- with readers working within the Retail & Leisure industries
- within Consumer Protection, Employment and HR and Insurance topic(s)
Introduction
Businesses are increasingly adopting the use of Emerging Technologies to improve efficiency and decision-making. While these technologies offer clear commercial benefits, they also involve the processing of Personal Data and therefore raise important legal and regulatory considerations.
This newsletter outlines key legal and regulatory issues businesses should consider when using Emerging Technologies to process Personal Data in Nigeria.
- What Are Emerging Technologies?
Emerging Technologies are new or fast-developing digital tools that change how organisations collect, store, analyse, and use data. In the context of data processing, common examples include:
- Artificial intelligence (AI) and machine learning – systems that analyse data and make predictions or decisions, such as automated loan assessments or product recommendations.
- Cloud computing and software-as-a-service platforms – online systems used to store data or run business applications, including cloud-based email, payroll, or customer management tools.
- Biometric technologies – tools that use physical characteristics to identify people, such as fingerprint scanners or facial recognition systems.
- Internet of Things (IoT) devices – connected devices that collect data on an ongoing basis, including smart meters, CCTV systems, or vehicle tracking devices.
- Advanced data analytics and automated decision-making tools – technologies that analyse large data sets or make decisions with little human involvement, such as fraud detection or employee monitoring systems.
Inherently, the use of Emerging Technologies can increase privacy and data protection risks, including unauthorised access, misuse of data, or unfair outcomes for individuals.
- What are Key Legal and Regulatory Considerations?
In Nigeria, Personal Data processing is primarily regulated by the Nigeria Data Protection Act, 2023 (NDPA). The General Application and Implementation Directive (GAID) issued by the Nigeria Data Protection Commission (NDPC) provides additional guidance on how organisations should apply the law in practice, particularly with respect to the use of Emerging Technologies (Articles 43 and 44 of the GAID). In addition to the above, sector-specific rules may apply, particularly in regulated industries such as banking, telecommunications, healthcare, and fintech.
The following are some of the considerations when deploying Emerging Technologies in data processing:
a. Lawful Basis for Using Data
Businesses must have a valid legal basis for collecting and using Personal Data. Common lawful bases include consent, contractual necessity, and legal or regulatory obligations.
Emerging Technologies often make it easy to reuse data for new purposes, such as analytics, product development, or AI training. However, data collected for one purpose should not be used for a different purpose unless:
- the new use is compatible with the original purpose, or
- additional consent is obtained or a legal basis is justified.
Businesses should therefore clearly explain to data subjects how data collected will be used.
b. Automated Decision-making
Many Emerging Technologies rely on automated decision-making, for example in credit scoring, fraud detection, employee monitoring, or targeted advertising.
The law does not prohibit automated decisions, but it requires businesses to:
- be transparent about how decisions are made,
- ensure decisions are fair and not discriminatory, and
- put safeguards in place where decisions significantly affect individuals.
The GAID specifically provides that such tools should be designed to respect data subject rights, including the right not to be subject to solely automated decisions, and to allow data subjects to exercise the right to be forgotten where feasible.
c. Assessment of Risks Before Deploying New Technologies
Where the use of technology may pose higher risks to individuals, businesses are expected to assess those risks in advance. This is commonly done through a Data Protection Impact Assessment (DPIA).
DPIAs are particularly relevant when using:
- AI or machine learning systems,
- biometric technologies such as facial recognition,
- large-scale monitoring or profiling tools, or
- new or untested technologies.
Conducting a DPIA helps identify potential risks early and mitigate against those risks prior to deployment. It also demonstrates responsible data governance. DPIAs should be carried out in controlled environments, with repeated adjustments if risks are identified, and the completed assessments filed with the NDPC as part of compliance audit report.
d. Management of Cloud and Cross-Border Data Transfers
Many technology solutions involve storing or processing data outside Nigeria, especially through cloud service providers.
Under the NDPA, a person or entity that determines the purposes and means of processing Personal Data ( a Data Controller), remains responsible for compliance even where third-party or foreign service providers are engaged for processing. Businesses should therefore:
- understand the location where data is stored and accessed;
- ensure appropriate safeguards are in place for cross-border transfers, and
- include clear data protection obligations in vendor contracts.
e. Strong Security and Governance Measures
Emerging Technologies can increase cybersecurity and data breach risks. Businesses are expected to implement security measures that are appropriate to the nature of the data and the technology used.
This includes:
- securing systems and networks,
- carefully selecting and monitoring technology vendors,
- clearly assigning data protection responsibilities, and
- training staff on responsible data handling.
The GAID reinforces that the more complex, sensitive or high-risk the technology, the stronger the expected safeguards.
f. Plan for Regulatory Developments
Nigeria's digital and data protection landscape continues to evolve, including ongoing discussions around AI and digital governance. Businesses should adopt a privacy-by-design approach, ensuring data protection considerations are built into technology decisions from the outset.
Conclusion
Emerging Technologies can deliver significant value to businesses, but they must be deployed responsibly. While the issues highlighted above are not exhaustive, organisations that understand and comply with applicable laws—including the NDPA, the GAID, and relevant sector-specific regulations—will be better positioned to manage legal risk, build trust, and innovate confidently within Nigeria's growing digital economy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
