Employee Data Privacy

Nigeria - Breach Notification


Are there any data breach notification requirements? 


A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances. 


The Nigerian Data Protection Regulation (NDPR) Framework mandates that Data Controllers, such as employers, and Data Administrators conduct a Data Protection Impact Assessment (DPIA) on processes, services and technology periodically to ensure continuous compliance. In addition, Data Controllers and Data Administrators are expected to notify the National Information Technology Development Agency (NITDA) of personal data breaches within 72 hours of becoming aware of a data breach.

Nigeria does not currently require data subjects to be notified in the event of a personal data breach. That said, the Nigerian Data Protection Regulation does impose a general duty of care towards data subjects, such as employees.

Employers who do not meet that duty of care are liable for the actions and inactions of those who handle the personal data that the employer collects. Therefore, while a data breach notification may not be required, it is a good idea to follow common international best practices and consider disclosing a breach to the data supervisory authority, when appropriate. 

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.
