₦10 Million Fine: 10 Ways Your Business Could Be Breaking Nigeria's Data Protection Law Right Now

Let's be honest. When most Nigerian business owners hear the words "data protection law," their eyes glaze over. It sounds like something for big corporations and government agencies. Not for the event planner in Lekki, the hair salon in Abuja, or the logistics company in Port Harcourt.
But here's the truth nobody is telling you.
The Nigeria Data Protection Commission, the government body responsible for enforcing data protection in Nigeria, can fine your business up to ₦10 million or 2% of your annual revenue, whichever is higher. And the businesses getting caught aren't multinationals. They're businesses just like yours.
The scariest part? Most of them had no idea they were doing anything wrong.
Before we get into the 10 ways you could be at risk, let's quickly explain a few terms you'll need to understand. Don't worry, no big grammar. We'll keep it simple.
Terms You Should Know
Personal Data —> This is any information that can identify a person. Full name, phone number, email address, home address, date of birth, BVN, photos. If you collect any of these from your customers, you are collecting personal data.
Data Controller —> This is the business or person who decides why and how personal data is collected. If you run a business that collects customer information, you are a Data Controller.
Data Processor —> This is anyone who handles personal data on behalf of another business. If you're a VA, contractor, or vendor who manages customer data for your clients, you are a Data Processor.
NDPC —> The Nigeria Data Protection Commission. They are the government agency that makes sure businesses handle personal data properly. They also enforce the rules and issue fines.
Privacy Policy —> This is a simple document that tells your customers what information you collect from them, why you collect it, how you store it, and who you share it with. Think of it as a promise to your customers about how you'll treat their information.
Consent —> This means your customer gave you clear permission to collect and use their information. Them giving you their phone number to complete a transaction is not the same as them giving you permission to add them to your marketing list.
Now that we're on the same page, here are the 10 ways your business could already be at risk.
1. You collect customer information but you have no Privacy Policy
Every time a customer fills out your booking form, signs up on your website, or gives you their details to complete a transaction, you are collecting personal data. The law says you must tell them exactly what you're doing with that information, in plain language, before you collect it.
That document is called a Privacy Policy. If you don't have one, you're already in violation, even if you never misuse the data.
2. Your customer list has passed 200 people and you haven't registered with the NDPC
This one catches a lot of businesses off guard.
Once your business is processing the personal data of more than 200 people within a six-month period (and this includes your email list, your customer database, and your booking records), you are required by law to register with the NDPC as a Data Controller of Major Importance.
Two hundred people sounds like a lot, but think about it. Your Instagram followers who've ever DM'd you. Every client whose number is saved in your phone. Everyone on your WhatsApp broadcast list. You may have crossed that number without realising it.
The registration is done online through the NDPC portal at services.ndpc.gov.ng.
3. You're running your entire business through WhatsApp
We get it. WhatsApp is convenient, familiar, and everyone in Nigeria is on it. But here's the problem.
When your entire client management lives inside WhatsApp (booking confirmations, payment details, personal information, sensitive conversations), that data is not being managed in a secure, structured way. If your phone is stolen, your account is hacked, or you accidentally send the wrong message to the wrong person, you've just had a data breach.
And under Nigerian law, data breaches have consequences.
4. You added someone to your marketing list without their permission
You met someone at an event. They gave you their business card. You added them to your email list and started sending them newsletters.
That is a violation.
Or a customer bought something from you once. You added them to your WhatsApp broadcast. Also a violation.
Under the Nigeria Data Protection Act, you need clear, specific permission from a person before you can send them marketing messages. "They gave me their number" is not the same as "they said yes to receiving my messages."
5. You share customer details with other people without telling your customers
You hire a photographer for an event and share the guest list with them. You use a printing company and send them your client database to print name tags. You bring in a freelancer and give them access to your customer records.
All of this involves sharing personal data with a third party. The law says your customers must know this could happen, and in many cases, must have agreed to it. If you're sharing customer information without telling them, you're at risk.
6. You have no way for customers to ask you to delete their information
Under Nigerian data protection law, every person has the right to ask a business to delete their personal information. This is called the Right to Erasure.
If a former customer contacts you and says "please remove all my details from your system", you are legally required to do that. If you have no process for handling that request, or if your data is so disorganised that you wouldn't even know where to look, that is a compliance problem.
7. Everyone in your business can see everything
If you have staff or team members and every single person has access to all your customer data regardless of what their job is, that is a data governance issue.
The law requires that access to personal data is limited to only the people who genuinely need it to do their job. Your social media manager probably doesn't need to see your full client payment history. Your delivery person doesn't need access to your entire customer database.
8. You had a data incident and you didn't report it
A data breach doesn't have to be a Hollywood-style hack. It can be as simple as sending an email with customer details to the wrong person. Losing a laptop with client records on it. Having your email account compromised.
If a breach puts your customers' data at risk, Nigerian law requires you to report it to the NDPC within 72 hours. Most businesses don't know this rule exists, and many have already had incidents they never reported.
9. You're a freelancer or contractor handling client data and you think the law doesn't apply to you
This one is very important for VAs, consultants, social media managers, accountants, and anyone who handles business data on behalf of their clients.
If you process personal data as part of your work, even if it's someone else's customers, you are classified as a Data Processor under Nigerian law. You have your own obligations. You may also need to register. The law does not only apply to big businesses.
10. You've never stopped to think about what data you actually hold
Here is a simple question. If someone asked you right now where all your customer data is stored, who has access to it, how long you keep it, and how it is protected, could you answer?
If the honest answer is no, that is where compliance begins. Not with lawyers and long documents. But with simply understanding what information your business holds and taking responsibility for it.
Compliance starts with awareness.
So What Should You Do?
First, don't panic. The fact that you're reading this already puts you ahead of most Nigerian business owners.
Start here. Ask yourself these three questions:
Do I have a Privacy Policy? If not, create one.
Have I processed data for more than 200 people in the last six months? If yes, visit services.ndpc.gov.ng and begin your registration process. You can also engage a licensed Data Protection Compliance Organisation (DPCO) to help you through it.
Is my customer data organised, secure, and managed in one place? If it's scattered across WhatsApp, spreadsheets, and notebooks, it's time to fix that.
In Part 2 of this series, we'll walk you through exactly how to register with the NDPC, what the process looks like, what it costs, and what good data compliance looks like for a Nigerian SME.
Until then, take the first step. Your business, your customers, and your peace of mind are worth protecting.
MyCo is a registered Data Controller with the Nigeria Data Protection Commission. We help Nigerian businesses manage their clients, communications, and payments in one secure, organised platform. Learn more at mycentreoffice.com.
MyCo is also registered with the UK Information Commissioner's Office (ICO) and certified under Cyber Essentials.