A decade ago, little was said about what happened to users’ personal data when they filled out an online form or used a mobile app. As a result, most Nigerians were unaware of the need for data privacy.
However, startups were booming across Africa, tech hubs were growing, and smartphones were becoming a part of everyday life.
Behind all the excitement, there was one major challenge: no one was watching how user data was collected, stored, or shared.
Back then, if a company leaked a user’s details or sold their email to a third-party marketer, the user’s options were limited. This was because there were no clear laws to protect users, and even if policies were written somewhere, they were often ignored. Data protection wasn’t on the radar. It was a luxury found only in places that seemed to take it seriously, such as countries in Europe.
That was before scandals like Cambridge Analytica made headlines.
In 2018, it was revealed that the personal data of millions of Facebook users, some of them Nigerians, was compiled and used to influence political campaigns. The news sent shockwaves across the world and gave African countries, including Nigeria, a wake-up call. It was time to start treating data protection as a real issue.
The road to GAID 2025
Fast forward to 2023: the Nigeria Data Protection Act (NDPA) became law, laying the foundation for stronger user rights and accountability. But the real shift came with the General Application and Implementation Directive (GAID) 2025, a national strategy document that introduced more detailed obligations for organisations, including mandatory Data Protection Impact Assessments (DPIAs) and the appointment of Data Protection Officers (DPOs), even for small startups.
For many early-stage startups, these new rules seemed like too much, too soon. Startups are faced with questions about how to afford a full-time DPO when seed funding hasn’t been raised.
“It’s a valid concern,” says Vanessa Obi, a data protection consultant and legal expert who has played a key role in shaping data governance practices at Banwo and Ighodalo.
Obi explains that startups often operate with lean teams and tight budgets. “So requirements like conducting DPIAs and appointing a DPO might feel like added pressure,” she tells Techpoint Africa.
But the story doesn’t end there. Data protection consultants have argued that the requirements aren’t meant to stifle innovation but to build trust and responsibility from day one.
“At the heart of these rules is the protection of people — their rights, their privacy, and their trust,” Obi says. “Startups are building products and services that rely on user data, so it makes sense that they are also expected to assess the risks involved and take steps to manage them.”
Consultants argue that having someone, internal or external, who understands data privacy is important, even if that person is part-time or outsourced. “It means users can ask questions, raise issues, and feel secure in how their personal information is being handled.”
A practical solution is to work with licensed Data Protection Compliance Organisations (DPCOs) rather than hire a full-time DPO, which helps businesses stay compliant while allowing them to focus on growth. “Over time, as startups grow, they can build their own in-house capacity.”
Beyond the letters
Nigeria’s data protection law already gives citizens several enforceable rights — the right to access their data, correct it, delete it, or object to how it’s used. But having rights on paper isn’t enough. People need tools to exercise those rights easily.
One such tool is the Standard Notice to Address Grievance (SNAG) introduced by GAID 2025. It’s a simple form that allows citizens to raise complaints or make requests without needing legal knowledge.
“It’s a step towards making data protection more accessible and less intimidating for the average person,” according to Obi.
Where the law still falls short
Still, GAID 2025 is not without its gaps. One major challenge is in cross-border data transfers. In a world where servers are hosted overseas and tech companies operate across borders, it’s unclear how Nigeria can enforce its rules on global platforms.
Obi notes that while Nigeria’s judicial system is evolving, it still lacks the experience and resources to handle complex cross-border data disputes. “We have seen some good cases around local data breaches or direct marketing issues, like the Meta-FCCPC matter,” she says. “But when it comes to data flowing across borders, especially within multinational corporations, the system is still catching up.”
So far, three main reasons have been identified for these shortcomings: the volume and complexity of data transfers, which make monitoring difficult; the bulk of transfers happening internally within big corporations, away from the public eye; and the fact that the judiciary is still learning about the technical and legal issues involved.
A shared responsibility
The future of data protection in Nigeria won’t be built overnight. It will take effort from regulators, courts, businesses, and individuals. GAID 2025 offers a roadmap, but the journey is just beginning.
Having helped build out a data practice at one of Nigeria’s leading firms, the consultant has seen how real compliance can be more than a burden. “When done right, it’s a powerful business asset,” Obi states. “It helps companies avoid costly mistakes, build customer loyalty, and operate with confidence.”