Alicia Adefarasin is a Labour and Employment Lawyer and Senior Legal Counsel at Dentons ACAS-Law. Her expertise spans employment, data protection, fintech, and corporate regulatory advisory and compliance. Known for her insightful approach to the evolving regulatory landscape and cross-border compliance, Alicia supports both local and international clients—including start-ups, SMEs, and multinational corporations—in maintaining compliance in Nigeria.
With a hands-on approach to employment law matters, Alicia advises on workforce compliance, restrictive covenants, disciplinary and termination processes, and workplace policies that align with evolving data protection regulations and enforceable labour practices in Nigeria. She also assists employers with the preparation, drafting, and review of workplace policies, procedures, and agreements. Her focus on data protection ensures clients are well prepared for both Nigerian and global privacy standards. In this exclusive interview, Anchor News speaks with Alicia to unpack the Data Protection Framework under the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025—what the new laws mean for Nigerian employers, how HR can navigate them effectively, and why employee data protection is fast becoming a core pillar of workplace trust.
From your perspective as a labour and employment lawyer, what is the biggest change HR professionals need to understand under the NDPA 2023 and GAID 2025?
The biggest change for HR professionals is that protecting employee data is no longer just a “best practice”; it is now a legal requirement with real consequences. HR professionals must now handle employee personal data with the same seriousness as payroll, pensions, or tax compliance.
This is not simply an IT problem or something legal teams manage behind the scenes. HR is now at the frontline of data compliance under the NDPA and GAID. This shift requires a new mindset: data privacy is now a core part of HR compliance and operational risk management. Ignoring this can lead to fines, legal problems, reputational damage, and loss of employee trust.
Why should HR leaders treat workplace data privacy as more than just a legal requirement but also a strategic HR issue?
Workplace data privacy should no longer be seen as a compliance checkbox but as part of a modern HR strategy. As employees become more data-aware—especially in this era of digital surveillance and remote work monitoring—they are asking tougher questions about how their personal data is handled, from recruitment to exit.
Mishandling employee data could damage an employer’s brand and culture. In contrast, privacy-respecting practices demonstrate respect for employees and help attract and retain top talent, particularly younger, digitally savvy Gen Z and Millennial workers who value data ethics. Just as consumers prefer brands that protect their personal information, candidates value employers who protect employee data.
Ultimately, integrating data privacy into HR strategy signals that the organisation is not only legally compliant but also ethically grounded and future-ready. I see it as a strategic investment in trust, talent, and long-term organisational health.
How do the new laws affect employee monitoring practices such as CCTV, email checks, or biometric attendance systems?
The NDPA 2023 and GAID 2025 significantly reshape how Nigerian employers approach monitoring practices such as CCTV, email surveillance, and biometric attendance systems. A common misconception must be clarified: employee monitoring is not prohibited, but it is now highly regulated. Workplace surveillance—whether through CCTV, email tracking, keyloggers, access logs, or biometric scanners—involves processing personal data and must comply with the NDPA and GAID. Employers must have a clear reason for monitoring, inform employees about what is being monitored, and ensure such monitoring remains proportionate.
CCTV use is permitted, but cameras should not be installed in private spaces, and signage must clearly inform employees and visitors about CCTV use. Employers must conduct a Data Protection Impact Assessment (DPIA) if CCTV use is extensive or could significantly affect individual rights. Storage and access to CCTV footage must be secure and limited to authorised personnel. For email, browser history, or system monitoring, employers must disclose these practices clearly, for example, in an Acceptable Use Policy or IT Monitoring Policy. Monitoring must be proportionate to a legitimate business purpose, such as cybersecurity or compliance, and should avoid overreach. Personal emails or private browsing, even on company systems, may still be protected unless expressly prohibited. Consent should not be relied upon as the sole legal basis, particularly if monitoring is intrusive or ongoing. Biometric data—such as fingerprints or facial recognition—is considered sensitive personal data and subject to stricter rules. Employers must obtain explicit consent separate from the employment contract, prove necessity, and offer alternatives where possible. All monitoring data must be securely stored, accessed only by authorised staff, deleted when no longer needed, and auditable by regulators.
In recruitment and onboarding, what specific steps must HR take to ensure that data collected from job applicants and new hires is compliant?
Recruitment and onboarding are high-risk stages for personal data processing because they involve sensitive, high-volume information often handled quickly. HR must therefore implement clear, lawful, and documented procedures. A Recruitment Privacy Notice should be shared early with all applicants—preferably within online forms or portals—and should explain what data is collected, why, for how long, who it is shared with, and how applicants can exercise their rights. HR should only collect necessary data and avoid irrelevant questions such as religion, marital status, or national ID unless legally required. For optional data such as disability status, explicit consent must be obtained with a clear purpose statement. When collecting health data, biometric information, or conducting background checks, informed consent is crucial. Employers must also have a data retention policy—for example, deleting applicant data within six to twelve months after hiring—and inform candidates of this timeline. Access to applicant data should be limited to those directly involved in recruitment, with sensitive files protected by passwords and encryption. If third-party platforms (such as recruitment software or psychometric tools) are used, HR must ensure data processing agreements are in place and that vendors comply with NDPA principles, especially for data stored outside Nigeria.
Consent is no longer always valid for processing employee data. How should HR structure policies and notices to stay compliant without over-relying on consent?
Under the NDPA 2023, consent is not the primary lawful basis for processing employee data because of the inherent power imbalance in the employment relationship. HR professionals should instead rely on legitimate interest or contractual necessity as the legal basis for processing data related to employment contracts, payroll, benefits, and compliance.
Privacy notices must clearly state the lawful basis for each processing activity. HR should avoid making consent appear mandatory when it is not. Where consent is required, it must be freely given, informed, and specific.
What are the most common mistakes employers are likely to make under these new rules, and how can HR avoid them?
Common mistakes include collecting excessive data, misusing consent, failing to respond to employee requests (such as access or deletion) within statutory timeframes, and neglecting proper documentation. Many organisations also fail to maintain an updated Record of Processing Activities (RoPA) as required under GAID 2025 or to conduct DPIAs when introducing new HR technologies. To avoid these pitfalls, HR should:
The GAID 2025 introduced the SNAG mechanism. How should HR prepare for and respond to employee privacy complaints before they escalate to regulators?
The SNAG mechanism (Self-Notification and Guidance) allows organisations to handle data subject complaints internally before NDPC intervention. HR should establish a clear complaint process and assign a privacy contact person or team. Complaints should ideally be resolved within 7–21 days. Managers must be trained to identify and escalate privacy-related issues early, and all complaints should be documented. Employees should also be informed about the SNAG process in company policies or employee handbooks.
Consent is no longer always valid for processing employee data. How should HR structure policies and notices to stay compliant without over-relying on consent?
Under the NDPA 2023, serious violations may attract administrative fines of up to 2% of annual gross revenue or ₦10,000,000, whichever is higher. Minor breaches may attract fines up to ₦2,000,000 or corrective enforcement notices. Beyond financial penalties, non-compliance can lead to reputational damage, public enforcement notices, loss of employee trust, whistleblowing, suspension of HR systems, and costly audits or legal action. Non-compliance therefore threatens not just finances but also business continuity and employee relations.
Finally, what advice would you give HR professionals to future-proof their policies and avoid being caught off guard as enforcement becomes stricter?
HR professionals should embed data protection into all HR processes and technologies from the start. They should review and update privacy documentation regularly, prioritise employee awareness, and collaborate with IT and legal teams to ensure holistic compliance. Keeping up with NDPC updates and investing in HR-specific data protection training will ensure HR professionals are not only compliant but confident in handling employee data responsibly.

