Welcome again to our Data Protection and Privacy Knowledge Management Series and we hope you are learning a lot. In articles 5 – 8, we explored Data Protection Impact Assessments (DPIAs), the Nigeria Data Protection Act 2023’s General Application and Implementation Directive 2025 (NDPA-GAID 2025), cross-border data transfers, and compared data protection frameworks across Africa and the African Union.
In Article 9, we turn to a subject that every data protection professional must be prepared for: personal data breaches. Even the most compliant organisation can experience one, so every privacy professional needs a plan for handling them. The real test of accountability lies not in whether a breach happens, but in how quickly it is detected, contained, assessed and reported.
1. What is a Data Breach?
Section 65 of the Nigeria Data Protection Act (NDPA) 2023 describes a personal data breach as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There are three broad categories of data breaches:
| Type | Description | Example |
|---|---|---|
| Confidentiality breach | Data is disclosed to, or accessed by, an unauthorised person. | Sending payroll data to the wrong recipient. |
| Integrity breach | Data is altered or corrupted without authorisation. | Malware changing customer records. |
| Availability breach | Data is lost or becomes temporarily or permanently unavailable. | Server crash or ransomware attack. |
2. The NDPA’s Approach to Data Breach Management
The NDPA 2023 and the NDPA-GAID 2025 set out a structured regime for handling data breaches. Together they specify timelines, responsibilities, and documentation requirements for controllers and processors.
a. Processor’s Obligation to Notify
When a data breach occurs, the data processor must immediately inform the data controller once it becomes aware of the breach. The processor is also legally obliged to respond to all information requests from the controller, to enable the controller to meet their own notification obligations.
This early notification should include available technical details such as the nature of the breach, the likely impact, and steps already taken to contain it. This duty is provided under Section 40(1) of the NDPA and Article 33(2) of the NDPA-GAID 2025.
b. Controller’s Obligation to Notify
The data controller has the main responsibility for assessing and reporting breaches. Once aware of a breach (either directly or through a processor), the controller must determine whether the incident is likely to pose a risk, or a high risk, to the rights and freedoms of the affected data subjects. This is typically done through a documented data breach assessment.
Depending on the outcome, the controller must:
– where the breach is likely to result in a risk to data subjects, notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach;
– where the breach is likely to result in a high risk to data subjects, also communicate the breach directly to the affected data subjects (see section 3 below).
A breach that is not likely to result in any risk need not be reported, but it must still be recorded (see section 5 below). This procedure is provided in Sections 40(2) and 40(3) of the NDPA and expanded in Article 33 of the GAID.
3. Determining When a Breach is “High Risk”
The NDPA-GAID 2025 explains which factors may elevate a breach from risk to high risk. According to Article 33(2), controllers should consider:
– The type and sensitivity of personal data involved, especially if it includes biometric, health, or financial data.
– The number of individuals affected.
– The potential for identity theft, financial loss, or reputational damage.
– The ease with which the individuals can be identified from the data.
– The availability of safeguards such as encryption or pseudonymisation.
If these factors suggest that the breach could significantly affect individuals’ rights, the incident qualifies as high risk, requiring direct communication with the affected data subjects.
4. Contents of a Breach Notification
Section 40(3) of the NDPA states that the notification to data subjects must be written in plain and clear language, explaining the breach, the context of the breach, the safeguards the controller has put in place, and other measures the data subjects can take to protect themselves and their personal data.
Article 33(5) of the NDPA-GAID 2025 lists the specific information that must be included in a breach notification to the NDPC or to affected data subjects. The notification should include:
– A description of the nature of the breach, including the categories and approximate number of data subjects and records involved.
– The name and contact details of the Data Protection Officer.
– The likely consequences of the breach.
– The measures taken or proposed to address the breach and mitigate its effects.
– If the notification is made after the 72-hour window, the reasons for the delay.
If not all of this information is available immediately, the controller may submit the remaining details in phases, provided there is no undue delay.
5. Record-Keeping and Accountability
Both controllers and processors must keep a detailed record of all personal data breaches, regardless of whether those breaches were reported to the NDPC (section 40(8), NDPA). This record is typically called a (Personal) Data Breach Register. This record should include:
– The facts of each breach.
– The impact(s) of each breach.
– The remedial action(s) taken, including notification of data subjects and supervisory authorities.
Maintaining this record helps organisations demonstrate compliance with the accountability principle in section 24 of the NDPA, and it supports internal learning and process improvement.
6. Building a Response Plan
Every organisation should have an internal breach response plan that clearly defines roles, escalation procedures, and communication channels. The plan should include:
- Detection and Containment – Isolate affected systems and prevent further unauthorised access or data loss.
- Internal Reporting – Report immediately to the Data Protection Officer or incident response team, and record the time the organisation became aware of the breach, since the 72-hour clock runs from that point.
- Risk Assessment – Evaluate whether the breach presents a risk or a high risk to the affected individuals, using the Article 33(2) factors.
- Notification – Notify the NDPC within 72 hours where there is a risk, and communicate directly with affected data subjects where the risk is high.
- Documentation – Keep a full record of the event, the assessment and the decisions taken, whether or not the breach was reportable.
- Review – Assess what went wrong and improve technical and organisational measures.
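The assessment, notification and record-keeping steps above lend themselves to a small triage tool that a DPO or incident response team can run against each incident. The following Python is an added example written for this article; it is not part of the NDPA, the GAID or any NDPC tooling. It encodes the decision described in sections 2 to 5: score the Article 33(2) factors, derive whether the NDPC and the data subjects must be notified, compute the 72-hour deadline from the moment of awareness, and append an entry to a breach register for every incident, reportable or not. The scoring weights and thresholds in `assess_risk` are an illustrative assumption, not a test the legislation prescribes, and the sample incidents are constructed.

```python
"""Breach triage and register helper (added example, not NDPC tooling).

Risk weights in assess_risk() are an illustrative assumption, not the
statutory test. Sample incidents in __main__ are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

NDPC_WINDOW = timedelta(hours=72)          # s.40(2): notify NDPC within 72h of awareness
SPECIAL_CATEGORIES = {"biometric", "health", "financial"}   # Art. 33(2) sensitive data


class Risk(str, Enum):
    NONE = "no risk"
    RISK = "risk"
    HIGH = "high risk"


@dataclass
class Breach:
    breach_type: str          # "confidentiality", "integrity" or "availability"
    data_categories: set      # e.g. {"contact", "financial"}
    subjects_affected: int
    identifiable: bool        # can individuals be identified from the exposed data?
    protected: bool           # encrypted/pseudonymised and the key was not exposed
    aware_at: datetime        # when the controller became aware (UTC)
    facts: str


def assess_risk(b: Breach) -> Risk:
    """Weigh the Article 33(2) factors. Weights are an assumption for illustration."""
    if b.protected and not b.identifiable:
        return Risk.NONE                       # data is unintelligible to whoever holds it
    score = 0
    if b.data_categories & SPECIAL_CATEGORIES:
        score += 2                             # sensitivity of the data
    if b.subjects_affected >= 1000:
        score += 1                             # number of individuals affected
    if b.identifiable:
        score += 1                             # ease of identification
    if not b.protected:
        score += 1                             # no safeguard mitigates the exposure
    if score >= 4:
        return Risk.HIGH
    return Risk.RISK if score >= 2 else Risk.NONE


@dataclass
class Obligations:
    risk: Risk
    notify_ndpc: bool
    ndpc_deadline: Optional[datetime]
    notify_subjects: bool


def derive_obligations(b: Breach) -> Obligations:
    """Risk -> NDPC within 72h (s.40(2)); high risk -> also data subjects (s.40(3))."""
    risk = assess_risk(b)
    notify_ndpc = risk in (Risk.RISK, Risk.HIGH)
    deadline = b.aware_at + NDPC_WINDOW if notify_ndpc else None
    return Obligations(risk, notify_ndpc, deadline, risk is Risk.HIGH)


def hours_remaining(ob: Obligations, now: datetime) -> Optional[float]:
    """Hours left before the NDPC deadline; negative means the reasons for delay must be given."""
    if ob.ndpc_deadline is None:
        return None
    return (ob.ndpc_deadline - now).total_seconds() / 3600


def record(register: list, b: Breach, ob: Obligations, remedial: str) -> dict:
    """Append the facts, impact and remedial action (s.40(8)) for every breach, reported or not."""
    entry = {
        "facts": b.facts,
        "breach_type": b.breach_type,
        "subjects_affected": b.subjects_affected,
        "impact": ob.risk.value,
        "ndpc_notified_by": ob.ndpc_deadline.isoformat() if ob.ndpc_deadline else "not required",
        "subjects_notified": ob.notify_subjects,
        "remedial_action": remedial,
        "updates": [],                         # details supplied later in phases (Art. 33(5))
    }
    register.append(entry)
    return entry


def add_update(entry: dict, when: datetime, detail: str) -> None:
    """Record a phased follow-up to the initial notification."""
    entry["updates"].append({"at": when.isoformat(), "detail": detail})


if __name__ == "__main__":
    t0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    samples = [   # constructed incidents, not real events
        Breach("confidentiality", {"contact", "financial"}, 1, True, False, t0,
               "Payroll spreadsheet emailed to the wrong recipient"),
        Breach("confidentiality", {"contact"}, 200, True, False, t0,
               "Newsletter sent with all recipient addresses visible"),
        Breach("confidentiality", {"contact"}, 120, False, True, t0,
               "Encrypted laptop lost in transit; key held in HSM"),
    ]
    register = []
    for b in samples:
        ob = derive_obligations(b)
        e = record(register, b, ob, remedial="Contained; affected systems isolated")
        print(f"{b.facts[:48]:<48} {ob.risk.value:<10} NDPC by {e['ndpc_notified_by']}")
```

Run as a script, the three constructed incidents come out as high risk (NDPC and data subjects), risk (NDPC only) and no risk (register entry only), with the NDPC deadline fixed at 72 hours after `aware_at`. The point of the register entry for the third case is that section 40(8) requires a record even when nothing is reported.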
7. Why This Matters
Timely and transparent management of data breaches is essential for compliance and trust. Reporting within the required timeframe and keeping accurate records show accountability and preparedness. Failure to notify or unjustified delay can attract administrative sanctions under section 48 of the NDPA and could damage public trust in the organisation’s data practices.
Thank you for following this series so far. In the next article, we will discuss how to build a privacy programme for your startup or MSME.
Short Test
1. Who must first notify whom when a processor becomes aware of a data breach?
a) Controller notifies processor
b) Processor notifies controller
c) NDPC notifies both
d) None of the above
2. Within how many hours must a controller notify the NDPC of a reportable breach?
a) 24 hours
b) 48 hours
c) 72 hours
d) One week
3. True or False: All breaches must be reported to the NDPC, regardless of risk level.
4. What must every controller and processor maintain internally, even for unreported breaches?
a) Data inventory
b) Breach register
c) Compliance certificate
d) DPIA record
5. Which of the following factors helps determine whether a breach is high risk?
a) Sensitivity of the data involved
b) Type of computer used
c) Number of staff in the organisation
d) Colour of company logo