Nigeria is facing a sharp increase in data privacy breaches, with the Nigeria Data Protection Commission (NDPC) reporting a surge in investigations into unauthorised data access, identity theft, and non-transparent mobile app practices. Despite heightened regulatory oversight and the enforcement of the Nigeria Data Protection Act 2023, the country’s digital privacy landscape remains fragile, exposing millions to risks. This article explores the growing challenges, regulatory responses, and the urgent need for enhanced data protection measures in Nigeria.
Nigeria has witnessed a troubling rise in data privacy breaches, even as the Nigeria Data Protection Commission (NDPC) intensifies its regulatory efforts. The recently released 2024 NDPC Annual Report reveals a significant increase in investigations, with 213 cases recorded in 2024, up from 177 in 2023 and 117 in 2022. This surge highlights the growing challenge of securing personal data in Nigeria’s rapidly evolving digital economy.
According to data from Surf Shark, a Netherlands-based virtual private network firm, Nigeria ranks fourth among African countries with the most data breaches, recording 19,326,746 breached accounts in 2024. This equates to a rate of nine breaches per 100 people, underscoring the scale of the problem. Data breaches not only pose financial risks to businesses, particularly in sectors like finance and e-commerce, but also threaten national security by exposing sensitive government databases.
The NDPC report identifies several key areas of concern, including unauthorised access to personal data, identity theft, behavioural profiling, loss of personal data, and the use of artificial intelligence in decision-making without human intervention. Unauthorised access remains one of the most prevalent issues, with many organisations failing to implement robust security protocols. Identity theft has also become more sophisticated, with cybercriminals using stolen data to defraud individuals and financial institutions.
Behavioural profiling, particularly in the digital advertising sector, has drawn regulatory scrutiny due to the tracking of user activities without explicit consent. The report also highlights the severe consequences of poor data management, such as financial and legal difficulties faced by individuals due to the loss of personal records. Automated decision-making, especially in credit scoring and insurance underwriting, has raised concerns about transparency and fairness.
In response to the surge in breaches, the NDPC has introduced several regulatory measures to ensure compliance with data protection laws. One of the key initiatives is the General Application and Implementation Directive, which provides a comprehensive framework covering 42 areas of data protection, including audit filing requirements and compliance principles. The NDPC has also made it mandatory for Data Controllers and Processors of Major Importance to register, with over 36,052 organisations already complying.
The Commission has stepped up enforcement actions, launching targeted investigations into organisations that process personal data without proper user consent. Cross-border data transfers have also come under scrutiny, with the NDPC strengthening international collaborations by signing agreements with data protection authorities in Canada and the United Arab Emirates. These partnerships aim to ensure that Nigerian data is protected under global standards, even when processed outside the country.
Despite these efforts, compliance remains a significant challenge. Many organisations continue to exploit legal loopholes or neglect data protection requirements. The NDPC has adopted a restorative justice approach, encouraging businesses to implement corrective measures rather than imposing immediate penalties. However, with data breaches becoming more frequent, there is growing pressure on the Commission to impose stricter sanctions on non-compliant entities.
The cost of data breaches is staggering. Nigeria’s Consumer Awareness and Financial Enlightenment Initiative projects a $6 trillion loss to cybercrime by 2030, primarily due to phishing and identity theft. Beyond financial losses, data breaches erode public trust, as consumers become increasingly cautious about sharing personal information with organisations that have poor data governance practices. Reputational damage is another major risk, with high-profile breaches leading to customer attrition and loss of investor confidence.
A study by PSONO, a self-hosted password manager, ranks Nigeria sixth among the 10 countries least prepared for data security threats. This highlights the urgent need for businesses to prioritise data security and for regulators to address the challenges hindering effective enforcement. Low public awareness about data protection rights, inadequate compliance measures, and slow adoption of international best practices are among the key issues.
At the 2025 Global Privacy Day event in Abuja, the National Commissioner and CEO of the NDPC, Dr Vincent Olatunji, reiterated the Commission’s commitment to enhancing data privacy. He emphasised the importance of stricter data protection measures and the need for collaboration with international and local regulators to ensure compliance.
Experts have called for increased public awareness and education to address the rising tide of data breaches. Olugbile Hassan, a former data protection officer at the NDPC, attributes the surge in breaches to poor compliance, inadequate security controls, and a lack of awareness among businesses and individuals. He urges the NDPC to focus on public education and proactive governance to empower Nigerians to understand their privacy rights.
Similarly, Olugbenga Odeyemi, CEO of e86 Limited, criticises the NDPC’s approach, arguing that the Commission prioritises revenue generation over public education. He calls for nationwide awareness campaigns and publicly accessible guidelines to encourage compliance and reduce data breaches.
As Nigeria’s digital economy continues to expand, the need for robust data protection frameworks and enhanced consumer education has never been more urgent. While the NDPC has made significant strides in regulating data privacy, achieving a secure and privacy-conscious digital ecosystem will require continued collaboration between regulators, businesses, and the public. By prioritising data security and public awareness, Nigeria can mitigate the risks of data breaches and build a more resilient digital future.
Follow us on Instagram.
https://www.instagram.com/businessnewsng?igsh=ZXpweTdjOGF1ZXdu
