Best Practices for Responding to Data Breaches and Security Incidents

Introduction

Data breaches are no longer speculative threats; they are present-day realities that confront organisations across all sectors. The Nigeria Data Protection Act (NDPA) 2023 addresses this challenge by establishing a regulatory framework that prioritises preventive safeguards, prompt incident reporting, and data subject rights. But how well do organisations understand their obligations under this law when a breach occurs?

In this article, we unpack what the NDPA requires, highlight lessons from recent Nigerian cases, and outline practical steps every business should take before—and after—a data breach occurs.

The Importance of Timely Detection and Containment

The first step in responding to a data breach is detection. Organisations must deploy systems capable of identifying anomalies that may indicate potential violations. The NDPA, under Section 39(1), mandates that data controllers implement “appropriate technical and organisational measures” to ensure data security¹.

The 2022 PLASCHEMA data leak, which exposed the health-related personal data of over 37,000 Nigerians due to misconfigured Amazon Web Services (AWS) servers, highlights the risks associated with inadequate internal monitoring.² Although external researchers flagged the issue, the vulnerability persisted for nearly four months. This delay in containment escalated the potential harm.

Once a breach is detected, containment should begin immediately to prevent further compromise. The longer the exposure, the greater the risk—and the higher the scrutiny from regulators.

Assessing Risk and Regulatory Thresholds for Notification

After identifying a breach, organisations must assess whether the incident is likely to result in a risk to the rights and freedoms of the individuals concerned, referred to as data subjects. This involves determining whether the incident could result in harm, such as financial loss, identity theft, or reputational damage.

Section 40(7) of the NDPA adopts a risk-based approach similar to global standards like the EU’s GDPR.³ Not every breach must be reported to the Nigeria Data Protection Commission (NDPC), but failing to assess or document the decision can itself become a compliance issue. This step should not be skipped or downplayed; it is crucial. A written risk analysis should be prepared for every breach, even those deemed minor.

Regulatory Notification: The 72-Hour Rule

If the risk to individuals is significant, organisations must notify the NDPC within 72 hours of becoming aware of the breach, as required by Section 40(2) of the Act.⁴ This deadline underscores the importance of being prepared.

In the Fidelity Bank case, the NDPC imposed a ₦555.8 million fine for breaches that included failing to adhere to lawful consent practices⁵. Though not explicitly tied to breach notification, the case reinforces that enforcement can arise from layered non-compliance—where poor data handling meets inadequate breach response.

Organisations must designate a responsible officer, such as a Data Protection Officer (DPO) or compliance manager, who is empowered to lead the response, communicate with regulators, and make prompt notification decisions within this timeframe.

Communicating with Data Subjects

Where the risk to data subjects is high, Section 40(3) mandates direct communication with those affected⁶. This is often the most delicate part of the response: conveying bad news while maintaining credibility.

Many companies delay or underreport incidents to protect their reputations. However, transparency often reduces reputational fallout and strengthens credibility. Notifications must be clear, timely, and explain:

  • What happened
  • What data was affected
  • What the company is doing in response
  • What individuals can do to protect themselves

Documentation and Internal Accountability

Even when notification is not required, Section 40(8) mandates that all data breaches be documented⁷. This record-keeping ensures accountability and prepares organisations for future audits or investigations.

By maintaining a breach register, organisations can identify recurring vulnerabilities—whether in technology, staff practices, or third-party systems.

Beyond Response: Implementing Remedial Measures

Response without remediation is incomplete. Once a breach is resolved, organisations must review their systems, revise policies, and retrain staff to prevent recurrence.

The XpressVerify breach in March 2024, which exposed government-linked personal data for as little as ₦100, highlighted serious lapses in data access control mechanisms⁸. The incident demonstrated how breaches can arise not only from carelessness but also from the deliberate commercialisation of personal data—a clear violation of the NDPA’s requirement for fair and lawful processing.

The best practice here is to conduct a post-incident review that informs both technical upgrades and staff training.

Preparation is Protection

Even with the best systems, breaches can still happen. The key difference lies in how well an organisation is prepared to respond. Best practices include:

  • Having an internal incident response plan
  • Conducting simulation drills
  • Training staff regularly
  • Vetting the data protection practices of vendors and service providers

With the NDPC’s increasing enforcement activity, including joint fines such as the $220 million imposed on Meta Platforms Inc. by the FCCPC⁹, regulators are making it clear: data protection is not an optional aspiration but a legal obligation.

Conclusion

Data breaches will occur—even in well-run organisations. What matters is the speed, transparency, and accountability with which a business responds to its customers. The NDPA provides a clear, though strict, pathway for this. Companies that understand and operationalise these standards will not only avoid sanctions but also build long-term trust in a data-driven economy.

Quick Breach Response Checklist
  • 📌 Detect and contain the breach
  • 📌 Assess the risk to affected individuals
  • 📌 Notify the NDPC within 72 hours (if required)
  • 📌 Inform affected individuals (if the risk is high)
  • 📌 Document the breach and decision-making process
  • 📌 Review internal controls and implement remedial action

Disclaimer: This article is intended for general information purposes only. It does not constitute legal advice. Organisations should seek tailored advice from a qualified legal professional to address specific compliance needs.

For further information or assistance with data protection compliance and advisory services, please contact the Lex Luminar team at support@lexluminar.com

Footnotes
  1. NDPA 2023, Section 39(1).
  2. Wired, “The Deep Roots of Nigeria’s Cybersecurity Problem,” 2022. Link
  3. NDPA 2023, Section 40(7).
  4. NDPA 2023, Section 40(2), (4).
  5. Reuters, “Nigerian data agency fines Fidelity Bank for breaches,” August 22, 2024. Link
  6. NDPA 2023, Section 40(3), (4).
  7. NDPA 2023, Section 40(8).
  8. Paradigm Initiative, “Major Data Breach: Sensitive Government Data of Nigerian Citizens Available Online for Just 100 Naira,” June 20, 2024. Link
  9. Reuters, “Nigeria fines Meta $220 million for violating consumer, data laws,” July 19, 2024. Link