High-risk sectors such as fintech, healthcare, and financial services are likely to face increased scrutiny for data protection breaches in 2026, as regulatory enforcement in Nigeria becomes more aggressive, a data protection expert has warned.
Ademikun Adeseyoju, Head of Emerging Services at DataPro Limited, disclosed this at the weekend, noting that data protection compliance has moved from advisory to non-negotiable, with strict penalties now firmly in place.
According to him, enforcement by the Nigeria Data Protection Commission (NDPC) is expected to intensify, particularly in sectors that process large volumes of sensitive personal and financial data.
Under existing regulations, major data controllers and processors risk fines of up to ₦10 million or two per cent of annual gross revenue, whichever is higher, in addition to possible imprisonment. Smaller organisations face penalties of up to ₦2 million or two per cent of annual revenue for breaches.
Adeseyoju spoke in a statement announcing the commencement of DataPro’s 2026 Privacy Week, themed “Privacy in the Age of Emerging Technologies: Trust, Ethics, and Innovation.” He said the observance provides an opportunity to review Nigeria’s evolving data protection environment and prepare organisations for stricter regulatory demands.
He explained that 2025 marked a major turning point with Nigeria’s full transition from the Nigeria Data Protection Regulation (NDPR) to the statutory enforcement regime under the Nigeria Data Protection Act (NDPA) and the General Application and Implementation Directive (GAID) 2025.
“This shift signalled the end of guideline-based compliance and the beginning of mandatory, enforcement-driven regulation,” he said.
According to DataPro, the NDPC adopted a more assertive posture in 2025, publicly naming non-compliant organisations, particularly within the financial services sector, while landmark court rulings affirmed that privacy and transparency in personal data handling are constitutionally protected rights.
The courts also awarded significant damages to data subjects, reinforcing the principle that organisational size no longer provides immunity from accountability. Regulatory settlements with multinational technology companies further raised standards for behavioural advertising and data processing in Nigeria.
On cybersecurity, the firm noted that 2025 witnessed a surge in identity-driven cyberattacks, with threat actors increasingly targeting valid user credentials rather than technical system vulnerabilities. This shift, it said, has made strong access management systems essential for corporate resilience.
Looking ahead, DataPro projected that 2026 will be defined by board-level and executive ownership of data privacy, with compliance becoming a core governance issue rather than an IT-only concern.
“We expect an increase in individual claims and constitutional privacy actions. Organisations must be litigation-ready by preserving processing records and strengthening internal controls,” Adeseyoju said.
He added that as a licensed Data Protection Compliance Organisation (DPCO), DataPro is positioned to support organisations in meeting and sustaining their compliance obligations under the NDPA in 2026.
