Category: Compliance. Tags: compliance, Nigeria, startup, regulatory, NDPR, GDPR, international expansion, fintech, data protection

The Compliance Roadmap: From Nigerian Startup to International Scale

Ekfix Team · Verified Feb 19, 2026

Nigerian technology companies face a compliance sequencing problem: invest in compliance infrastructure too early and divert resources from product development; invest too late and face the cost of retrofitting compliance into a codebase that was not designed with it in mind. The answer is a staged roadmap that builds compliance proportional to the actual risk level at each growth stage.


Disclaimer

This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing; verify current regulations with the relevant authorities.


The compliance landscape for Nigerian technology companies has changed fundamentally since NDPR enforcement began in 2019.¹ A company operating five years ago could build its product, reach meaningful scale, and address compliance retrospectively. Today, compliance gaps discovered at scale (in a regulatory investigation, during due diligence for investment, or when entering a regulated contract) are more expensive to remediate and carry greater regulatory risk than they would have been if addressed earlier.

The answer is not to build enterprise compliance infrastructure from day one. That would be as impractical as it sounds. The answer is a staged roadmap: compliance built proportionally to the business's actual risk exposure at each stage, with clear triggers that identify when to move to the next level.


Stage 1: Pre-Revenue / Early Product (0–₦5M ARR)

At this stage, the company has limited users (typically under 5,000), limited data volume, and limited regulatory exposure. The compliance investment is about establishing foundations that will be much more expensive to retrofit later.

NDPR Minimum Baseline

Privacy policy: A legal document describing what personal data you collect, why, how it is processed, who it is shared with, and what rights users have. This is required by NDPR from the day you collect personal data, which for most applications is day one (account registration requires a name and email at minimum). The privacy policy should be genuinely descriptive of your actual practices; a copied template that does not match what you do is not compliant and is also not useful.

Data processing notice at collection: Every point where you collect personal data should have a notice explaining what you are collecting and why. Registration forms, contact forms, payment flows.

Consent mechanisms: Where consent is the legal basis for processing (newsletters, marketing communications, analytics), consent must be recorded: what was consented to, when, and through which mechanism. A checkbox is not sufficient evidence; the system must record the consent event.

Data retention: Identify how long you will retain personal data and implement a mechanism to delete it. NDPR requires data not to be retained longer than necessary for the purpose for which it was collected. This is not an abstract statement: you need a schedule.
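The consent and retention requirements above translate directly into two small pieces of code: an append-only consent ledger that stores the event itself (purpose, time, mechanism, policy version) rather than a boolean, and a retention sweep driven by a written schedule. The following is an added example, not code from the article or from Ekfix; the purposes, retention periods, mechanism labels and the reference time `T0` are constructed sample values, and a real schedule is set with legal counsel.

```python
"""Consent events and a retention schedule: added example, not the article's code.

Constructed assumptions: an in-memory ledger, sample purposes, sample retention
periods and mechanism labels. A real schedule is set with legal counsel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DAY = timedelta(days=1)
T0 = datetime(2026, 2, 19, tzinfo=timezone.utc)  # constructed reference time

# Retention schedule: how long each category is kept once it is no longer
# needed for its purpose (sample periods, not figures from the article).
RETENTION = {
    "account": 365 * DAY,    # after the account is closed
    "marketing": 180 * DAY,  # after marketing consent is withdrawn
    "analytics": 90 * DAY,   # after the event was recorded
}


@dataclass
class ConsentEvent:
    user_id: str
    purpose: str         # what was consented to ("marketing", "analytics", ...)
    granted: bool        # True for consent given, False for withdrawn
    at: datetime         # when
    mechanism: str       # through which mechanism ("signup_checkbox", "settings_toggle")
    policy_version: str  # which privacy policy text the user actually saw


class ConsentLedger:
    """Append-only log: withdrawal is a new event, never an edit of the old one,
    so the evidence trail for any purpose can be reproduced later."""

    def __init__(self):
        self.events: List[ConsentEvent] = []

    def record(self, user_id, purpose, granted, mechanism, policy_version, at):
        ev = ConsentEvent(user_id, purpose, granted, at, mechanism, policy_version)
        self.events.append(ev)
        return ev

    def evidence(self, user_id, purpose):
        """Every consent event for this user and purpose, oldest first."""
        return [e for e in self.events if e.user_id == user_id and e.purpose == purpose]

    def has_consent(self, user_id, purpose):
        trail = self.evidence(user_id, purpose)
        return bool(trail) and trail[-1].granted  # the latest event decides


def may_process(ledger, user_id, purpose):
    """Gate for consent-based processing: no recorded consent, no processing."""
    return ledger.has_consent(user_id, purpose)


@dataclass
class DataRecord:
    user_id: str
    category: str
    value: str
    inactive_since: Optional[datetime] = None  # None while still in active use


def retention_sweep(records, now):
    """Split records into (kept, deleted) according to RETENTION.
    The caller deletes the second list and logs that it did so. Records still
    in active use, or in a category with no schedule entry, are kept."""
    kept, deleted = [], []
    for rec in records:
        limit = RETENTION.get(rec.category)
        expired = (rec.inactive_since is not None and limit is not None
                   and now - rec.inactive_since >= limit)
        (deleted if expired else kept).append(rec)
    return kept, deleted
```

The point of `evidence()` is that it answers the question a regulator or auditor asks: not "is this user opted in?" but "show me when and how they opted in, and which policy text they saw". A category with no entry in `RETENTION` is deliberately never deleted by the sweep, so an unscheduled category shows up as data that keeps growing rather than as data silently lost.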

Cost at Stage 1: ₦150,000–₦400,000 for legal drafting of privacy policy and data processing notices. Technical implementation of consent recording and data deletion can be minimal at early scale.

Security Fundamentals

  • HTTPS everywhere (TLS termination at your edge)
  • Passwords hashed with a modern algorithm (bcrypt, Argon2), never stored in plaintext or with weak encryption
  • Authentication tokens with appropriate expiry
  • Role-based access control at least rudimentarily implemented
  • Dependency vulnerability scanning (automated, integrated into CI pipeline)
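Three of the fundamentals in the list above (password hashing, expiring authentication tokens, and rudimentary role-based access control) fit in one short module, shown here as an added example that is not code from the article or from Ekfix. It assumes the standard-library `hashlib.scrypt` as a stand-in for bcrypt or Argon2 (both need third-party packages; scrypt is memory-hard in the same way, and the salt-plus-parameters storage pattern is identical), and the token secret, TTL and role table are constructed sample values.

```python
"""Stage 1 security fundamentals: added example, not the article's code.

Assumptions: hashlib.scrypt (standard library) stands in for bcrypt/Argon2;
the token secret, TTL and the role-to-permission table are constructed.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# --- Password storage ----------------------------------------------------------
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # cost parameters, stored with each hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "scrypt$n$r$p$salt$digest". The salt is random and per password, and
    the parameters travel with the hash so they can be raised for new hashes later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"], b64(salt), b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if scheme != "scrypt":
        return False
    got = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                         dklen=32, n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(got, base64.b64decode(digest_b64))


# --- Authentication tokens with expiry ----------------------------------------
TOKEN_SECRET = os.urandom(32)  # constructed; production keys come from a secrets manager
TOKEN_TTL_SECONDS = 15 * 60    # short-lived access token; refresh is a separate flow


def issue_token(user_id: str, role: str, now: float) -> str:
    """HMAC-signed token carrying subject, role and an absolute expiry time."""
    claims = {"sub": user_id, "role": role, "exp": int(now) + TOKEN_TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode("utf-8")).decode("ascii")
    sig = hmac.new(TOKEN_SECRET, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(TOKEN_SECRET, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature is checked before the body is trusted at all
    claims = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    if now >= claims["exp"]:
        return None  # expired
    return claims


# --- Rudimentary role-based access control ------------------------------------
PERMISSIONS = {
    "user":    {"read:own_profile", "delete:own_account"},
    "support": {"read:own_profile", "read:any_profile"},
    "admin":   {"read:own_profile", "read:any_profile", "delete:any_account", "export:all"},
}


def is_allowed(claims: Optional[dict], permission: str) -> bool:
    """Deny by default: an invalid token or an unknown role grants nothing."""
    if claims is None:
        return False
    return permission in PERMISSIONS.get(claims.get("role"), set())
```

Two design points worth keeping even when the real system uses bcrypt or Argon2 and a JWT library: comparisons of secrets go through `hmac.compare_digest`, never `==`, and `is_allowed` returns `False` for anything it does not recognise, so a new role added to the token issuer without a matching entry in `PERMISSIONS` can do nothing rather than everything.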

Stage 2: Growth Stage (₦5M–₦100M ARR)

The company now has significant user scale (typically 5,000–100,000 users), is generating meaningful revenue, and may be handling sensitive data categories, payment information, or health data depending on the sector.

NDPR Full Compliance

Data Protection Impact Assessment (DPIA): Required under NDPR Article 2.4 for high-risk data processing. If your product processes sensitive personal data (health information, financial information, biometric data), a formal DPIA is required before or shortly after you begin that processing.

Data breach notification process: NDPR requires notification of data breaches to NITDA within 72 hours of discovery. You need a documented incident response process that triggers this notification, and you need to have tested it.

Data subject rights administration: Users have the right to access their data, correct it, and request deletion. Implement a mechanism (a user portal or a support process) that handles these requests within the required 30-day response window.
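A support process or user portal for these requests needs three things behind it: a single registry of every table that holds personal data (so an export or erasure cannot miss one), an audit trail that outlives the erasure itself, and a clock against the 30-day window the paragraph cites. The following is an added example, not code from the article or from Ekfix; the store, its tables, the records and the request date `T0` are constructed sample values.

```python
"""Data subject rights administration: added example, not the article's code.

Assumptions: an in-memory store whose top-level keys are the tables holding
personal data; sample records and dates are constructed. The 30-day window
is the response window the article cites.
"""
import json
from datetime import datetime, timedelta, timezone

RESPONSE_WINDOW = timedelta(days=30)
T0 = datetime(2026, 2, 19, tzinfo=timezone.utc)  # constructed request date


def sample_store():
    """Constructed sample data. Every table holding personal data must appear
    here: a table missing from the store is silently skipped by exports and
    erasures, which is the usual way these processes fail an audit."""
    return {
        "profiles": {"u1": {"name": "Ada", "email": "ada@example.com"}},
        "orders": {"u1": [{"id": 17, "total_ngn": 4500}]},
        "support_tickets": {"u1": [{"id": 3, "text": "Cannot log in"}], "u2": []},
    }


class SubjectRights:
    def __init__(self, store):
        self.store = store
        self.open = {}   # request_id -> {"kind", "user_id", "requested_at"}
        self.audit = []  # append-only; outlives erasure as proof the request was handled

    def open_request(self, request_id, kind, user_id, requested_at):
        self.open[request_id] = {"kind": kind, "user_id": user_id, "requested_at": requested_at}
        return requested_at + RESPONSE_WINDOW  # the deadline the team must meet

    def overdue(self, now):
        """Open requests whose window has already closed."""
        return sorted(rid for rid, r in self.open.items()
                      if now > r["requested_at"] + RESPONSE_WINDOW)

    def _close(self, request_id, now, **detail):
        req = self.open.pop(request_id)
        entry = {"request_id": request_id, "kind": req["kind"], "user_id": req["user_id"],
                 "fulfilled_at": now.isoformat(),
                 "on_time": now <= req["requested_at"] + RESPONSE_WINDOW}
        entry.update(detail)
        self.audit.append(entry)
        return entry

    def access(self, request_id, now):
        """Right of access: everything held about the subject, in a portable form."""
        user_id = self.open[request_id]["user_id"]
        export = {t: rows[user_id] for t, rows in self.store.items() if user_id in rows}
        self._close(request_id, now, tables=sorted(export))
        return json.dumps(export, sort_keys=True)

    def rectify(self, request_id, table, field, value, now):
        """Right to correction: change one field and record what it was before."""
        user_id = self.open[request_id]["user_id"]
        old = self.store[table][user_id][field]
        self.store[table][user_id][field] = value
        self._close(request_id, now, table=table, field=field, previous=old)
        return old

    def erase(self, request_id, now):
        """Right to deletion: remove the subject from every table; only the audit entry remains."""
        user_id = self.open[request_id]["user_id"]
        removed = [t for t, rows in self.store.items() if rows.pop(user_id, None) is not None]
        self._close(request_id, now, tables=removed)
        return removed

    def still_held(self, user_id):
        """Post-erasure check: which tables still reference the subject (should be none)."""
        return [t for t, rows in self.store.items() if user_id in rows]
```

`still_held()` is the check to run after every erasure and to wire into a periodic job: if a new table is added to the product without being added to the store registry, this is where the gap becomes visible. The `on_time` flag in each audit entry gives the compliance owner a direct count of requests that slipped past the window.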

NDPR registration: Data controllers handling sensitive personal data categories are required to register with the Nigeria Data Protection Commission (NDPC), established under the Nigeria Data Protection Act 2023 to take over NITDA's data protection functions. Verify whether your data processing activities trigger this obligation.

Payment Security

If you handle cardholder data (card numbers, CVV, cardholder name), PCI DSS compliance is mandatory.² For most Nigerian businesses, the correct architecture is to use a compliant payment gateway (Paystack, Flutterwave) and keep cardholder data out of your own systems entirely, limiting your PCI DSS scope to SAQ A (Self-Assessment Questionnaire A, the simplest level).

If your business model requires storing or processing cardholder data (recurring billing with card-on-file), engage a PCI DSS Qualified Security Assessor (QSA) at Stage 2.

Employment and HR Compliance

  • Employee data protection policy (employees are data subjects under NDPR)
  • PAYE and pension (PFA/PRA) obligations; these attract significant penalties if non-compliant
  • Staff contracts that include IP assignment and confidentiality clauses

Cost at Stage 2: ₦500,000–₦1,500,000 for legal and compliance work (DPO engagement or data protection audit), plus engineering time for compliance feature implementation.


Stage 3: Scale / Regulated Operations (₦100M+ ARR or Regulated Sector)

At this stage, the company may be operating in a CBN-regulated sector (fintech, digital banking), processing large volumes of sensitive data, or seeking investment from international investors or corporate clients who will conduct compliance due diligence.

CBN/SEC Regulatory Licensing

Financial technology operations require specific CBN licences depending on service type:

  • Payment service providers: Payment Solution Service Provider licence (PSSP)
  • Mobile money operators: Mobile Money Operator licence
  • Credit/lending: CBN approval or partnerships with licensed entities
  • Securities and investment products: SEC registration

Licensing requirements, minimum capital requirements, and ongoing compliance obligations are substantial and require specialist regulatory legal counsel. Budget ₦3M–₦8M for the licensing process including legal fees and minimum capital requirements.

ISO 27001 or SOC 2

Enterprise customers in Nigeria and internationally increasingly require evidence of a formal information security management system before entering contracts. ISO 27001 certification or a SOC 2 Type II report³ demonstrates that your security controls have been externally assessed and meet defined standards.

(An earlier article in this series covers ISO 27001 vs SOC 2 in detail for Nigerian technology companies.)

ISO 27001 certification: ₦2.5M–₦6M including consultancy, gap remediation, and certification audit.

SOC 2 Type II: More commonly required for international enterprise customer sales.

International Market Entry

GDPR (EU): If you serve EU residents, GDPR applies regardless of where you are incorporated. At minimum: update privacy policy to GDPR standards, appoint an EU representative, map data processing activities, and ensure transfers out of the EU are handled with appropriate mechanisms (Standard Contractual Clauses).

CCPA (California): For US residents in California, basic CCPA rights compliance if you meet the revenue or data volume thresholds.

Country-specific requirements: Expansion to other African markets triggers local data protection law obligations. South Africa (POPIA), Kenya (Data Protection Act), Ghana (Data Protection Act) all have their own requirements. The GDPR-adjacent frameworks (South Africa and Kenya) are the most established.


The Sequencing Principle

The compliance roadmap is not primarily a list of boxes to check. It is a risk management tool. The sequencing principle is: address compliance obligations in proportion to the risk they represent at your current stage.

An NDPR privacy policy is low-cost and immediately obligatory, so it belongs in Stage 1. CBN licensing is high-cost and only relevant if you are operating in a regulated activity, so sequence it when you reach that activity. ISO 27001 is a significant investment required by large enterprise customer contracts, so sequence it when those contracts are being actively pursued.

Over-investing in compliance before the triggering conditions exist diverts engineering and legal resources from product development. Under-investing creates technical debt that is expensive to remediate and regulatory risk that crystallises at the worst possible time.

The company that builds compliance foundations at Stage 1, expands them systematically at Stage 2, and prepares for regulated operations at Stage 3 is positioned to move through each stage without compliance blocking growth. The company that ignores compliance until Stage 3 and then scrambles to retrofit it spends 3–5× more for the same outcome and takes longer to get there.

Build it in order. Start small. Add complexity only when the risk justifies it.




Sources

  1. Nigeria Data Protection Regulation (NDPR) 2019, issued by NITDA; Nigeria Data Protection Act (NDPA) 2023; Nigeria Data Protection Commission (NDPC), ndpc.gov.ng
  2. PCI Security Standards Council, pcisecuritystandards.org
  3. ISO/IEC 27001:2022 standard; AICPA SOC 2 framework
  4. CBN licensing framework, Payment Solution Service Provider (PSSP) licence