Data Protection and Information Governance

Every organisation collects data. Most collect far more than they realise: customer records, employee information, transaction histories, communications, and operational data built up over years or decades. That data has real value. It also carries real responsibility, legal obligations to protect it, regulatory requirements to manage it, and liability when it is mishandled, lost, or exposed.

We help organisations take control of their data. Our data protection and information governance advisory service builds the frameworks, policies, processes, and technical controls needed to manage data as a strategic asset while meeting the obligations imposed by Nigeria's data protection regime and applicable international frameworks.

THE REGULATORY AND BUSINESS IMPERATIVE

The Nigeria Data Protection Act (NDPA) 2023 established comprehensive data protection requirements for all organisations processing Nigerian personal data, with enforcement powers, mandatory breach notification, and penalties of up to 2% of annual gross revenue for violations.

The Nigeria Data Protection Commission (NDPC) is actively enforcing. Several high-profile organisations have already faced regulatory action, and enforcement activity has continued to increase. Treating the NDPA as a future concern is increasingly a miscalculation.

Nigerian organisations doing business in Europe, the United Kingdom, or the United States also carry obligations under GDPR, UK GDPR, or applicable US state privacy laws. The extra-territorial reach of these frameworks tends to come as a surprise when it materialises.

There are also less visible costs to poor information governance: operational inefficiency, eDiscovery exposure, intellectual property risk, and reputational vulnerability that builds up without notice until something goes wrong and all of it becomes visible at once.

WHAT WE DO

Data Protection Compliance Assessment

We assess your organisation's current compliance with the NDPA 2023 and applicable international regulations, identifying gaps, quantifying regulatory exposure, and establishing a clear baseline for improvement.

Data Mapping and Records of Processing Activities

We help you understand and document what personal data your organisation holds, where it came from, how it is used, who it is shared with, and how long it is retained. Organisations that skip this step tend to find out why it matters at the worst possible time.

Privacy Framework and Policy Development

We design and implement data protection frameworks covering privacy policies, data handling procedures, consent management, data subject rights processes, and breach notification protocols, built to work in practice and hold up to regulatory scrutiny.

Data Protection Officer (DPO) Support

The NDPA requires many organisations to designate a Data Protection Officer. We provide DPO-as-a-Service for organisations that lack the internal resource, fulfilling the role with qualified expertise or supporting an existing internal DPO with advisory capacity where needed.

Data Retention and Disposal

Retaining data longer than necessary increases both risk and regulatory exposure. We design and implement retention and disposal policies that reduce that risk while satisfying legitimate legal retention requirements.

Third-Party Data Processing Agreements

Organisations that share personal data with third parties must ensure appropriate contractual protections are in place. We review and draft data processing agreements that protect your legal position.

Information Governance Framework

Effective information governance extends beyond personal data to all organisational information: classification frameworks, access controls, document management, and lifecycle management that keep information under control rather than accumulating as unmanaged risk.