About Us
Global Law Experts Logo
Global Law Experts Logo

Find a Global Law Expert

Practice Area


Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.


posted 2 years ago


As data usage in Nigeria is fast becoming an inevitable part of business practices, the regulatory oversight of the National Information Technology Development Agency (NITDA) in protecting personal information now cuts across most sectors of the economy. More than ever before, it is important that all companies assess their practices in view of the Nigeria Data Protection Regulation (NDPR) to avoid penalties which could be as much as 1-2% of the annual revenue of the company.

In assessing the level of compliance by companies with the NDPR, NITDA requires companies to engage a licensed Data Protection Compliance Organisation (DPCO) to conduct a data protection audit and file the report with NITDA. Although the deadline for data protection audits for the audit year of 2020 to 2021 lapsed on June 30, 2021, companies who are yet to carry out the audit are encouraged to engage a DPCO who is empowered to apply and obtain specific extension for each company.

Companies who have been audited and therefore in good standing, are expected to continuously monitor their data protection practices, ensuring they remain compliant. In this article, we have itemised five things companies should do to properly monitor their data protection practices.

  1. Appoint a Data Protection Officer

Any company or organisation that meets the following criteria is expected to appoint a Data Protection Officer (DPO) within 6 months of commencing operation. The company:

  1. processes personal information of over 10,000 Nigerians;
  2. processes sensitive personal information in the regular course of its business;
  3. processes critical national information; or
  4. is a government agency or ministry.

The DPO is to be knowledgeable in data protection; and will be responsible for monitoring compliance with the NDPR, advising the management, employees and third-party privy to personal information, and acting as the primary contact person for NITDA.

  1. Conduct Data Protection Impact Assessment

A data protection impact assessment (DPIA) is a process carried out by the DPO to assess and minimise the possible risk to a data processing activity. For a company launching a new business process or activity which would involve the use of sensitive information or heavy use of personal information of individuals, the DPO of the company is to carry out a DPIA to identify, evaluate and minimise possible data protection risks. This will help companies address the risks in the processes and ensure continuous compliance with the NDPR.

  1. Carry Out Regular Internal Audit

A company may monitor its compliance level by carrying out a periodic internal audit of its data protection practices to map, identify systems and improve these practices.

  1. Conduct Periodic Due Diligence on Third Party

Under the NDPR, a company that qualifies as a data controller will be responsible for the actions of its data processors (data administrators) i.e. third parties using personal information to provide services to the business. Consequently, companies are expected to conduct due diligence on the third party to ensure their data processing practices are in line with the NDPR.

  1. Submit to an Audit by a Licensed Data Protection Compliance Organisation

All companies that collect or process the personal information of over 1,000 individuals are required to submit to a data protection audit by a DPCO. The DPCO shall review the data protection documentation of the company, assess the systems and practices of the company and assess the knowledge of the staff before providing recommendations.


It is advisable for companies with the personal information of Nigerians (including foreign companies) to ensure such information is processed in compliance with the NDPR to avoid regulatory sanctions. These companies are further advised to implement these five steps to ensure their continued compliance with the NDPR.

Pavestones is a full-service law practice and a licensed DPCO supporting Nigerian and foreign clients. For more articles on data protection or clarity on our article above, contact Pavestones at [email protected]

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Practice Area
0 m+


who are already getting the benefits

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

Newsletter Sign Up

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Contact Us

Stay Informed

Join Mailing List