Article 3: Understanding the Core Principles of Data Processing

This series is progressing quickly and we are moving to the technical parts, or the meat of the matter, as I like to call it. In this article, we will discuss the key principles of data protection and their compliance objectives.

Data protection principles are the best place to begin for anyone who wants to understand data protection as both a right and a business practice. Many compliance obligations flow directly from these principles, and it is difficult to meet global standards without being familiar with them.

Although the wording may differ slightly across jurisdictions, the core principles remain consistent worldwide. For this article, we will begin with Article 6 of the European Union General Data Protection Regulation (“EU-GDPR” or “GDPR”), which provides a clear and instructive framework. To make it more relevant to our African tech ecosystem, we will also reference the Nigerian law equivalent found in Section 24 of the Nigeria Data Protection Act 2023 (“NDPA”) and Article 15 of the NDPA-General Application and Implementation Directive 2025 (“NDPA-GAID”).

The principles of data processing are:

  1. Lawfulness, transparency, and fairness of processing
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Security
  7. Accountability

Lawfulness, Transparency & Fairness of Processing

The lawfulness principle states that all personal data must be processed lawfully. To be processed lawfully, the data controller must have a legal basis for processing the data. These legal bases include consent, contract, vital interest of the data subject or a third party, public interest, or the legitimate interest of the data controller (we will discuss these legal bases in detail in the next article).

Fairness implies that data processing must be fair. The NDPA-GAID describes fairness as freedom from prejudice and exploitation, and consistency with civil liberties in a democratic society. Fairness implies that data subjects must be able to understand what is happening with their personal data. It can also mean that data controllers should act ethically when processing personal data.

The last pillar of this principle dictates that personal data must be processed in a transparent manner in relation to the data subject. Transparency means that data controllers must notify data subjects about how their data is going to be used. It means that data controllers should provide information to data subjects before processing starts, keep information readily accessible to data subjects during processing, and make data available to their data subjects upon their request.

While lawfulness, fairness, and transparency might feel like three different principles, practically, they go hand in hand. You cannot fulfill the principle of fairness, for example, without honouring the principle of transparency. You cannot be fair in processing without finding a legal basis for processing. This is why they are often described as one.

Purpose Limitation

The principle of purpose limitation dictates that every purpose of processing must be defined before processing commences. The NDPA and the NDPA-GAID state that personal data should be collected for “specified, explicit, and legitimate purposes”, and data should not be “further processed in a way incompatible with the original purpose(s)”. Data processing for undefined and/or unlimited purposes is therefore unlawful.

While describing what this means, the NDPA-GAID mentions that the purpose must describe the declared and exact intention of the data controller (specified), the words used to describe the purpose of processing must be free from ambiguity (explicit), and the purpose must describe a bona fide intention of data processing (legitimate). Purposes which override the rights and interests of data subjects, are incompatible with public policy, or are outrightly illegal are illegitimate.

Example: A fintech company collects customers’ biometric data for the purpose of identity verification when opening a digital wallet. Under the purpose limitation principle, this biometric data cannot later be repurposed for unrelated activities — for example, the company cannot use the same fingerprints or facial scans for targeted advertising, credit scoring, or selling insights to third parties. These new processing purposes (advertising or credit scoring) will require a new and separate legal basis for processing. Permitted related uses of the biometric data may include fraud prevention, account recovery, or regulatory compliance (e.g., CBN KYC/AML requirements) since these are directly connected to the original purpose.

Please note that the key term here is compatibility. Further processing must be compatible with initial processing. A compatible further processing is one that makes it possible to achieve the original purpose or is an innovative progression of the original purpose. To determine compatibility, the data controller should take into account:

  1. any link between the original purpose and intended further purposes,
  2. the context in which personal data has been collected, particularly the reasonable expectations of the data subjects based on their relationship with the controller,
  3. the nature of the personal data,
  4. the consequences of the intended further processing for data subjects, and
  5. the existence of appropriate safeguards in both the original and intended further processing operations.

Important note: Both the GDPR & the NDPA permit further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Such further processing still requires appropriate safeguards like anonymisation or pseudonymisation.

Data Minimisation

This principle states that data processing must be limited to what is necessary to fulfil a legitimate purpose. Only such data that are adequate, relevant, and not excessive to the purpose of processing should be processed. The NDPA-GAID describes it this way: personal data should be “adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed.”

This principle aims to reduce the risk of excessive data collection for a particular processing purpose. For example, in hiring environments, only personal data necessary to move candidates further in the hiring process should be collected. Personal data, like annotated and certified copies of birth certificates, would be considered excessive for such a process.

Example: An e-commerce platform in Abuja requires customers to create an account to order household goods. To process the order, it legitimately needs the customer’s name, delivery address, phone number, and payment details. Collecting personal data like Bank Verification Number (BVN), National Identification Number (NIN), marital status, or religion would breach the principle of data minimisation.

Under data minimisation, organisations must ensure that only the data strictly necessary for the stated purpose is collected and processed, nothing more.

Data Accuracy

Accuracy implies that data controllers must ensure that all personal data is correct at all times. Controllers should not use information without taking steps to ensure, with reasonable certainty, that such data are up to date. Inaccurate data must therefore be erased or rectified without delay.

The NDPA-GAID says that data controllers should ensure that personal data is “accurate, complete, not misleading, and where necessary, kept up to date, having regard to the purposes” of processing.

This obligation to keep personal data accurate is contextual, that is, it is relative to the context of data processing. There are instances where updating stored personal data is legally prohibited (for example, medical records). This is because the purpose of storing data is to document events as a historical snapshot. It would therefore be inappropriate (and even illegal) to update medical records even if findings mentioned in the record later turn out to have been wrong.

Conversely, there are situations where it becomes absolutely necessary to regularly update and confirm the accuracy of personal data, due to the nature of the processing and having regard to the risks inherent in such processing operation. A good example of this is credit arrangements. Financial institutions ought to occasionally confirm that the creditworthiness of the customer is correct at every given time. This can be done by updating dedicated databases on the customer’s credit history.

Storage Limitation

Storage Limitation relates to the duration of processing. That is, personal data should not be stored (or retained) for longer than is necessary to achieve the lawful bases for which the data was collected. This means that personal data must be discarded as soon as the purpose of processing has been exhausted. Data controllers must use reasonable efforts to ensure that personal data is stripped of all identifiers after the purpose of processing has been achieved. This can be done by outright deletion or anonymisation. Data controllers must also specify a time limit for retention of personal data. These time limits should be subject to periodic review. This can be achieved by creating and monitoring data retention policies.

Using the example of the Abuja-based e-commerce platform referenced above, if the e-commerce company keeps customers’ personal data (name, delivery address, phone number, payment details) only for as long as it is needed to deliver the order, handle returns, and meet tax or regulatory obligations, and deletes or anonymises the personal data after order fulfilment, then the company has complied with the storage limitation principle. Conversely, if the platform were to keep delivery addresses and payment details indefinitely, even after the customer has closed their account and no legal requirement exists, it would be in breach of the storage limitation principle.

Important note: There are instances where the law requires longer storage of personal data (for example, in some jurisdictions, companies are obliged to store financial data and other tax information for seven years). The GDPR permits these exceptions if they are provided by law, respect the essence of fundamental rights and freedoms, and are necessary and proportionate for pursuing a limited number of legitimate aims. These aims would usually include protection of national security, protecting the rights and fundamental freedoms of others, investigating and prosecuting criminal offences, and so forth. In all of these cases, data controllers should always implement appropriate safeguards for the personal data.

Security

This principle requires controllers to implement appropriate technical or organisational measures during processing to ensure the integrity, availability, and confidentiality of personal data. This means that personal data must be protected against accidental, unauthorised or unlawful access, use, modification, disclosure, destruction or damage (this is known as a data breach). To determine a commensurate security measure, controllers should take into account the state of the art, the costs of implementation, the nature and scope of processing, and the risk inherent in the processing activity. It logically follows that sensitive personal data will require more stringent security measures than other categories of personal data. These appropriate organisational or technical measures could include anonymisation, pseudonymisation, encryption of data at rest and in transit, access controls, secure authentication, and so forth.

Accountability

Accountability dictates that data controllers and processors should actively and continuously comply with data protection obligations and principles. They should also be able to demonstrate accountability by keeping necessary records and documentation. Data protection is a self-assessment procedure. Controllers and processors must implement appropriate technical and organisational measures to show that they are compliant in all phases of data processing. This can be done by keeping records of processing activities, designating an independent data protection officer, undertaking necessary assessments for specific processing operations, ensuring data protection by design and default, and so forth.

This brings us to the end of our discussion on principles of data protection. In practice, these principles work together to set the foundation for lawful processing. Data controllers and processors must apply all of them consistently to demonstrate compliance. These principles also create concrete obligations, which we will discuss in detail in the next article.

 

Short Test

  1. Which principle requires that data must only be collected for specific, clear, and lawful reasons?

a) Data Minimisation

b) Accuracy

c) Purpose Limitation

d) Security

  2. Which of the following is a way to meet the security principle?

a) Keeping data forever in case it is useful later

b) Encrypting personal data both in storage and in transit

c) Collecting more data than necessary to be thorough

d) Ignoring risks if the data looks harmless

  3. If data is kept longer than necessary for its original purpose, this may breach the storage limitation principle. (True or False)

  4. Fairness in data processing means that data subjects must be able to understand how their personal data is being used. (True or False)

Bonus Question

  1. Which principle makes organisations responsible for proving that they follow data protection obligations?