News

Why the NDPR should be every startup’s priority — Favour Ibe

Why the NDPR should be every startup’s priority — Favour Ibe

In Nigeria’s fast-growing digital economy, data has become the new oil — a critical asset powering innovation and business models across sectors. But as its value increases, so does the regulatory spotlight. The Nigeria Data Protection Commission (NDPC), established under the Nigeria Data Protection Act (NDPA), is no longer sitting on the sidelines. Armed with statutory powers and political will, the NDPC is now actively investigating, prosecuting, and sanctioning companies that violate the Nigeria Data Protection Regulation (NDPR).

Many Nigerian startups and mid-sized tech companies have historically downplayed data privacy, often copying generic privacy policies from foreign websites, ignoring consent requirements, and operating without proper data processing agreements. This lax attitude was previously enabled by weak enforcement and limited visibility from regulators. But the tide has turned.

According to startup and technology lawyer, Favour Chinaza Ibe, the days of ignoring data protection laws are over. “Startups need to stop thinking no one is watching. That era has ended,” she said in an interview. “The NDPC has moved from setting up frameworks to actually naming and shaming defaulters, issuing fines, and planning court actions.”

Ibe, who has advised startups across fintech, SaaS, crypto, and digital lending, warned that any company collecting user data — from emails to BVNs and health records — now falls within the regulatory scope. “If you’re not managing how that data is collected, stored, shared, and secured, you’re sitting on a legal time bomb,” she added.

She explained that too many founders prioritize product development and user growth over compliance. “Here’s the hard truth: if you don’t build privacy into your systems from day one, you’re not just non-compliant, you’re exposed. No valid user consent, no data processing contracts, no breach response plan? That’s a red flag.”

The consequences of ignoring these laws are becoming real. The NDPC recently fined Fidelity Bank PLC ₦555.8 million for data protection violations — a move widely seen as a warning to the broader tech ecosystem. “That was a clear warning shot,” Ibe noted. “The NDPC is serious, and startups are not exempt.”

The NDPC’s enforcement drive didn’t come out of nowhere. The foundation was laid in June 2023 when the Nigeria Data Protection Act was signed into law, giving the NDPC legal authority to regulate data privacy across the country. By 2024, the Commission had launched compliance campaigns, sent reminders for organizations to submit Compliance Audit Returns (CARs), and released the General Application and Implementation Directive (GAID 2025), a key operational guideline for regulated entities.

In 2025, the Commission has stepped into full enforcement mode. It has expanded its personnel, increased public visibility, and started imposing sanctions. According to reports by BusinessDay, the NDPC is planning stiffer penalties this year — including not just monetary fines but also criminal prosecution and public naming of violators. A recent court judgement involving Eat N’Go Limited, Domino’s Pizza, and Jumia further illustrates the legal risks for non-compliant firms.

Ibe urged Nigerian startups to take immediate steps to protect themselves. These include auditing current data practices, developing a locally compliant privacy policy, drafting solid data processing agreements with third parties, appointing a Data Protection Officer (DPO), and training staff regularly on privacy risks.

“Startups must stop copying random privacy templates from the internet. You need a policy that speaks directly to Nigerian users and complies with our laws,” she said. “And if you’re working with external vendors or cloud platforms, data processing agreements are non-negotiable. They protect you in case of a breach on their end.”

She stressed that data protection should not be viewed as a burden but as an opportunity. “Startups that take data seriously build trust faster, attract global partnerships, and stand out to international investors. It’s not just about avoiding fines — it’s about being future-ready.”

“This is not the year for regulatory guesswork or hesitation,” Ibe concluded. “The NDPC now operates with a legal mandate, an institutional structure, and growing public support. Startups must align their systems with the NDPR and NDPA or risk being left behind — or worse, shut down.”

As Nigeria moves toward a more regulated digital future, data compliance may soon become one of the key pillars of business survival. For Nigerian startups, the time to act is now.