
Legal And Regulatory Implications Of The GDPR On Business Organizations: Basic Compliance Strategies For Non-EU Entities


The GDPR is the first of its kind. Prescribing heavy penalties, enforced uniformly across the EU and applicable extraterritorially, it is no doubt a super regulation. Whilst it is incontrovertible that non-EU entities that process the personal data of EU citizens/residents must comply with the provisions of the GDPR, it should be noted that the application of the Regulation will have to be subject to extant local legislation across different jurisdictions.

In Nigeria, entities that serve EU citizens and residents, while taking the above recommended steps for compliance, will have to consider applicable statutory provisions relating to the processing of personal data. For instance, while the rights of data subjects to restrict the processing/transfer and disclosure of their personal data without consent may be in sync with extant regulatory and constitutional provisions in Nigeria, the right of erasure of personal data after withdrawal of consent by data subjects will not be absolute, as certain entities are required to retain information, including personal data, collected in the ordinary course of business for a specified number of years.

For instance, a financial institution in Nigeria is required under the Money Laundering (Prohibition) Act to preserve the record of a customer’s identification for a period of at least five (5) years after the closure of the account or the severance of relations with the customer. A bank is similarly required under the Anti-Money Laundering and Combating the Financing of Terrorism (Administrative Sanctions) Regulations of the Central Bank of Nigeria (CBN AML/CFT Regulations) to retain transaction information containing particulars of customers and, in some cases, forward same to certain regulatory agencies. Also, a Credit Bureau is required under the Credit Reporting Act to first retain credit information of persons for a period of not less than six (6) years, after which such information shall be archived for a further period of ten (10) years before it can be destroyed. Further, a service provider is required, under the Cybercrimes (Prohibition, Prevention, etc.) Act, to retain all traffic data and subscriber information, as may be prescribed by the relevant authority for communication services in Nigeria, for a period of two (2) years.

These obligations will necessarily limit the rights of EU data subjects, especially the right to withhold consent and the right of erasure. However, it is instructive to note that these statutory limitations are recognized under the “Restrictions” in Article 23 of the GDPR.

We note that while enforcement of the GDPR will be easy within the EU, the same cannot be said of other jurisdictions outside the EU. No doubt, it will be easier to sanction EU affiliates of Nigerian entities that contravene the GDPR. It is therefore imperative that multinationals ensure that their Nigerian subsidiaries/affiliates are in full compliance. Also, the issue of proportionality will obviously be taken into consideration in view of the challenges involved in extraterritorial enforcement, and large-scale infringers are more likely to be targeted than small-scale infringers.

The Grey Matter Concept is an initiative of the law firm, Banwo & Ighodalo

DISCLAIMER: This article is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm. Specialist legal advice should be sought about the readers’ specific circumstances when they arise.