Data Sovereignty for African Businesses: Where Your Data Lives, Who Controls It

Ekfix Team | Verified Feb 19, 2026

Data sovereignty is rapidly moving from a compliance abstraction to a contractual requirement and an operational reality for African businesses. Understanding where your data actually lives — not where your cloud provider says their servers are — is the starting point for genuine sovereignty.

Disclaimer

This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing — verify current regulations with the relevant authorities.

"Our data is in the cloud" means very little as a statement of data governance. The cloud is a collection of physical servers, located in specific buildings, in specific countries, subject to specific laws, accessible to specific government agencies under specific legal frameworks.

When the Nigerian Data Protection Commission's regulations specify that personal data of Nigerian residents should not be stored or processed outside Nigeria without appropriate safeguards¹, "in the cloud" is not an adequate description of compliance posture. The question is: in which cloud, in which region, subject to which country's laws?

Data sovereignty is not primarily a technology concern. It is a governance concern about who has the right to access, compel production of, or govern your data — and whether that authority is accepted by your organisation, your customers, and the regulators you answer to.


What Data Sovereignty Actually Means

Data residency: Where data is physically stored. A database in AWS af-south-1 (Cape Town) stores data in physical servers in South Africa, subject to South African law. A database in AWS us-east-1 (Virginia) stores data in physical servers in the United States, subject to US law — including the CLOUD Act, which allows US authorities to compel cloud providers to produce data regardless of where it is physically located.

Data sovereignty: The ability of a nation, organisation, or individual to govern their data according to their own laws and preferences — independent of the governance claims of other jurisdictions. A Nigerian company storing sensitive financial data in a US cloud provider is subject to both Nigerian law (through FIRS and CBN requirements) and US law (through the CLOUD Act and the provider's terms of service).

Data localisation: A regulatory requirement that specific categories of data must be stored and processed within a defined geographic jurisdiction. Nigeria's NDPR includes data localisation requirements for certain sensitive personal data. CBN's circulars have included localisation requirements for financial sector data.


The Nigerian Regulatory Landscape

NDPR / NDPC requirements: The Nigeria Data Protection Regulation requires that personal data processed in Nigeria be stored or transferred with appropriate safeguards. Cross-border transfers to countries without adequate protection require explicit legal mechanisms (consent, contractual clauses, binding corporate rules).

CBN data localisation: The CBN's risk-based cybersecurity framework and circulars to financial institutions include requirements for transaction data and customer financial data to be stored on equipment located within Nigeria. Banks and fintechs operating under CBN supervision are required to ensure Nigerian customer transaction data is processed and stored locally for regulatory access purposes.

NITDA guidance: The National Information Technology Development Agency has issued data protection implementation frameworks that reference local storage requirements for government-related data and sensitive personal information.

The enforcement trend: Regulatory enforcement of data localisation requirements in Nigeria has been limited to date, but the direction is clearly toward stricter requirements rather than relaxation. International precedent (China's data localisation laws, Russia's data localisation requirements, India's Digital Personal Data Protection Act 2023³) suggests that African regulators will increasingly require local data residency as digital economies mature.


Assessing Your Current Data Residency

Most Nigerian businesses operating on cloud infrastructure have data in multiple countries without a clear map of where each category of data resides. A data residency audit works through four steps:

Step 1: List all systems storing data

  • Primary business applications (ERP, CRM, accounting)
  • Communication tools (email provider, collaboration tools, CRM email history)
  • Analytics tools (Google Analytics stores data in US/EU; Cloudflare Analytics stores at edge)
  • Payment processors (Paystack, Flutterwave — where is their database?)
  • Backup systems

Step 2: Determine physical location for each

The cloud provider's documentation specifies which region stores data for each service. For managed SaaS tools, their privacy policy or DPA discloses storage location. If it is not documented, it is not governed — request documentation from the vendor.

Step 3: Categorise data by sensitivity and regulatory exposure

  • Customer personal data (high regulatory sensitivity — NDPC requirements apply)
  • Financial transaction data (very high — CBN requirements may apply)
  • Employee data (moderate — NDPC requirements apply, HR data)
  • Business operations data (lower regulatory sensitivity, commercial sensitivity)

Step 4: Evaluate compliance gap

For each high-sensitivity data category stored outside Nigeria or outside an approved jurisdiction: is there a valid legal mechanism for the transfer? (Contractual clauses with the vendor? Customer consent for their own data? BCRs for intra-group transfers?)
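The four audit steps can be kept as a machine-checkable data register. The sketch below is an added example, not code from the original article: the `lagos-colo` label, the `APPROVED` set, the finding names and the sample systems are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Region-to-country facts stated in the article; extend for your own providers.
REGION_COUNTRY = {"af-south-1": "ZA", "africa-south1": "ZA", "us-east-1": "US",
                  "lagos-colo": "NG"}  # "lagos-colo": made-up label for co-location
# Step 3 sensitivity tiers, as listed in the article.
SENSITIVITY = {"customer_personal": "high", "financial_transaction": "very high",
               "employee": "moderate", "business_operations": "lower"}
# Step 4 legal mechanisms named in the article.
MECHANISMS = {"contractual_clauses", "consent", "bcr"}
APPROVED = {"NG"}  # assumption: jurisdictions your counsel treats as approved

@dataclass
class Entry:
    system: str
    category: str
    region: Optional[str]           # None = vendor has not documented the location
    mechanism: Optional[str] = None

def evaluate(e: Entry) -> list[str]:
    """Return the findings for one register entry (empty list = no gap)."""
    country = REGION_COUNTRY.get(e.region) if e.region else None
    if country is None:  # Step 2: undocumented means ungoverned
        return ["LOCATION_UNDOCUMENTED: request storage location from vendor"]
    findings = []
    tier = SENSITIVITY[e.category]
    if tier in ("high", "very high") and country not in APPROVED:
        if e.mechanism not in MECHANISMS:
            findings.append(f"NO_TRANSFER_MECHANISM: {e.category} stored in {country}")
    if e.category == "financial_transaction" and country != "NG":
        findings.append("CBN_LOCALISATION_REVIEW: transaction data outside Nigeria")
    return findings

# Constructed sample register (systems and placements are illustrative only).
REGISTER = [
    Entry("crm", "customer_personal", "us-east-1"),
    Entry("ledger-db", "financial_transaction", "af-south-1", "contractual_clauses"),
    Entry("core-banking", "financial_transaction", "lagos-colo"),
    Entry("hr-saas", "employee", None),
    Entry("bi-warehouse", "business_operations", "us-east-1"),
]

def audit(register):
    """Map each system with at least one finding to its list of findings."""
    return {e.system: f for e in register if (f := evaluate(e))}

if __name__ == "__main__":
    for system, findings in audit(REGISTER).items():
        print(system, "->", "; ".join(findings))
```

An entry with a valid transfer mechanism can still be flagged for CBN review, because a contractual safeguard does not satisfy a localisation requirement.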


Technical Architecture for Data Sovereignty

Option 1: Cloud region selection for data residency

Major cloud providers offer Africa-region options. Selecting an African region for your database and storage does not guarantee Nigerian sovereignty, but it places data under an African legal jurisdiction that is closer to Nigeria than the US or EU options:

  • AWS af-south-1 (Cape Town, South Africa): South African Data Protection Act² jurisdiction
  • Google Cloud africa-south1 (Johannesburg, South Africa)
  • Microsoft Azure South Africa (generally available since 2019)

These regions satisfy the physical data residency requirement of storing data on the African continent while using major cloud infrastructure. They do not satisfy a strict Nigerian data localisation requirement (the servers are in South Africa, not Nigeria).

Option 2: Nigerian co-located infrastructure

For organisations with strict Nigerian data residency requirements (financial institutions, government-adjacent organisations, healthcare), co-location in a Nigerian data centre is the technically clearest solution:

  • MainOne (Lagos, acquired by Equinix in 2022): Tier III data centre, fibre connectivity, managed hosting options
  • Rack Centre (Lagos): Tier III data centre with UPS, generator, cooling
  • SCM Group: Data centre operations in Lagos and Abuja

Co-location places physical servers in Nigeria under Nigerian legal jurisdiction. The operational costs and responsibilities are higher than managed cloud services — but for organisations where regulatory compliance on data residency is a hard requirement, co-location is often the correct answer.

Option 3: Hybrid architecture

A practical compromise: Nigerian-sensitive data (customer personal data, transaction data) stored in Nigerian co-located infrastructure or at minimum af-south-1; operational and analytics data that is not personally identifiable stored in lower-cost cloud infrastructure.

This requires architectural separation of data categories — not simply storing everything in the same database.


Cloud Provider Contractual Considerations

When cloud providers process personal data of Nigerian individuals as part of your service (running your application, storing your database), they are acting as a data processor under NDPC frameworks. The Data Processing Agreement (DPA) with the provider specifies:

  • Location of data processing and storage
  • Security obligations of the processor
  • Sub-processor list (third parties the provider uses to deliver the service)
  • Data breach notification obligations
  • Data return and deletion on contract termination

Most major cloud providers (AWS, Google Cloud, Microsoft Azure) publish standard DPA templates and have GDPR-compliant DPAs that provide a reasonable basis for NDPC-compliant processing. Smaller or less well-documented providers may not have adequate DPA terms, so reviewing them is a due diligence step before committing sensitive data to any service.


The Practical Priority

For most Nigerian businesses in 2026:

  1. Map where your data actually lives — the audit process above, documented as a data register
  2. Ensure a valid legal mechanism for cross-border transfers — DPAs with cloud providers, NDPC-compliant transfer provisions in customer-facing contracts
  3. Migrate the highest-sensitivity data to the most appropriate location — financial transaction data to Nigerian infrastructure if CBN requirements apply; customer personal data to at minimum African-region cloud if strict local requirements are not triggered
  4. Monitor regulatory developments — NDPC enforcement guidance and CBN cybersecurity circulars are evolving. Data sovereignty requirements are more likely to become stricter than to relax.

The businesses that will be least disrupted by stricter data sovereignty regulations are the ones who have done the architecture work to understand and control their data geography before the enforcement arrives.


Sources

  1. Nigeria Data Protection Act (NDPA) 2023 / NDPC
  2. South Africa Protection of Personal Information Act (POPIA) 2013
  3. Kenya Data Protection Act 2019
  4. India Digital Personal Data Protection Act 2023
  5. EU GDPR, General Data Protection Regulation 2016/679
  6. African Union Convention on Cyber Security (Malabo Convention) 2014