Kenya Data Protection Act vs. Nigeria NDPA: What Businesses Operating in Both Markets Must Know

Pan-African businesses face two distinct compliance frameworks when operating in East and West Africa. This comparison maps the key differences and explains where a unified platform changes the economics of compliance.

By HubSecure Compliance

Nigeria and Kenya together account for a substantial portion of Africa’s digital economy. Lagos is the continent’s largest startup ecosystem by funding. Nairobi is East Africa’s technology hub and home to some of Africa’s most sophisticated financial services infrastructure. Any pan-African platform—fintech, e-commerce, logistics, healthtech—that operates meaningfully in Sub-Saharan Africa almost certainly processes personal data of both Nigerian and Kenyan residents.

What many organisations have not done is sit down and map the differences between Nigeria’s Data Protection Act 2023 and Kenya’s Data Protection Act 2019. These are not equivalent frameworks applied to similar populations. They are distinct laws with different regulators, different thresholds, different rights regimes, and different enforcement postures. Applying one framework’s approach to both markets creates compliance gaps that are invisible until an enforcement action reveals them.

The regulatory authorities

Kenya: The Office of the Data Protection Commissioner (ODPC) was established under the Kenya Data Protection Act 2019. The ODPC has grown its enforcement capability steadily and has investigated complaints involving some of Kenya’s largest digital platforms. It registers data controllers and data processors and conducts audits.

Nigeria: The Nigeria Data Protection Commission (NDPC) was established under the Nigeria Data Protection Act 2023, replacing NITDA as the primary data protection authority. The NDPC has moved quickly to establish its enforcement framework, introducing the Data Controller of Major Importance (DCMI) registration requirement and mandatory annual audits for large-scale processors.

Both regulators have demonstrated willingness to pursue enforcement actions. Neither should be treated as a paper authority.

Lawful basis for processing: where the frameworks diverge

Both laws follow the GDPR-influenced model of requiring a lawful basis for processing personal data. But the available bases differ in ways that matter operationally.

Kenya DPA recognises: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. The legitimate interests basis is available but must be balanced against the rights of the data subject—similar to the GDPR balancing test.

Nigeria NDPA recognises: consent, contractual necessity, legal obligation, vital interests, public interest and official authority, legitimate interests, and research/statistics/archiving. A notable feature of NDPA is the emphasis on consent quality—the Act specifies that consent must be a clear affirmative action and that conditional consent (consent required as a precondition to a service where it is not necessary) is invalid.

Operational implication: An organisation using legitimate interests as its lawful basis for customer analytics in Kenya needs to conduct and document a balancing test. In Nigeria, the same processing may require either explicit consent or a stronger legitimate interests justification given the NDPA’s emphasis on consent validity. The lawful basis cannot simply be copied from one jurisdiction to the other.

Data localisation: a significant structural difference

This is the most practically significant difference for cross-border operations.

Kenya DPA: Does not impose a general data localisation requirement. Personal data may be transferred out of Kenya provided the destination country has adequate data protection standards (assessed by the ODPC) or appropriate safeguards are in place. Kenya-based data can therefore be stored in cloud infrastructure in any adequacy-assessed jurisdiction without specific ODPC approval.

Nigeria NDPA: Imposes a data localisation requirement for certain categories of sensitive data—specifically health data, genetic data, biometric data, and financial data of Nigerian residents. This data must be stored on servers physically located in Nigeria, with cross-border transfer only permitted under specific conditions including NDPC approval or adequacy assessment.

Operational implication: A platform using a single cloud region for both markets will be compliant in Kenya but potentially non-compliant in Nigeria for financial and health data. The infrastructure architecture needs to account for this difference, or the Nigerian data localisation requirement needs to be addressed through a separate in-country storage arrangement.

Data subject rights: timing differences

Both laws create data subject rights including access, correction, deletion, and objection. The response timelines differ.

Kenya DPA: Data subjects must receive a response within 21 days. Extensions are possible but must be communicated.

Nigeria NDPA: The Act requires responses within 30 days. The NDPC has indicated it treats this as an outer limit, not a target.

Practical implication: A shared data subject rights process with a 21-day SLA satisfies both frameworks. A process calibrated to 30 days may miss the Kenyan requirement. If you operate a unified rights process, calibrate to the shorter window.

Registration and audit requirements

Kenya DPA: Data controllers and data processors are required to register with the ODPC. The registration fee and process are relatively accessible. Ongoing audit requirements are less prescriptive than Nigeria’s.

Nigeria NDPA: Organisations processing personal data of more than 10,000 Nigerian residents must register as Data Controllers of Major Importance (DCMIs) and submit to annual data protection audits conducted by NDPC-licensed Data Protection Compliance Organisations (DPCOs). This is a significant ongoing compliance obligation with external audit costs.

Practical implication: A pan-African platform with 100,000 Nigerian users and 100,000 Kenyan users will face annual external audit requirements in Nigeria that do not have a direct equivalent in Kenya. Budget and programme planning need to reflect this asymmetry.

Breach notification: similar requirements, different regulators

Both frameworks require breach notification within defined windows. Kenya DPA requires notification to the ODPC “without undue delay.” Nigeria NDPA specifies 72 hours for notification to the NDPC when a breach is likely to result in a risk to data subjects.

Practical implication: A single breach in a system processing both Kenyan and Nigerian data triggers two separate notification obligations—to two different regulators, potentially with slightly different information requirements. An incident response plan operating in both markets needs to document both notification tracks.

What a unified compliance programme looks like

Running two entirely separate compliance programmes for Kenya and Nigeria is expensive and operationally complex. The organisations managing this well have built a single compliance infrastructure with jurisdiction-specific configurations:

  • A unified data inventory that tags each data category with the applicable jurisdiction(s) and framework requirements
  • A single data subject rights process calibrated to the shorter (21-day) window that satisfies both
  • Infrastructure that enforces Nigerian localisation requirements for Nigerian financial and health data while allowing Kenyan data to use regional cloud infrastructure
  • A breach response procedure with parallel notification tracks documented for each regulator
  • A vendor management programme that covers both Kenya DPA and Nigeria NDPA in DPA templates

The platform question is whether your compliance tooling can support jurisdiction-level configuration—different retention rules, different localisation constraints, different rights response SLAs—within a single operational view. Spreadsheets and shared drives cannot do this at scale. A governed compliance platform can.
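To make the jurisdiction-level configuration concrete, here is a small worked example, added to this post and not HubSecure's code, of how a tagged data inventory can be checked against the two frameworks. The figures are the ones stated above (21-day and 30-day rights windows, the 72-hour NDPC window, "without undue delay" for the ODPC, and NDPA localisation of health, genetic, biometric and financial data); the record layout, the region-to-country mapping, the region names and the function names are assumptions for illustration, and the adequacy assessment of a destination country for Kenyan transfers is not modelled.

```python
"""Jurisdiction-aware checks over a shared data inventory.

Added example, not HubSecure's code. Thresholds come from the article;
record format, region names and function names are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Per-jurisdiction parameters as stated in the article.
#   rights_days:  longest permitted response to a data subject request
#   breach_hours: regulator notification window (None = "without undue delay")
#   localised:    categories that must be stored in-country
JURISDICTIONS = {
    "KE": {"regulator": "ODPC", "rights_days": 21, "breach_hours": None,
           "localised": frozenset()},
    "NG": {"regulator": "NDPC", "rights_days": 30, "breach_hours": 72,
           "localised": frozenset({"health", "genetic", "biometric", "financial"})},
}

# Assumed mapping from storage region to the country it sits in.
REGION_COUNTRY = {"af-south-1": "ZA", "eu-west-1": "IE", "ng-lagos-1": "NG"}


@dataclass
class InventoryItem:
    name: str
    category: str        # e.g. "financial", "contact"
    jurisdictions: set   # residents whose personal data the item holds
    region: str          # where the item is stored


@dataclass
class Requirements:
    rights_sla_days: int
    notify: dict         # regulator -> hours (None = without undue delay)
    localisation_violations: list = field(default_factory=list)


def evaluate(item: InventoryItem) -> Requirements:
    """Merge the strictest obligation from every jurisdiction tagged on the item."""
    if not item.jurisdictions:
        raise ValueError(f"{item.name}: no jurisdiction tag")
    unknown = set(item.jurisdictions) - set(JURISDICTIONS)
    if unknown:
        raise ValueError(f"{item.name}: unknown jurisdiction tag(s) {sorted(unknown)}")

    # Shortest rights window wins when data of both populations is held together.
    sla = min(JURISDICTIONS[j]["rights_days"] for j in item.jurisdictions)
    # One notification track per regulator whose residents are affected.
    notify = {JURISDICTIONS[j]["regulator"]: JURISDICTIONS[j]["breach_hours"]
              for j in item.jurisdictions}
    # Localisation: a category that a jurisdiction keeps in-country must sit there.
    stored_in = REGION_COUNTRY.get(item.region)
    violations = [
        f"{item.name}: {item.category} data of {j} residents stored in "
        f"{item.region} ({stored_in or 'unknown country'}); must be stored in {j}"
        for j in sorted(item.jurisdictions)
        if item.category in JURISDICTIONS[j]["localised"] and stored_in != j
    ]
    return Requirements(sla, notify, violations)


def audit(items) -> list:
    """Return every localisation violation across the inventory."""
    return [v for item in items for v in evaluate(item).localisation_violations]


if __name__ == "__main__":
    inventory = [  # constructed sample inventory
        InventoryItem("customer_profiles", "contact", {"KE", "NG"}, "af-south-1"),
        InventoryItem("payment_ledger", "financial", {"KE", "NG"}, "af-south-1"),
        InventoryItem("ng_payment_ledger", "financial", {"NG"}, "ng-lagos-1"),
    ]
    for violation in audit(inventory):
        print("VIOLATION:", violation)
    print(evaluate(inventory[0]))
```

Run as a script, the constructed inventory reports one violation: the shared payment ledger holds Nigerian financial data in a non-Nigerian region, while the same category held only for Kenyan residents in that region passes. The merged requirements for the shared customer profile table come out at a 21-day rights SLA with two notification tracks, which is the "strictest applicable" rule the list above describes.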

The AfCFTA dimension

The African Continental Free Trade Area is creating new cross-border business flows that are generating data protection complexity beyond the bilateral Kenya-Nigeria case. As more African businesses expand to three, four, or five markets, the multiplication of regulatory requirements is driving demand for compliance infrastructure that treats multi-jurisdiction as a design requirement rather than an afterthought.

The organisations building that infrastructure now—before regulatory enforcement in multiple jurisdictions simultaneously—will have a structural advantage over those that are assembling compliance programmes market by market under examination pressure.