
When They Get Hacked: What Companies Are Actually Required to Do With Your Data

  • Writer: Ayomide "Mide" Alabi
  • May 6
  • 5 min read

You find out your bank was hacked the way most Nigerians do: a tweet, a WhatsApp forward, or a friend calling to say they just got a suspicious debit. Then you spend twenty minutes trying to figure out whether your information was compromised, whether anyone told you about it, and what you are supposed to do now. Usually, nobody told you anything.


That experience is common enough that it barely registers as outrage anymore. But it should, because the law actually requires companies to do better, and most of them are not doing it.


This piece is about what companies are legally obligated to do when your data is breached and what happens, in theory and increasingly in practice, when they don’t.


What counts as a data breach

The Nigeria Data Protection Act 2023 defines a personal data breach broadly. It covers any incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that a company holds or processes. So this is not just hacking.


A staff member accidentally emailing a customer database to the wrong address is a breach, as is an insecure server leaving your medical records visible to the internet, or a company sharing your information with a third party without authorization. The trigger is not the method; it is the outcome: a loss of control over your data.


The 72-hour rule

Under section 40 of the NDPA, once a data controller (the company responsible for deciding how your data is used) becomes aware of a breach that is likely to pose a risk to the rights and freedoms of data subjects, it must notify the Nigeria Data Protection Commission (NDPC) within 72 hours of that awareness.


Not 72 hours after the breach happened; 72 hours after the company knew about it. The distinction matters, because companies sometimes discover breaches weeks or months after the fact, and the clock starts ticking from the moment they find out.


The notification is not a casual heads-up or a "Hey, so we've been breached" type of statement. It must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, the contact details of whoever is responsible for handling it within the company, and the measures taken or proposed to address it. If the company cannot provide all of this information at once, the NDPA allows it to be provided in stages, but without undue delay.


If the breach is serious enough to pose a high risk to data subjects specifically, the company must also notify the affected individuals directly and do so immediately. Not in the next newsletter and not in a brief note buried in the app’s update log. Immediately, with clear information about what happened and what the person should do.


There is one narrow exception: where notifying individuals directly would require disproportionate effort, the company may instead issue a public notice through widely used media channels.


What companies must do before a breach even happens

The framework is not only reactive. Under sections 24 and 39 of the NDPA, companies are required to implement appropriate technical and organizational security measures before any breach occurs. The law does not prescribe exactly which measures; it works from a principles-based standard that considers the sensitivity of the data involved, the volume being processed, and the available technologies. But the measures the law explicitly contemplates include encryption, pseudonymization, regular security assessments, and backup and recovery systems.


For companies classified as data controllers of major importance (which under NDPC guidance includes any organization processing the personal data of more than 200 people within six months, as well as financial services firms, fintechs, and companies providing technology services commercially), the obligations are more demanding still. These organizations must appoint a Data Protection Officer, file annual compliance audit returns with the NDPC, and conduct data protection impact assessments for high-risk processing activities.


Every social media platform operating in Nigeria, every fintech, every streaming service and every bank falls into this category. They all know this. Whether they are complying is a different question.


What happens when they don’t

For a long time the honest answer was "not much." Nigeria had data protection rules before the NDPA, going back to the 2019 NDPR, but enforcement was limited and penalties were modest enough that non-compliance was a business risk many companies were willing to price in.


That calculation is changing.


In July 2025 the NDPC fined Multichoice Nigeria (the company behind DStv and GOtv) ₦766,242,500, following an investigation that found the company had processed subscriber data in ways the NDPC described as intrusive, unfair, unnecessary, and disproportionate, and had transferred Nigerian users' data abroad without meeting the legal requirements for cross-border transfers.


The fine came after Multichoice's remediation efforts were deemed unsatisfactory. The NDPC said explicitly that this failure to cooperate is what drove the penalty to that level.


More significantly, in April 2025 the Competition and Consumer Protection Tribunal upheld the $220 million fine that the FCCPC had imposed on Meta Platforms and WhatsApp in July 2024, at the end of a 38-month joint investigation by the FCCPC and NDPC into how WhatsApp's 2021 privacy policy update handled Nigerian users' data.


The tribunal found that Meta had denied Nigerians the right to control their own data, transferred and shared user data without authorization, and treated Nigerian users differently from users in other jurisdictions by giving them fewer protections while collecting the same data. A $220 million penalty, upheld on appeal, from a West African regulator, is not a figure that global companies can quietly absorb and move on from.


The NDPC has also launched sector-wide investigations into over a thousand organizations across banking, insurance, pension, and gaming, signaling that the Multichoice action was not an isolated event.


Under the NDPA, a data controller of major importance found in breach faces a fine of up to ₦10 million or 2% of annual gross revenue from the preceding financial year, whichever is higher. For a company turning over billions, 2% is the number that actually stings. For individuals within organizations who obstruct or fail to comply with NDPC orders, the law also provides for imprisonment of up to one year.


What this means for you

If a company that holds your data is breached, you are entitled to be told about it if there is a high risk to your rights, and you are entitled to be told quickly. You are also entitled to know the likely consequences and what you should do in response. If the company fails to notify you and you suffer harm as a result, the NDPA allows you to claim civil damages. You can also lodge a complaint directly with the NDPC under section 34 of the Act.


In practice, exercising these rights requires knowing they exist, which is why so many companies continue to get away with silent breaches and vague disclosures. A notification letter that says “we recently became aware of an incident affecting some user data” and nothing else is not compliance.


The standard the law sets is specificity: what data, what risk, and what you should do. If a company cannot meet that standard after a breach, the question worth asking is whether it was managing your data properly before one.


The bigger picture

Nigeria is in an interesting moment with data protection. The law is strong on paper, the regulator is becoming more assertive in practice, and the early enforcement actions have involved companies large enough that the fines are genuinely painful rather than cosmetic.


The question is whether that assertiveness sustains itself, and whether it reaches the smaller, domestic companies (the local fintech, the logistics app, the e-commerce startup) that collect just as much data and have far less compliance infrastructure than Multichoice or Meta.


For now, the most useful thing to know is this: if a company gets hacked and your data is involved, silence from them is not the end of the conversation. The NDPA gave you a right to information and a right to complain. The NDPC is, at least currently, listening.
