Nigeria Enforces Data Protection Act Amid AI‑Driven Privacy Risks
Nigeria enforces its Data Protection Act amid rising AI‑driven privacy risks. See what security teams must do to comply and reduce exposure.

TL;DR
Nigeria has begun enforcing its Data Protection Act, compelling organisations to tighten controls on personal data as AI‑driven services expand. The move aims to curb rising privacy risks from widespread data collection and social media use.
Context
Global data privacy faces pressure from increasing breaches and the rapid spread of artificial intelligence tools that can infer sensitive details from seemingly innocuous datasets. Experts note that as more personal information flows through apps and social platforms, the chance of exposure grows. In Nigeria, regulators have shifted from issuing guidelines to actively enforcing the Nigeria Data Protection Act (NDPA), signalling a new era of accountability for how companies gather and process data.
Key Facts
Akande Adedayo, a solutions architect at 54pay Technologies, said data gathering is a major part of daily life and that big companies use data to drive business, affecting everyone, which makes data privacy paramount. Mary Ajibola, a data privacy lawyer, warned that the more time people spend online, the more personal details appear across social media and apps, raising the risk of exposure when data is shared broadly. The NDPA’s enforcement now requires organisations to demonstrate lawful basis for processing, maintain records of activities, and provide clear privacy notices to individuals.
What It Means
Security teams must align technical controls with legal obligations under the NDPA. This includes mapping data flows, classifying personal information, and ensuring that AI models do not inadvertently reveal protected attributes. Organisations will need to update incident‑response plans to address potential breaches that could trigger regulatory fines and mandatory notifications. Compliance also demands regular audits of third‑party vendors who handle data on behalf of the company.
Mitigations / What Defenders Should Do
- Conduct a comprehensive data inventory to locate all personal data stores and tag them according to sensitivity.
- Review and refresh privacy notices to reflect the lawful basis and retention periods required by the NDPA.
- Implement encryption at rest and in transit for personal datasets, and apply pseudonymisation where feasible.
- Monitor AI training pipelines for inadvertent use of prohibited data sources, using data‑loss‑prevention tools that can flag personally identifiable information.
- Deploy detection rules based on MITRE ATT&CK technique T1059 (Command and Scripting Interpreter) to spot unauthorized scripts that may exfiltrate data.
- Schedule quarterly reviews of access logs and conduct penetration tests focused on web applications and APIs that collect user data.
- Train staff on NDPA requirements and on recognizing social‑engineering tactics that aim to harvest personal details.
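As an added illustration of the pseudonymisation and training-pipeline items above (example code written for this page, not taken from the NDPA or any vendor tool), the sketch below flags personal identifiers in text records and replaces them with keyed HMAC tokens before the records reach a training set. The patterns, the function names `pseudonymise` and `gate`, and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed patterns (assumptions): e-mail, Nigerian mobile numbers in
# +234/0 form, and bare 11-digit numbers treated as possible national IDs.
PII = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<phone>(?<!\d)(?:\+234|0)[789][01]\d{8}(?!\d))"
    r"|(?P<id11>(?<!\d)\d{11}(?!\d))"
)

def _normalise(kind, value):
    """Map equivalent spellings to one form so tokens stay linkable."""
    if kind == "email":
        return value.lower()
    if kind == "phone" and value.startswith("+234"):
        return "0" + value[4:]
    return value

def pseudonymise(record, key):
    """Replace each PII match with a keyed token; return (text, kinds found)."""
    kinds = []
    def repl(m):
        kind = m.lastgroup  # name of the alternative that matched
        kinds.append(kind)
        mac = hmac.new(key, _normalise(kind, m.group()).encode(), hashlib.sha256)
        return f"<{kind}:{mac.hexdigest()[:16]}>"
    # One pass over the text, so inserted tokens are never re-scanned.
    return PII.sub(repl, record), kinds

def gate(records, key):
    """Clean every record before it reaches training; tally what was flagged."""
    cleaned, tally = [], Counter()
    for rec in records:
        text, kinds = pseudonymise(rec, key)
        cleaned.append(text)
        tally.update(kinds)
    return cleaned, dict(tally)

# Constructed sample records, not real data.
SAMPLE = [
    "Refund for Ada.Obi@example.ng, call +2348031234567",
    "Customer 08031234567 quoted ID 12345678901",
    "Order 4471 shipped to Lagos",
]
```

Because the tokens are keyed, the same person maps to the same token across records, while anyone without the key cannot rebuild the mapping by hashing guessed values; the key therefore needs to be stored apart from the training environment.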
Looking ahead, watch for the Nigerian Data Protection Bureau to publish enforcement guidelines and for companies to submit their first compliance reports, which will shape the next wave of privacy‑focused security investments.