1 of 24

NAVIGATING THE FUTURE OF COMPLIANCE: Cybersecurity, Privacy & Regulatory Updates for 2025

Presented at the SmartComply Compliance & Cybersecurity Breakfast Session 2025

DR VINCENT O. OLATUNJI, CPPPS, CDPO, FIIM
NATIONAL COMMISSIONER/CEO, NIGERIA DATA PROTECTION COMMISSION (NDPC)

15th January 2025

NIGERIA DATA PROTECTION COMMISSION

2 of 24

DATA PROTECTION AND CYBERSECURITY: A Twin Pillar Approach

Data protection and cybersecurity are not just interconnected—they are inseparable pillars of the digital age.

  • Data protection ensures that personal information is collected, processed, and stored responsibly, respecting the rights and privacy of individuals.

  • Cybersecurity, on the other hand, focuses on safeguarding the digital assets and systems that house this data from unauthorized access, breaches, and malicious attacks.

  • Strong cybersecurity measures are essential to protect the confidentiality, integrity, and availability of personal data. Conversely, a robust data protection framework guides the implementation of effective cybersecurity controls and fosters a culture of privacy.

Together, they form the foundation of trust in the digital economy, and this demands that we approach both areas holistically.


3 of 24

KEY STATISTICS

  • According to DataReportal, a total of 5.52 billion people around the world were using the internet at the start of October 2024, equivalent to 67.5% of the world’s total population.

  • The number of connected devices grew from 10 billion in 2019 to approximately 18.8 billion at the end of 2024 and is projected to grow to 41.1 billion by 2030.


4 of 24

EMERGING TECHNOLOGIES DATA RELIANCE AND PRIVACY IMPLICATIONS

Emerging technologies are transforming industries by leveraging vast amounts of data, enhancing efficiency, and enabling innovation. However, this data dependency raises significant privacy concerns that must be addressed to protect individual rights and maintain trust.

  1. Artificial Intelligence (AI): AI systems require vast amounts of data to train algorithms and improve accuracy.
     • Privacy Implications: The collection and processing of personal data can lead to unauthorized access, profiling, and potential misuse if not properly managed.

  2. Internet of Things (IoT): IoT devices continuously collect data from users to provide seamless and personalized experiences.
     • Privacy Implications: IoT devices continuously collect data from users, often without explicit consent. The pervasive data collection can also result in surveillance concerns and unauthorized data sharing, compromising user privacy.

  3. Blockchain Technology: Blockchain relies on transparent and immutable ledgers to ensure trust and security in transactions.
     • Privacy Implications: Once data is on the blockchain, it can be difficult to delete or correct, conflicting with data protection principles like the right to rectification and erasure.


5 of 24

IMPACT OF CYBERCRIME & DATA BREACH

Cyberattacks and data breaches are becoming more sophisticated and widespread.

  • Cyberattacks were perceived to be the fifth most likely risk to present a material crisis on a global scale in 2024 (WEF)

  • Statistics predict that cybercrime will cost the global economy more than $20 trillion by 2026, a 1.5 times increase compared to figures in 2022 (Statista).

  • According to a report by IBM, the global average cost of a data breach in 2024 was $4.88 million, a 10% increase over the previous year and the highest total ever.

  • Nearly half of all breaches involved customer personally identifiable information (PII), which includes tax identification (ID) numbers, emails, phone numbers and home addresses.


6 of 24

SKILLS SHORTAGE AND THE FUTURE OF JOBS

According to the World Economic Forum:

  • 92 million jobs will vanish by 2030 and 170 million new jobs will be created.
  • 39% of today’s skills will be outdated. In Nigeria, a projected 41% of core skills are expected to change over the next few years.
  • There is a global skills shortage of nearly 4 million cybersecurity experts, with this deficit set to grow amid an increase in demand for cyber professionals.

  • IBM estimates that the cybersecurity skills gap contributed a $1.76 million increase in average breach costs in 2024.

  • Data privacy skills gap affects 94% of businesses across Europe (ISACA)

  • In Nigeria, there is a significant data protection talent gap of approximately 490,000 Data Protection Officers (DPOs), with over 500,000 businesses in Nigeria requiring DPOs and only around 10,000 certified.
  • Top skills in demand globally are AI literacy, problem-solving, and cybersecurity (WEF).


7 of 24

NIGERIA’S CYBERSECURITY STATUS

According to the 2024 Global Cybersecurity Index, Nigeria was placed in Tier 3 ("Establishing"), signifying a developing level of cybersecurity commitment.

The GCI assessed national efforts across five pillars: legal, technical, organizational, capacity development, and cooperation.

Strengths:

  • Strong legal and regulatory framework.
  • Growing investments in cybersecurity infrastructure and technology.

Areas for Improvement:

  • Enhancing organizational capacity and coordination.
  • Strengthening cybersecurity education and workforce development.
  • Fostering local and international cooperation and information sharing.


8 of 24

GLOBAL TRENDS SHAPING THE FUTURE OF COMPLIANCE

  • Increased Reliance on Digital Services: Individuals and organizations increasingly depend on digital services like online banking, e-commerce, remote work, and telemedicine, resulting in a hyper-connected world.

  • Emerging Technologies and Privacy Risks: The rise of emerging technologies such as AI brings incredible opportunities but also raises concerns about privacy, data misuse, and ethical challenges. Regulations are evolving to address these complexities.

  • Cross-Border Data Transfers: As businesses operate globally, navigating varying data protection laws and ensuring secure data transfers across borders is becoming increasingly critical.

  • Global Convergence in Data Protection Laws: We are seeing an alignment of global privacy standards, such as the GDPR in Europe, Nigeria’s NDPA, and other frameworks. This convergence offers opportunities for businesses to build scalable compliance models.

These trends highlight the urgent need for a forward-thinking approach to compliance—one that integrates cybersecurity, privacy, and regulatory adherence as core strategic imperatives.


9 of 24

EVOLUTION OF DATA PROTECTION LANDSCAPE IN NIGERIA


10 of 24

Nigeria Data Protection Act (NDPA) 2023.

  • On June 12, 2023, President Bola Ahmed Tinubu GCFR assented to the Nigeria Data Protection Act 2023, thereby establishing the Nigeria Data Protection Commission.
  • The NDP Act aims to regulate the processing of personal data in Nigeria and ensure the protection of individuals' privacy rights.
  • The act provides guidelines for the collection, use, and storage of personal data, including provisions for consent, data subjects' rights, data transfers, and penalties for non-compliance.
  • It also addresses the challenges posed by emerging technologies and their impact on data protection.


11 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE

1. Register as a Data Controller/Data Processor of Major Importance with the Commission.

Section 44.—(1) Data controllers and data processors of major importance shall register with the Commission within six months after the commencement of the Act or on becoming a data controller or data processor of major importance.

12 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

2. Ensure that personal data is processed in accordance with established data processing principles.


13 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

3. Ensure that processing of personal data is founded on a legal ground.


14 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

4. Safeguard the rights of data subjects and ensure that data subjects are able to exercise the following rights:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to be forgotten
  • Right to restrict processing
  • Right to object to the processing of their personal data
  • Right to object to automated processing
  • Right to complain to the Commission


15 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

5. Implement technical and organizational measures.

Section 39 NDPAct

“A data controller and data processor shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access”

Technical Measures:

  • Encryption
  • Access Control
  • Data Masking
  • Firewall and Intrusion Detection Systems
  • Regular Software Updates
  • Data Backups
  • Secure Coding Practices
  • Endpoint Security
  • Data Classification
  • Vulnerability Management

Organizational Measures:

  • Data Protection Policy
  • Data Protection Officer (DPO)
  • Employee Training
  • Data Inventory
  • Data Privacy Impact Assessments (DPIAs)
  • Incident Response Plan
  • Third-Party Risk Management
  • Data Retention Policies
  • Regular Audits and Assessments
  • Privacy by Design


16 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

6. Engage a Data Protection Compliance Organization (DPCO) to carry out the annual audit filing on behalf of the Data Controller.

The NDP Act introduced a Public Private Partnership (PPP) model where Data Protection Compliance Organizations (DPCOs) are licensed to provide a range of services related to data protection compliance and privacy. Some of their services include the following:


17 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

7. Report data breaches.

Section 40 NDPAct

“Where a personal data breach has occurred with respect to personal data being stored or processed by a data processor, the data processor shall, on becoming aware of the breach —

(a) notify the data controller or data processor that engaged it, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned; and

(b) respond to all information requests from the data controller or data processor that engaged it, as they may require to comply with their obligations under this section.

(2) A data controller shall, within 72 hours of becoming aware of a breach which is likely to result in a risk to the rights and freedoms of individuals, notify the Commission of the breach....”

Data Processor’s Immediate Actions:

  • Notify the data controller or the engaging data processor about the breach.
  • Provide details of the breach, including the types of data and number of individuals affected.

Data Controller’s Responsibilities:

  • Inform the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach.
  • Describe the breach, including categories and approximate numbers of data subjects and records concerned.

Communication to Data Subjects:

  • If the breach poses a high risk to individuals’ rights and freedoms, notify affected data subjects immediately.
  • Use clear language to explain the breach and advise on mitigation measures.
  • If direct communication is impractical, use public media to ensure data subjects are informed.


18 of 24

STRATEGIES FOR NAVIGATING COMPLIANCE (cont’d)

  1. Carry out awareness and capacity building on data protection for staff, and obtain relevant certifications such as the Nigeria Data Protection professional certification;
  2. Designate a senior officer as a Data Protection Officer (DPO);
  3. Send the name and contact of its DPO to NDPB; and
  4. Direct contractors, vendors or licensees to comply with the NDP Act.


19 of 24

Benefits of Compliance

Trust and confidence

Compliance with the NDP Act goes beyond legal obligations; it represents a commitment to ethical data handling.

Non-compliance can lead to substantial fines, legal consequences, and damage to an organization's reputation.

Global competitiveness

As data privacy regulations continue to evolve globally, adherence to such regulations becomes crucial for organizational sustainability.


20 of 24

Enforcement

The NDPC is empowered to enforce the NDPA in the following ways:

  • Complaints and investigation
  • Compliance orders
  • Enforcement orders
  • Offences and penalties
  • Judicial review
  • Civil remedies
  • Forfeiture
  • Joint and vicarious liability


21 of 24

Provisions of the NDPAct 2023 - Penalties

The NDPC has the power to impose a penalty or remedial fee ranging between —

(a) The “higher maximum amount” (in the case of a data controller/processor of major importance) shall be the greater of N10,000,000, and 2% of its annual gross revenue in the preceding financial year.

(b) The “standard maximum amount” (in the case of a data controller/processor not of major importance) shall be the greater of N2,000,000, and 2% of its annual gross revenue in the preceding financial year.


22 of 24

ROLE OF NDPC IN 2025

  • Intensify the enforcement of the provisions of the Nigeria Data Protection Regulation and take appropriate action against non-compliant organizations.
  • Capacity building and awareness.
  • National Data Protection Officer Certification for certifying professionals to meet global standards in data protection practices.
  • Strengthen partnerships with Data Protection Compliance Organizations (DPCOs).
  • Provide guidance and support to organizations on data protection best practices.
  • Collaborate with stakeholders (government, industry, academia) to foster a robust data protection ecosystem.


23 of 24

Conclusion

In conclusion, the future of compliance lies in the seamless integration of cybersecurity, privacy, and regulatory adherence.

By embracing a culture of data protection, implementing robust cybersecurity measures, and staying abreast of evolving regulatory landscapes, organizations and individuals can mitigate risks, safeguard their assets, and build a foundation for sustainable growth.

The NDPC remains committed to providing guidance, fostering collaboration, and ensuring a data-driven and secure future for all Nigerians.


24 of 24

Thank you for Listening

Website: www.ndpc.gov.ng

Email: info@ndpc.gov.ng

Kindly scan code to view the Nigeria Data Protection Act 2023

: ndpcngr

: ndpcngr

: ndpcnigeria
