Hello everyone, and welcome to this short but value-packed crash course on data protection and privacy compliance for players in the Nigerian and African tech ecosystem. This is the first of twelve articles in the Nexa Advisory & OTL Law Data Protection Knowledge Management Series designed for founders, engineers, privacy lawyers, enthusiasts, business owners, business advisers, and anyone with a keen interest in data protection and privacy compliance.
My name is ‘Tife Ekundayo, I am a lawyer and privacy consultant with multi-jurisdictional experience across the African, European, and United States markets. I am collaborating with the experts at OTL Law to bring you this series. While I have a background as a Nigerian-trained lawyer, I have, over the past few years, studied and practised technology law (with a focus on privacy and security) in the European Union. During this period, I have noticed a gap between how privacy is applied globally and how it is approached across the African continent. Our goal with this series is, therefore, to simplify privacy knowledge and compliance for individuals and entities in Nigeria and across the African continent.
The series will begin with the basics and gradually explore how to build a privacy compliance programme for any business. This is not meant to be an extensive or technical resource. Rather, it is a practical guide that can support both privacy beginners and professionals. Your comments, questions, and feedback are also appreciated.
With that, we welcome you to this series. Prepare to journey from being a privacy novice to a semi-expert in privacy in the next twelve weeks.
What is Personal Data?
Understanding what qualifies as personal data is the foundation of any data protection journey. Whether you are building a tech product, offering legal advice, or working with user information, you must know what you are protecting and why it matters.
Personal data is now a global priority, and Africa is also paying close attention. There is a growing conversation about personal data, how it is processed, and the risks involved. To begin this series, it is therefore important to explain what personal data is and what it is not.
Personal data refers to the information relating to an identified or identifiable natural person. This identified or identifiable natural person is referred to as the data subject. Personal data always refers to a “natural person”, that is, a human being. Information about legal persons, companies, or other legal persons created by the law does not qualify as personal data. Also, personal data always refers to information that relates to an identified or identifiable person. This means that the information must be about a person whose identity is obvious from the data itself (identified) or who can be identified using other additional information (identifiable), taking into account all reasonable means and technological advances that can make it easy to identify such a person.
What are the Common Types of Personal Data?
Information like names, phone numbers, home addresses, email addresses, online addresses (e.g. IP addresses, user IDs), identification numbers (e.g. social security numbers, national identity numbers), financial information (e.g. bank account numbers, card information) are the common types of personal data.
Categories of Personal Data
There are two categories of personal data. We have personal data and “special categories of personal data” or “sensitive personal data”. Sensitive personal data is personal data that requires enhanced protection because it inherently poses more risks to the data subject. Under the Nigerian laws, these include information about a person’s race or ethnic origin, genetic or biometric data, health status, sex life (or sexual orientation), political beliefs or affiliations, religious or philosophical beliefs, or trade union membership. In some jurisdictions (e.g. California), sensitive personal data may also include financial information like bank account numbers, social security numbers, passport numbers, and precise geolocation. Some data protection frameworks (e.g. Modernised Convention 108, South Africa’s Protection of Personal Information Act) include information about offences, criminal proceedings, and convictions, and related security measures in the list of special categories of (or sensitive) personal data.
What is NOT Personal Data?
Based on the definitions above, the following types of information are not personal data:
- Company registration numbers or public business IDs
- Generic company email addresses (when they do not contain personal data)
- Information about public bodies or government agencies
- Technical data such as device type or browser information
- Aggregated data that cannot be linked to a specific individual
Another example is truly anonymised data. This is data that has been stripped of all identifiers and cannot be traced back to any individual.
Pseudonymisation v. Anonymisation
Pseudonymisation refers to the process of keeping “identifiers” or information that will help identify a data subject separate from the personal data itself. Pseudonymised personal data cannot be attributed to the data subject without additional information, which is kept separately (the key). Pseudonymised data remains personal data. A common example of pseudonymisation is encryption. The key that enables the identification of personal data must be kept safe and secure at all times.
Anonymisation, on the other hand, refers to the process of permanently stripping personal data of identifiers (or information that links the data to the data subject). By stripping data of identifiers, they no longer relate to an identified or identifiable person. Anonymised data are therefore no longer personal data.
Short Test
Which of the following contains personal data?
- Mr. John Doe of 123, Liberty Union Square, with phone number +123456789 is a known patient of ABCD Dialysis Centre and visited in 6 times in May, June and July, 2025.
- The patient, MJD, (Patient #12345) visited 6 times in the past 3 months.
- Patient MJD visited 6 times in the past 3 months.
- tife.ekundayo@otllaw.com
- info@otllaw.com
Feel free to share your answers and thoughts in the comments.
If you found this helpful, feel free to share it with your team or network.
Got a question or want to test your understanding? Drop a comment.
In our next article, we will dive into who uses personal data and the key roles in any data processing activity: data controllers and processors.
Well work done here.
Quite informative.