A few years ago, Clive Humby coined the expression, "data is the new oil'. He used the metaphor to explain how data is a resource that is useless if left 'unrefined' as it is only when it is mined and analysed that it creates (potentially extraordinary) value. 1

Several organisations have realized the truth in that concept and have aggressively carried out several activities towards obtaining and processing data. Most companies have resorted to scraping data from platforms like Facebook, or collecting personal data from websites or through cookies that collects Internet Protocol ('IP) addresses; or some just simply buy the data2.

The collected data are mostly used as big data analytics to send proposals or advertisement to targeted clientele and generally, to aid marketing, among other reasons3.

Data Protection in Nigeria

On the 15th January, 2019, the Nigeria Data Protection Regulations ("NDPR") was issued by the National Information Technology Development Agency ("NITDA"). NITDA's duty is to ensure that organisations (Data Controllers, Data Administrators, and third parties contractors) comply with the provisions of the NDPR and protect the personal data of people.

What then is personal data? Personal data means any information relating to an identified or identifiable natural person4 ('Data Subject'); It can be anything from a name, address,  phone number,  email  address,  bank  details,  posts  on  social  networking websites, medical information, and other unique identifier such as a MAC address, IP address, IMEI number and IMSI number5.

So in the event that an organisation collects the personal data of its employees or requests that people sign up on their website or download software applications, the organisation must comply with the guidelines provided by the NDPR.

Data Protection Compliance Organisations ("DPCOs")

The NDPR provides that organisations are permitted to appoint Data Protection Compliance Organisations ("DPCOs") to assist them in complying with the requirements of the NDPR.

DPCOs are entities  licensed by NITDA to conduct trainings, auditing, consulting and rendering services for the purpose of compliance with the NDPR or any foreign Data Protection law or regulation having effect in Nigeria6.

A DPCO may be any of the following organisations:

a)Professional Service Consultancy firm

b)IT Service Provider

c)Audit firm

d)Law firm

AELEX is a licensed DPCO and can assist an organisation with the following highlighted matters:

Reporting to NITDA and compliance issues

The NDPR provides that organisations that process two thousand or more personal data of persons are required to give report to NITDA on or before the 15th March annually7. However, due to the COVID-19 pandemic, NITDA has made a declaration extending the audit deadline of organisations for the year 2020 from March 15, 2020 to May 15, 20208.

Furthermore, where a Data Controller that processes the data of more than 10,000 Data Subjects breaches their data privacy rights, it will be liable to pay a fine of 2% of the organisation's annual gross revenue of the preceding year or the payment of the sum of ten million naira, whichever is greater.  Conversely , where the Data Controller processes less than 10,000 Data Subjects, the penalty for not complying with the provisions of the NDPR is the  payment of 1% of the annual gross revenue or two million naira, whichever is greater9.

A DPCO would be able to effectively assist an organisation with the above mentioned reporting requirements and compliance issues.

Data Protection Audits/review of data protection policies

The DPCO can conduct data protection audits for organisations to ensure that their policies are up to date and compliant with the NDPR and other data protection regulations such as the General Data Protection Regulation (GDPR).

Capacity Building/Training Programs

The DPCO can conduct trainings for Data Controllers and Data Administrators on data protection/privacy practices.

Some other matters that AELEX as a DPCO can assist with include:

  1. Data protection and privacy advisory services
  2. Data Regulations contracts drafting and advisory
  3. Data protection and privacy breach remediation planning and support services
  4. Information privacy audit
  5. Data privacy breach impact assessment
  6. Data Protection and Privacy Due Diligence Investigation
  7. Outsourced Data Protection Officer


Consequently, it is advisable that organisations appoint a DPCO that will assist them in conducting audits and carry out their regulatory filings with NITDA.

If your organisation yet to audit its data protection practices, now may be the best time to engage one to eliminate the penalties of breach of the NDPR.


1 Adeola Adesina, Data is the new oil, accessed via

2 Here are the data brokers quietly buying and selling your personal information accessed via

3 Neste's Why we collect data about you accessed via

4 an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location  data,  an  online  identifier  or  to  one  or more  factors  specific  to  the  physical,  physiological,  genetic,  mental,  economic, cultural or social identity of that natural person; 

5 Article 1.3q of the Nigeria Data Protection Regulations 2019.

6 Article 1.3xiii of the NDPR, 2019

7 Article 3.1.7 of the NDPR, 2019

8 Andersen, NITDA Issues Notice On Filing of 2020 Annual Audit Report accessed via

9 Article 2.10 of the NDPR, 2019

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.