Commission Moves to Deepen Sectoral Data Privacy

Othniel Canice, Abuja

The Nigeria Data Protection Commission (NDPC) has commenced the development of sector-specific data protection and privacy frameworks for the telecommunications, financial services and hospitality sectors.

This is part of efforts to strengthen compliance with the Nigeria Data Protection Act (NDPA).

Speaking at a stakeholder engagement in Abuja, the National Commissioner and Chief Executive Officer of the NDPC, Dr. Vincent Olatunji, said the initiative reflects the Commission’s commitment to collaborative rule-making and stakeholder-driven regulation.

“We believe in co-creation. Whatever we develop must be owned by stakeholders. Before issuing any regulation or guideline, we engage with industry players, the private sector, public institutions, civil society organisations, and multinational companies to obtain their input,” he said.

He noted that the participatory approach was instrumental in the drafting of the Nigeria Data Protection Act (NDPA), which he described as one of the most progressive data protection laws globally.

The National Commissioner highlighted the Commission’s independence, stressing that the NDPA empowers the NDPC to issue regulations, conduct investigations, and impose sanctions without requiring approval from any external authority.

“Our independence as a data protection authority allows us to act decisively and effectively. We are accountable to the law and committed to protecting the rights of Nigerians.”

Olatunji explained that while existing data protection regulations provide broad guidance applicable across sectors, the unique nature of data processing activities in different industries necessitates tailored frameworks.

“The requirements for data protection compliance in the financial sector are different from those in education, healthcare, hospitality, or telecommunications. To deepen privacy protection, we need sector-specific guidelines that address the realities of each industry.”

He described the telecommunications, financial services, and hospitality sectors as strategic priorities due to the volume of personal data they process daily.

In the telecommunications industry, he noted that mobile services reach more than 85 per cent of Nigerians, making the sector one of the largest repositories of personal information in the country.

“A significant portion of our daily lives now depends on mobile devices and digital communication. This makes the telecommunications sector extremely important from a data protection perspective.”

On the financial sector, Olatunji pointed to the rapid expansion of traditional banks and digital financial service providers.

He cited the growing customer bases of fintech companies such as PalmPay, OPay, and Moniepoint as evidence of increasing financial inclusion and the vast amounts of personal and financial data being processed.

He noted that the hospitality sector also handles substantial volumes of personal information through hotels, event centres, restaurants, and tourism-related services, making robust privacy safeguards essential.

The Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, described the stakeholder engagement as a strategic milestone in advancing data privacy and protection in Nigeria.

He traced the legal foundation of privacy rights to the 1999 Constitution, which guarantees citizens’ right to privacy as a fundamental freedom.

“Every organisation has a binding obligation to implement appropriate technical and organisational measures to safeguard personal data and protect the privacy rights of individuals,” Bamigboye said.

He disclosed that the Commission had conducted more than 15 desk reviews and focus group discussions, as well as evaluations involving over 40,000 data controllers and processors through compliance audits and registration exercises.

According to him, findings from these engagements confirmed that each sector faces unique data protection challenges that require tailored regulatory responses.

Bamigboye identified key areas covered by the proposed frameworks, including lawful bases for data processing, data subject rights, cross-border data transfers, binding corporate rules, codes of conduct, data mapping, privacy governance, and emerging technologies.

He said the NDPC’s objective is to move organisations beyond mere documentation and toward a culture of compliance where respect for data protection principles becomes embedded in everyday business operations.

“The goal is to create an environment where violations of data protection standards are viewed not merely as legal breaches but as unacceptable cultural practices,” he said.

Providing insight into the proposed Hospitality Data Protection Framework, cybersecurity expert and stakeholder representative Abdul-Hakeem Ajijola of Consultancy Support Services (CS2) emphasized that trust remains the foundation of the hospitality industry.

He observed that hospitality businesses now function within a vast interconnected data ecosystem where personal information flows through booking platforms, transportation services, payment providers, hotels, restaurants, ride-hailing applications, and online review systems.

“Hospitality today is no longer just about rooms and food; it is increasingly about data. Every reservation, payment, loyalty programme registration, CCTV recording, Wi-Fi login, and customer review involves personal data processing,” Ajijola said.

He estimated that Nigeria’s hospitality industry processes between 150 million and 300 million interaction-level records annually, making it one of the country’s largest personal data ecosystems.

Ajijola warned that routine operational practices such as collecting excessive customer information, sharing guest details through unsecured messaging platforms, retaining CCTV footage indefinitely, and storing data on overseas platforms without adequate safeguards could expose organisations to privacy risks and regulatory violations.

He explained that the framework seeks to eliminate uncertainty by clearly defining responsibilities and accountability across the hospitality value chain.

Importantly, he clarified that the framework does not create new legal obligations but translates existing provisions of the Nigeria Data Protection Act and the General Application and Implementation Directive into practical guidance for hospitality operators.

“The law tells organisations what must be done. The framework explains how to do it,” he said.

Ajijola further noted that the framework adopts a proportional, risk-based approach. Small guest houses and family-owned establishments will have simplified compliance obligations, while larger hotel chains, international hospitality brands, and digital booking platforms will face enhanced requirements, including regular audits and dedicated data protection personnel.

He outlined six key compliance expectations for hospitality operators: understanding what data is collected, why it is collected, where it is stored, who it is shared with, how it is protected, and how compliance can be demonstrated consistently.

The stakeholder engagement forms part of the NDPC’s broader strategy to develop sector-specific privacy frameworks across Nigeria’s economy. The Commission indicated that similar consultations are being conducted with stakeholders in other sectors, including e-commerce and security services.

Participants at the forum were encouraged to provide feedback, identify industry-specific concerns, and contribute practical recommendations that would help shape final regulations and implementation frameworks.

 
