise practical compliance tools such as regular audits, privacy impact assessments, and incident response planning. These mechanisms help identify vulnerabilities early, ensure regulatory compliance, and strengthen organisational resilience against data-related risks.

4. Regulatory Enforcement

Regulators should strengthen enforcement mechanisms and encourage proactive compliance cultures that align data protection with broader corporate governance standards.

Conclusion

Data protection has moved beyond mere compliance to become a key performance indicator of corporate accountability and effective governance in data-driven organisations. The Nigeria Data Protection Act 2023 reinforces this shift, but compliance alone is insufficient. Organisations must integrate data protection into governance structures, risk management, and strategic decision-making. In an era defined by trust and transparency, strong data governance enhances risk management, strengthens stakeholder confidence, and supports long-term sustainable growth for corporate bodies.

Footnotes

1 The 1999 constitution (As Amended), S.27.

2 Nigeria Data Protection Act 2023, Act No. 37 of 2023.

3 Nigeria Data Protection Act 2023, ss. 1–3.

4 Nigeria Data Protection Act 2023, ss. 24–30.

5 Nigeria Data Protection Act 2023, s. 39.

6 Nigeria Data Protection Act 2023, s. 32.

7 Nigeria Data Protection Act 2023, ss. 34–38.

8 Nigeria Data Protection Act 2023, s. 40.

9 Central Bank of Nigeria, Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (2022); Central Bank of Nigeria, Consumer Protection Framework (2019).

10 Nigerian Communications Act No. 19, (2003), Consumer Code of Practice Regulations (2024); Nigerian Communications Act No. 19, (2003), Registration of Telephone Subscribers Regulations (2022).

11 National Health Act 2014, s 26; Medical and Dental Council of Nigeria, Code of Medical Ethics in Nigeria (2008).

12 Organisation for Economic Co-operation and Development (OECD), G20/OECD Principles of Corporate Governance (2023); Nigerian Code of Corporate Governance 2018.

13 International Organization for Standardization, ISO/IEC 38500:2015 Governance of IT for the Organisation; International Organization for Standardization, ISO/IEC 27001:2022 Information Security Management Systems.

14 Nigerian Code of Corporate Governance 2018, Principle 1.

15 OECD, G20/OECD Principles of Corporate Governance (2023); European Union, General Data Protection Regulation (Regulation (EU) 2016/679), recital 85.

16  Regulation (EU) 2016/679, arts 5, 32, 83.

17 World Economic Forum, Global Risks Report 2024 (WEF 2024).

18 US Securities and Exchange Commission, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rule, 2023).

19 Organisation for Economic Co-operation and Development (OECD), Digital Security Risk Management for Economic and Social Prosperity (2015).

20 Daffron, et al, Cyber Security Cost Effectiveness for Business Risk Reduction; 2022; Cambridge Risk Framework series; Centre for Risk Studies; University of Cambridge, page 28.

21 OECD, Artificial Intelligence Principles (2019).

22 Regulation (EU) 2016/679 (GDPR) arts 22, 44–50.

23 Regulation (EU) 2016/679 (General Data Protection Regulation) arts 82–83; World Economic Forum, Global Risks Report 2024 (WEF 2024).

24 IBM Security, Cost of a Data Breach Report 2024 (IBM 2024).

25 Daffron, et al, Cyber Security Cost Effectiveness for Business Risk Reduction; 2022; Cambridge Risk Framework series; Centre for Risk Studies; University of Cambridge, pages 28-30.

26 OECD, Digital Security Risk Management for Economic and Social Prosperity (2015).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More