Personal Data Breaches in Nigeria: Legal Liabilities for Companies


I. Introduction

As in the rest of the world, the wave of digitisation has swept across Nigeria, particularly in banking, telecommunications and e-commerce. These changes have increased the volume of personal data generated and processed by companies. The speed of that adoption has left stakeholders in developing countries like Nigeria exposed to data breaches, often without effective remedies, whether because of weak enforcement or because the regulatory landscape has not yet evolved to meet these challenges. A data breach is a security incident in which an unauthorised party gains access to sensitive or confidential information and/or corporate data.[1] In Nigeria, corporate liability for such breaches is anchored in the Nigeria Data Protection Act 2023 (NDPA), which imposes both preventive and post-breach obligations. Data breaches take various forms, but this work is concerned only with breaches of personal data.

The NDPA defines ‘personal data’ broadly: any information relating, directly or indirectly, to an identified or identifiable individual (the data subject). It includes names, identification numbers, location data, online identifiers such as IP addresses, and factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity.[2] A personal data breach therefore occurs where security controls fail, resulting in the accidental or unlawful compromise of personal data. The consequences extend beyond technical remediation to legal exposure, reputational harm and regulatory action.

II. Legal Framework for Breach Liability

Although the Constitution of the Federal Republic of Nigeria 1999 (as amended) was enacted before the digital age, section 37 guarantees Nigerian citizens a fundamental right to privacy. This provision is the constitutional basis for the protection of personal data and lays the groundwork for data protection legislation and for the obligations it imposes on data controllers and processors.

The NDPA is Nigeria’s primary data protection law and applies to all data controllers and processors operating in Nigeria or processing the personal data of Nigerian residents.[3] It also establishes the Nigeria Data Protection Commission (NDPC) as the supervisory authority responsible for enforcement, compliance guidance and sanctions.[4]

Under section 40 of the NDPA, a data controller must notify the NDPC within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects.[5] Where the breach is likely to result in a high risk, the controller must also promptly inform the affected data subjects, describing the breach and the measures they can take to mitigate its adverse effects.[6] Failure to keep records of breach incidents, or to report in accordance with these provisions, exposes a company to regulatory sanctions and liability.

III. Corporate Liability for Personal Data Breaches

The NDPA exposes data controllers and processors to a range of liabilities for failing to process personal data in accordance with the Act. These range from administrative or regulatory sanctions such as fines, through civil liability in actions brought by affected data subjects, to criminal liability. Each form of liability is analysed below.

A. Regulatory Sanctions

Non-compliance with breach reporting and other statutory duties exposes companies to administrative sanctions. The NDPA empowers the NDPC to impose fines that vary with the scale of the controller’s operations and the severity of the non-compliance.[7]

These penalties may range from fixed sums to a percentage of annual gross revenue. A practical example is the ₦555.8 million fine imposed by the NDPC on Fidelity Bank for violations of the NDPA and the earlier Nigeria Data Protection Regulation (NDPR), following a data breach investigation.[8] The fine, approximately 0.1% of the bank’s 2023 annual gross revenue, was reported as the largest sanction the commission had imposed at the time.[9] The case illustrates that even major financial institutions face enforcement action where data privacy obligations are breached.

B. Civil Liability

In addition to administrative sanctions, companies may face civil liability where a breach infringes the rights of data subjects. The NDPA expressly allows data subjects to bring civil actions for compensation against the data controllers or processors responsible for unlawful processing or for a breach of privacy obligations.[10] Such claims may be founded on negligence or on breach of statutory duty, and may result in awards of damages for harm suffered as a result of compromised personal data.

C. Criminal Sanctions and Business Implications

The NDPA also contemplates criminal penalties for serious breaches or wilful non-compliance, although such sanctions are generally reserved for egregious conduct or repeat offences. Beyond statutory fines and criminal exposure, companies face reputational damage, loss of consumer trust and potential operational restrictions arising from publicised enforcement actions.

IV. Compliance and Mitigation Measures

To mitigate liability, Nigerian companies should embed strong data governance practices, including:

  • Conducting regular data security audits and risk assessments.
  • Implementing robust technical and organisational safeguards to prevent breaches.
  • Maintaining detailed incident records and demonstrating compliance readiness.
  • Ensuring timely breach notifications to the NDPC and affected data subjects, where required.[11]

Organisations should also appoint qualified privacy or compliance officers and integrate breach preparedness into their broader risk management frameworks.

V. Conclusion

Personal data breaches are an inherent risk of today’s digital economy, but Nigerian companies are not absolved of responsibility when such incidents occur. The Nigeria Data Protection Act 2023 places clear statutory duties on corporate actors to prevent breaches, report them promptly and uphold individual privacy rights. Failure to comply not only attracts administrative, civil and, in serious cases, criminal liability but also undermines consumer confidence in Nigeria’s digital marketplace. A strong compliance culture, proactive data protection strategies and effective breach response mechanisms are therefore essential for companies navigating Nigeria’s evolving data protection landscape.
