Data protection in Nigeria (NDPR) for startups, 2026
The NDPR is Nigeria's data protection law. Here's what startups must do to comply, avoid fines, and build customer trust in 2026.
If you're running a startup in Nigeria and you collect customer data (email addresses, phone numbers, payment details, location, behaviour) you are already subject to the Nigeria Data Protection Regulation (NDPR). Most founders don't know this. Fewer still understand what compliance actually means. The result: startups operating in legal grey zones, exposed to fines of up to ₦10 million or 2% of annual gross revenue (whichever is greater), reputational damage, and loss of customer trust. This article walks you through the NDPR's real requirements, how it differs from GDPR, what you must do this year, and where to start if you're currently doing nothing.
The NDPR was issued by NITDA in January 2019, but enforcement has accelerated since 2024. The National Data Protection Bureau (NDPB, which since the Nigeria Data Protection Act 2023 operates as the Nigeria Data Protection Commission and is referred to as the NDPB throughout this article) now actively reviews startups, particularly those handling financial data, health information, or customer databases at scale. We've seen early-stage founders penalised for basic violations: no privacy policy, no consent mechanism, no data processing agreements with third-party vendors. The good news is that compliance is achievable for startups without hiring a full legal team. It requires clear thinking about what data you collect, why, how long you keep it, and who can reach it.
What the NDPR actually covers
The Nigeria Data Protection Regulation applies to any organisation—startup, SME, multinational—that processes personal data of Nigerian residents. Personal data means any information that identifies or could identify a person: name, email, phone, IP address, payment history, device ID, even pseudonymised data in some cases. If your fintech app stores customer KYC data, your SaaS product logs user behaviour, or your logistics platform tracks driver locations, you are processing personal data and you must comply.
The NDPR does not apply only to large companies. The regulation explicitly covers startups from day one. There is no employee threshold, revenue threshold, or data volume threshold that exempts you. A solo founder running a Telegram bot that collects email addresses is technically subject to the NDPR. In practice, enforcement focuses on companies handling data at meaningful scale or in sensitive sectors (fintech, healthcare, e-commerce), but the law itself is universal.
The regulation is modelled on the European GDPR but adapted for the Nigerian context. Key similarities: both require a lawful basis for processing, both give individuals rights to access, correct and request deletion of their data, both mandate breach notification. Key differences: the NDPR's deletion right is briefer than GDPR's Article 17 and, like GDPR's, yields to legal retention duties; the NDPR's list of lawful bases differs in detail (see the comparison later in this article); and NDPR fines are lower in absolute terms but still material, up to ₦10 million or 2% of annual gross revenue, whichever is greater, for serious breaches.
The seven principles you must follow
The NDPR rests on seven core principles. Understanding these shapes everything you do with customer data:
1. Lawfulness, fairness, and transparency. You must have a legal reason to collect data. "Because we need it" is not enough. Valid reasons include: user consent (explicit opt-in), contract performance (you need their address to ship an order), legal obligation (KYC for fintech), vital interests (emergency contact), public task (if you're a public body), or legitimate interests (e.g., fraud detection—but you must balance this against the individual's rights). You must tell users why you're collecting their data, in plain language, before you collect it.
2. Purpose limitation. Collect data for a specific purpose. If you collect email for order confirmation, you cannot later use it for marketing without fresh consent. This is a common violation: founders collect customer data "for future use" and then spam them. Do not do this.
3. Data minimisation. Collect only what you need. If you're running a clothing e-commerce store, you need name, address, and payment details. You do not need date of birth, employment history, or mother's maiden name. Startups often over-collect to "build a profile" or "enable future features." The NDPR says: collect only what is necessary for your stated purpose, now.
4. Accuracy. Keep data correct and up to date. If a customer updates their address, you must update your records. If you discover data is inaccurate, you must correct or delete it. This is less about perfection and more about reasonable effort—you don't need to validate every entry in real time, but you should have a process for corrections.
5. Storage limitation. Don't keep data longer than necessary. Define a retention policy for each data type. Customer payment records: keep for 7 years (tax requirement). Marketing email list: keep until they unsubscribe, then delete within 30 days. Support chat logs: keep for 2 years, then delete. Write this down. Auditors and the NDPB will ask for it.
6. Integrity and confidentiality. Protect data from unauthorised access, loss, or damage. This means basic security: passwords stored as salted, slow hashes (never in plaintext and never merely "encrypted"), HTTPS on your website, access controls (not everyone on your team can see all customer data), and an incident response plan. You don't need military-grade security, but you need reasonable measures. For startups: use managed services (AWS, Google Cloud, Vercel) rather than self-hosting, enable two-factor authentication, keep software patched.
7. Accountability. You must be able to prove you're compliant. Keep records: what data you collect, why, from whom, how long you keep it, who has access, what security measures you have. If the NDPB asks, you must produce evidence. A spreadsheet is fine; silence is not.
Building a data protection framework for your startup
Compliance is not a one-time project. It's a framework you build into operations. Here's the practical sequence:
Step 1: Data audit
List every piece of personal data your startup collects. Go through each product, each process, each integration. For a typical SaaS startup in Nigeria:
- User accounts: name, email, phone, password hash, profile picture
- Usage logs: IP address, device type, pages visited, timestamps
- Payment data: card last four digits, billing address (not full card details—that should be handled by Paystack, Flutterwave, or Stripe)
- Support: chat transcripts, support tickets, attachments
- Marketing: email list, click behaviour, unsubscribe status
For each data type, document:
- What is it?
- Why do we collect it? (lawful basis)
- Where is it stored?
- Who has access?
- How long do we keep it?
- Do we share it with anyone else?
This audit takes 2-4 hours for most startups. Do it now. You'll reference it constantly.
Step 2: Privacy policy and terms of service
You must publish a privacy policy on your website. It must be in plain language, not legal jargon. It must cover:
- What data you collect
- Why you collect it (lawful basis)
- How long you keep it
- Who you share it with (payment processors, analytics tools, etc.)
- Users' rights (access, correction, deletion, opt-out)
- How users can contact you about data issues
- How you handle data breaches
Do not copy a template verbatim from the internet. Customise it to your actual practices. A privacy policy that doesn't match your real behaviour is worse than useless—it's evidence of non-compliance.
For startups, a 500-800 word privacy policy is sufficient. You can draft it yourself in Notion or Google Docs, or use a template from the NDPB website or a service like Termly (though be prepared to customise heavily).
Step 3: Consent mechanisms
For non-essential data, you need explicit, informed consent. This means:
- Checkboxes must be unchecked by default (users opt-in, not opt-out)
- Language must be clear: "I agree to receive marketing emails from Acme" not "I agree to Acme's terms"
- Consent must be freely given—do not make it a condition of using your core product unless it genuinely is
- You must keep records of when consent was given and what was consented to
Example: your e-commerce store needs shipping address (lawful basis: contract performance, no consent needed). You want to add them to a mailing list (lawful basis: consent, must ask). Separate these. At checkout, ask: "Yes, send me product updates and offers" with an unchecked box.
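The checkout split above (shipping address on a contract basis, mailing list only with a separate opt-in) is easy to describe and easy to get wrong in code, because the "record of when consent was given and what was consented to" is what an auditor asks for. The following Python is an added example, not code from this article's author or from any vendor; the purpose names, wording versions and the in-memory ledger are assumptions, and a real system would persist the ledger in an append-only table. It shows a per-purpose, opt-in-by-default consent ledger where the latest decision wins and every decision keeps the version of the wording the user actually saw.

```python
import datetime as dt
from dataclasses import dataclass, field

# Hypothetical purpose registry: every non-essential purpose gets its own
# opt-in and a versioned copy of the exact wording the user saw (assumption).
CONSENT_TEXT = {
    "marketing_email": ("v1", "Yes, send me product updates and offers"),
    "profiling": ("v1", "Yes, personalise recommendations using my order history"),
}


def utc(year, month, day, hour=0):
    """Small helper so timestamps are always timezone-aware UTC."""
    return dt.datetime(year, month, day, hour, tzinfo=dt.timezone.utc)


@dataclass
class ConsentEvent:
    user_id: str
    purpose: str
    text_version: str   # which wording the user agreed to
    granted: bool       # True = opt-in, False = withdrawal
    at: dt.datetime     # UTC timestamp of the action
    source: str         # where it happened, e.g. "checkout-form"


@dataclass
class ConsentLedger:
    """Append-only record of consent decisions: never overwrite, only add."""
    events: list = field(default_factory=list)

    def record(self, user_id, purpose, granted, source, at=None):
        # Refuse to record consent for a purpose whose wording was never registered;
        # that is how "collect it now, decide the purpose later" gets blocked.
        if purpose not in CONSENT_TEXT:
            raise ValueError(f"unknown purpose {purpose!r}; register its wording first")
        version, _text = CONSENT_TEXT[purpose]
        when = at or dt.datetime.now(dt.timezone.utc)
        self.events.append(ConsentEvent(user_id, purpose, version, granted, when, source))

    def may_process(self, user_id, purpose):
        """Opt-in by default: no event means no consent. Latest decision wins."""
        latest = None
        for e in self.events:
            if e.user_id == user_id and e.purpose == purpose:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def evidence(self, user_id, purpose):
        """What you hand an auditor: every decision, with wording version and time."""
        return [e for e in self.events if e.user_id == user_id and e.purpose == purpose]
```

Note that the shipping address never touches the ledger: its basis is the contract, so there is nothing to opt in to. Only purposes that rest on consent are recorded here, and a withdrawal is a new event rather than a deletion, so the history survives for the accountability principle.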
Step 4: Data processing agreements
If you use third-party tools—Paystack for payments, Mixpanel for analytics, Slack for internal chat, AWS for hosting—you are sharing customer data with those vendors. You must have a Data Processing Agreement (DPA) with each one. This is a legal contract stating that the vendor will only process data on your instruction and will protect it.
Most major vendors (Paystack, Flutterwave, Moniepoint, AWS, Google Cloud) have standard DPAs. Request them. Sign them. Keep copies. If a vendor refuses to sign a DPA, consider whether you should use them.
For startups, this is often overlooked. Do not overlook it. The NDPB has explicitly cited missing DPAs as a compliance failure.
Step 5: Data retention schedule
Create a simple table of what data you keep and for how long:
| Data type | Retention period | Reason | Deletion method |
|---|---|---|---|
| User account (active) | Duration of account | Service delivery | User deletion or account closure |
| User account (inactive) | 2 years after last login | Legitimate interest (fraud prevention) | Automated deletion script |
| Payment records | 7 years | Legal/tax requirement | Move to a restricted-access archive after the account closes, then secure deletion at 7 years |
| Support tickets | 2 years | Legitimate interest (dispute resolution) | Automated deletion |
| Marketing email list | Until unsubscribe + 30 days | Consent | Automated deletion on unsubscribe |
| Analytics data | 14 months | Legitimate interest (performance) | Event data retention setting in Google Analytics (2 or 14 months on a standard property) |
This is not just for compliance. It's good operations: you don't want old data cluttering your systems, and you reduce your liability if you don't hold it.
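The "Automated deletion script" column is where most schedules stay aspirational. The following Python is an added example, not code from this article's author; the record types, clock fields, sample records and the legal-hold flag are assumptions, and in practice the function would be fed from your database rather than an in-memory list. It turns the table above into a rule set, starts each clock from the event that matters for that type (last login, ticket closure, unsubscribe), refuses to handle data with no rule, and never deletes anything under a legal hold.

```python
import datetime as dt

# Constructed retention schedule mirroring the table above; periods in days.
# "clock" names the field whose date starts the retention period.
RETENTION = {
    "inactive_account":  {"days": 730,       "clock": "last_login"},
    "payment_record":    {"days": 7 * 365,   "clock": "created"},
    "support_ticket":    {"days": 730,       "clock": "closed"},
    "marketing_contact": {"days": 30,        "clock": "unsubscribed"},
}


def due_for_deletion(records, today):
    """Return the ids of records whose retention period has elapsed.

    Each record is a dict with 'id', 'type', the date field named by the
    schedule's clock, and an optional 'legal_hold' flag. A record whose clock
    has not started (still subscribed, ticket still open) is kept. A type with
    no rule raises: the fix is to add a rule, not to keep the data by accident.
    """
    expired = []
    for rec in records:
        rule = RETENTION.get(rec["type"])
        if rule is None:
            raise ValueError(f"no retention rule for {rec['type']!r}; add one before storing this data")
        if rec.get("legal_hold"):
            continue                      # dispute or regulator request: keep until released
        start = rec.get(rule["clock"])
        if start is None:
            continue                      # clock has not started yet
        if today - start >= dt.timedelta(days=rule["days"]):
            expired.append(rec["id"])
    return expired


# Constructed sample data (not real customers) and a fixed "today" for the run.
SAMPLE_TODAY = dt.date(2026, 1, 15)
SAMPLE_RECORDS = [
    {"id": "acct-1", "type": "inactive_account", "last_login": dt.date(2023, 12, 1)},
    {"id": "acct-2", "type": "inactive_account", "last_login": dt.date(2025, 11, 30)},
    {"id": "pay-1",  "type": "payment_record",   "created": dt.date(2020, 3, 1)},
    {"id": "pay-2",  "type": "payment_record",   "created": dt.date(2018, 6, 30)},
    {"id": "tick-1", "type": "support_ticket",   "closed": dt.date(2023, 6, 1), "legal_hold": True},
    {"id": "mkt-1",  "type": "marketing_contact", "unsubscribed": None},
    {"id": "mkt-2",  "type": "marketing_contact", "unsubscribed": dt.date(2025, 12, 1)},
]

if __name__ == "__main__":
    print(due_for_deletion(SAMPLE_RECORDS, SAMPLE_TODAY))
```

Run it on a schedule, log what was deleted and when (the log is itself compliance evidence), and treat a ValueError from an unknown type as a bug in your data audit: it means a new kind of personal data appeared without anyone deciding how long to keep it.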
Step 6: Security baseline
You don't need a Chief Information Security Officer. You need basic hygiene:
Encryption in transit: Your website and APIs must use HTTPS. No exceptions. This is free with Let's Encrypt and automatic on platforms like Vercel, Netlify, and Heroku.
Encryption at rest: Encrypt sensitive data such as KYC documents, ID numbers and bank details. Most managed databases (AWS RDS, Google Cloud SQL, MongoDB Atlas) offer encryption by default, but that only protects the disk, so restrict who can query the database as well. Passwords are a special case: hash them with a slow, salted algorithm (bcrypt, scrypt or Argon2) rather than encrypting them, so a stolen database does not yield the passwords.
Access control: Not everyone on your team needs access to all customer data. Use role-based access. Your marketing team does not need to see payment records. Your support team does not need to see source code.
Password management: Use a password manager so every admin credential is unique. Change a credential when it may have been exposed or when a staff member leaves, rather than on a fixed calendar; current NIST guidance (SP 800-63B) drops mandatory periodic rotation because it pushes people toward predictable variants. Enforce strong passwords (12+ characters or a passphrase) and check new passwords against breached-password lists.
Two-factor authentication: Enable 2FA on all critical accounts: email, hosting, payment processors, internal tools.
Patch management: Keep your operating systems, libraries, and frameworks up to date. Use automated dependency scanning (GitHub's Dependabot, Snyk) to catch vulnerabilities.
Incident response plan: Write a one-page plan: if we suffer a data breach, who do we notify, in what order, and when. Test it.
For a typical startup, this takes 1-2 weeks to implement. It costs almost nothing if you use managed services.
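"Plaintext passwords" is the single most common finding in breached startup databases, and "encrypted passwords" is usually the same problem one key away. The following Python is an added example, not code from this article's author; it uses the standard library only, and the scrypt cost parameters and storage format are assumptions you should tune to your hardware. It shows salted hashing with scrypt, a self-describing stored record so parameters can be raised later, constant-time verification, and a check that flags legacy records (plaintext, MD5, weak parameters) for re-hashing at the user's next successful login.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Cost parameters chosen for this example (assumption; tune to your hardware):
# n=2**14, r=8 uses about 16 MiB of memory per hash and takes tens of milliseconds.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, random salt, key."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, binascii.Error):
        return False          # malformed record: refuse rather than crash
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True for legacy records (plaintext, MD5, weaker scrypt parameters).
    Call after a successful login and store hash_password(password) in its place."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
    except ValueError:
        return True
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

The record carries its own parameters, so raising the cost later is a one-line change plus a re-hash on next login; users who never return keep the old, still-verifiable record. hmac.compare_digest matters because a byte-by-byte comparison leaks how many leading bytes matched through timing.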
NDPR vs GDPR: what's different
If you're familiar with GDPR (perhaps because you have European users), note the key differences:
GDPR: Right to erasure ("right to be forgotten", Article 17) with a list of exceptions. NDPR: Also grants a right to request deletion, but the provision is briefer and, as under GDPR, yields to legal retention duties (tax records, KYC). Do not promise deletion that your retention schedule cannot honour.
GDPR: Data Protection Impact Assessments (DPIAs) required for high-risk processing. NDPR: No DPIA procedure is spelled out in the regulation itself, but document your risk assessment regardless; the regulator will ask how you reasoned about high-risk processing.
GDPR: Fines up to €20 million or 4% of global turnover. NDPR: Fines up to ₦10 million or 2% of annual gross revenue, whichever is greater. The fixed amount is well under €10,000 at 2025 exchange rates, so for a growing company the percentage is what bites.
GDPR: Applies to any company processing EU resident data, regardless of location. NDPR: Applies to any company processing Nigerian resident data, regardless of location.
GDPR: Six lawful bases, of which consent is only one; legitimate interests is widely relied on. NDPR: The 2019 regulation did not list legitimate interests as a basis; the Nigeria Data Protection Act 2023 added it. Under both regimes consent is not the default: use contract, legal obligation or legitimate interests where they genuinely apply, and reserve consent for processing you cannot otherwise justify.
For Nigerian startups with international users, you may need to comply with both. The good news: GDPR compliance usually covers NDPR compliance. If you're GDPR-ready, you're mostly NDPR-ready. The reverse is not always true.
Sector-specific considerations
Fintech and payments
If you process payments or hold customer funds, you have additional obligations under the CBN's regulations. You must:
- Comply with KYC (Know Your Customer) requirements
- Retain transaction records for 7 years
- File suspicious transaction reports with the Nigerian Financial Intelligence Unit (NFIU), not the tax authority
- Have a DPA with your payment processor (Paystack, Flutterwave, Moniepoint, OPay, Kuda)
Read the CBN's Guidelines on Cybersecurity for Financial Services in Nigeria (2021) and the NDPR together. They overlap. For guidance on open banking compliance, see our resource on open banking in Nigeria in 2026.
E-commerce and logistics
If you collect delivery addresses and track shipments, you process location data. You must:
- Tell customers you're tracking their location
- Only use location data for delivery and fraud prevention
- Delete location history after delivery is complete (or within 30 days)
- Have a DPA with your logistics partner
SaaS and analytics
If you use analytics tools (Google Analytics, Mixpanel, Amplitude), you must:
- Anonymise or pseudonymise data where possible
- Have a DPA with the analytics provider
- Tell users you're tracking their behaviour (in your privacy policy)
- Respect do-not-track signals if your tool supports them
Note: Google Analytics 4 does not store full IP addresses, but its default configuration still collects device identifiers and can enable Google Signals (cross-device tracking tied to Google accounts). If you use it, leave Google Signals off unless you need it, set event data retention to 2 or 14 months (the only options on a standard property; 14 is the maximum), and disclose the tracking in your privacy policy.
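"Anonymise or pseudonymise where possible" is concrete enough to code. The following Python is an added example, not code from this article's author or from any analytics vendor; the key, the allow-listed field names and the sample event are constructed assumptions. It shows the two techniques analytics tools apply to identifiers, done on your side before anything leaves your system: a keyed hash (HMAC) that keeps a user's sessions joinable under one key but unlinkable to the real id without it, and IP truncation to the network prefix, the same operation that "anonymise IP" settings perform. The allow-list means a field like email can never reach the vendor by accident.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed example key; in production keep it in a secrets manager and
# rotate it on a schedule so old pseudonyms cannot be linked to new ones.
PSEUDONYM_KEY = b"rotate-me-quarterly-example-key-0001"


def pseudonymise_user_id(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256, truncated to 128 bits). Stable under one key so
    sessions still join up; unlinkable to the real id without the key.
    A plain unkeyed hash would not do: user ids are guessable and can be
    brute-forced back from a sha256."""
    mac = hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode("ascii").rstrip("=")


def truncate_ip(ip: str) -> str:
    """Keep only the network part: last octet zeroed for IPv4, /48 for IPv6.
    Enough for rough geography, not enough to single out a household.
    Raises ValueError on an unparseable address so bad input is not forwarded."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


# Fields that may leave the app and go to the analytics vendor (assumption).
ALLOWED_FIELDS = ("page", "event", "ts", "device_type")


def scrub_event(event: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Allow-list the fields you need, replace identifiers, drop everything else
    (data minimisation: a field not on the list never leaves the system)."""
    out = {k: event[k] for k in ALLOWED_FIELDS if k in event}
    if "user_id" in event:
        out["uid"] = pseudonymise_user_id(event["user_id"], key)
    if "ip" in event:
        out["ip_prefix"] = truncate_ip(event["ip"])
    return out


# Constructed sample event, the kind a SaaS backend would forward to Mixpanel or GA.
SAMPLE_EVENT = {
    "user_id": "user-8831",
    "email": "ada@example.com",        # must never reach the analytics tool
    "ip": "197.210.12.34",
    "page": "/checkout",
    "event": "order_placed",
    "ts": "2026-01-15T09:12:44Z",
    "device_type": "android",
}
```

Keep the key out of the analytics vendor's reach and out of the data warehouse the analytics feeds; if the key sits next to the pseudonyms, the data is merely obfuscated rather than pseudonymised, and the NDPR still treats it as personal data.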
Healthcare and wellness
If you collect health information (telemedicine, fitness apps, mental health platforms), the NDPR treats this as "sensitive personal data." You must:
- Get explicit consent before collecting health data
- Store it with enhanced security (encryption, access logs)
- Never share it without consent, except to healthcare providers under a DPA
- Retain it only as long as needed for treatment or legal requirement
Enforcement and penalties
The NDPB has enforcement power. Penalties for breach:
- Administrative fines: Up to ₦10 million
- Percentage of revenue: 2% of annual gross revenue, where that exceeds the fixed fine
- Suspension of operations: In severe cases
- Reputational damage: Public notification of breach
In practice, enforcement has been light on startups but heavy on financial services and large e-commerce platforms. The NDPB's strategy appears to be: educate first, penalise later. But "later" has arrived. In 2024 the NDPB began issuing compliance notices to fintech startups and e-commerce platforms, audits have become more active since, and in 2026 compliance is table stakes.
The NDPB publishes compliance guidance on its website. Check it quarterly. The regulation is still evolving, and guidance documents are updated regularly.
How to document compliance
Keep a compliance folder (physical or digital) with:
- Privacy policy (current version, dated)
- Terms of service (current version, dated)
- Data audit (list of all personal data you collect, updated annually)
- Data retention schedule (table of retention periods)
- Data processing agreements (signed DPAs with all vendors)
- Consent records (sample of user consent logs, if applicable)
- Security policy (one-page summary of your security measures)
- Incident response plan (one-page plan for data breach response)
- Staff training records (if you've trained staff on data protection)
- Vendor list (all third parties who access customer data)
You don't need a 100-page compliance manual. You need evidence that you've thought about data protection and implemented reasonable measures. The NDPB will ask for these documents if they audit you. Being able to produce them in 24 hours is the difference between a warning and a fine.
Common mistakes to avoid
No privacy policy. If your website has no privacy policy, you are in breach. Add one today. It takes 2 hours.
Privacy policy doesn't match practice. If your policy says "we delete data after 30 days" but you keep it for 3 years, you're non-compliant. Update your policy or your practice.
No consent for non-essential data. If you add users to a mailing list without asking, you're in breach. Implement opt-in checkboxes.
No DPA with vendors. If you use Paystack but have no DPA with them, you're in breach. Request and sign their DPA.
No data retention policy. If you keep data indefinitely "just in case," you're in breach. Define and document retention periods.
No security measures. If passwords are stored in plaintext or your database is reachable from the public internet, you're in breach. Hash passwords with a slow, salted algorithm (bcrypt, scrypt or Argon2), use HTTPS, restrict access.
Collecting data "for the future." If you collect email addresses "for future marketing," you're in breach. Collect data for a specific, stated purpose. If you want to use it for something else later, ask for new consent.
No incident response plan. If you suffer a data breach and don't know who to notify or how to respond, you're in breach. Write a one-page plan now.
Getting started in 2026
If you've never thought about NDPR compliance, start here:
Week 1: Do a data audit. List every piece of personal data you collect. (2 hours)
Week 2: Write or update your privacy policy. Make sure it describes your actual practices. (3 hours)
Week 3: Add consent checkboxes to any non-essential data collection (email lists, marketing, profiling). (2 hours)
Week 4: Request DPAs from all your vendors. Sign them. (2 hours)
Week 5: Document your data retention policy. Create a table. (1 hour)
Week 6: Review your security measures. Enable HTTPS, 2FA, encryption. (4 hours)
Total time: 14 hours. Total cost: €0 if you use free tools, or €100–500 if you hire a lawyer to review your privacy policy. This is not a heavy lift for most startups.
If you're registering a new startup, integrate NDPR compliance into your setup process. When you register with CAC (as covered in our guide on registering a Nigerian startup with CAC in 2026), add data protection to your compliance checklist. When you set up your tax structure (see taxes for a Nigerian startup in 2026), document your data retention policy so you know how long to keep tax-related customer records.
FAQ
Q: Do I need NDPR compliance if I only collect data from Nigerian users but my server is in the US?
A: Yes. The NDPR applies based on where your users are, not where your servers are. If you process data of Nigerian residents, you must comply with NDPR, even if you're hosted on AWS in Virginia.
Q: If I use Paystack or Flutterwave for payments, am I compliant?
A: Not automatically. Paystack and Flutterwave handle payment card data securely, but you still must comply with NDPR for all other customer data (names, emails, addresses, order history, etc.). You must have a DPA with them and a privacy policy describing what you do with customer data.
Q: Can I use Google Analytics without violating NDPR?
A: Yes, but you must configure it correctly: set event data retention to 14 months or less (a standard GA4 property offers 2 or 14 months), leave Google Signals off unless you need cross-device reporting, and tell users in your privacy policy that you use analytics. You should also have a DPA with Google (they provide one). GA4 does not store full IP addresses, but its default configuration is not automatically compliant for the rest of what it collects.
Q: What happens if I don't comply?
A: The NDPB can issue fines of up to ₦10 million or 2% of annual gross revenue, whichever is greater. In practice, enforcement on startups has been light, but it's increasing. More importantly, data breaches and customer backlash are costly. Building trust by being compliant is good business.
Q: How often should I review my compliance?
A: At least annually, or whenever you change how you collect or use data. If you add a new feature that collects new data, review compliance immediately. If you add a new vendor, get a DPA immediately.
What to do next
Start with your data audit this week. List what you collect, why, and how long you keep it. Then move to your privacy policy—make sure it's accurate and published on your website. Once those two are done, you've covered the biggest gaps.
If you're building a new startup and want to get compliance right from day one, integrate these steps into your launch checklist alongside CAC registration and tax setup. The time invested now saves legal fees and reputational damage later.
For ongoing updates on NDPR guidance and enforcement, follow the NDPB's announcements and check the resources section of LaunchPad regularly.
Founder of LaunchPad. Building the home for Nigerian makers. Previously shipped Headhunter.ng and a handful of other things.