As Nigeria strengthens its data protection framework through the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025, employers and HR professionals are facing new legal and ethical responsibilities in handling employee data.
From recruitment and onboarding to workplace monitoring and exit processes, compliance is no longer optional — it is now a core part of HR practice. Speaking in an exclusive interview with Anchor News, Alicia Adefarasin, Labour and Employment Lawyer and Senior Counsel at Dentons ACAS-Law, said the laws have placed HR departments at the centre of compliance, warning that failure to adhere could attract heavy penalties and erode employee trust. “Protecting employee data is no longer just best practice; it’s now a legal requirement with real consequences,” Adefarasin said.
“HR must handle employee information with the same seriousness as payroll, pensions, or tax compliance.” She explained that the NDPA and GAID were introduced to strengthen Nigeria’s data privacy system and safeguard employees’ rights in the digital workplace. HR professionals, she said, are on the frontline of compliance because they manage sensitive data from recruitment to exit.Adefarasin noted that data privacy should form part of an organisation’s HR strategy, not just a box-ticking exercise. “Mishandling employee data can damage an organisation’s brand,” she said. “But companies that respect privacy show deeper respect for their staff and attract top talent, especially among Gen Z and Millennial workers.”
She also explained that the new rules extend to employee monitoring tools such as CCTV, email tracking, and biometric systems. According to her, while such monitoring is not banned, it must be transparent and proportionate. Employers are now required to conduct Data Protection Impact Assessments (DPIAs) for high-risk activities and inform staff about any surveillance in place. “Employee monitoring isn’t prohibited, but it’s highly regulated,” she said. “Employers must have a clear reason — not just convenience — and be transparent about what they monitor.”
On biometric data, Adefarasin said fingerprints and facial recognition are now classified as sensitive personal data and require explicit consent separate from employment contracts. Employers must justify the need and provide alternatives for staff who object.
She advised HR departments to be especially cautious during recruitment and onboarding, recommending that employers issue a Recruitment Privacy Notice outlining what data is collected, why it is collected, and how long it will be stored.
Under the NDPA, she explained, consent is no longer the main basis for processing employee data because of the unequal power balance between employers and employees. Instead, HR should rely on legitimate interest or contractual necessity for data processing.
Highlighting common compliance mistakes, Adefarasinmentioned over-collection of data, poor record-keeping, and lack of privacy assessments. She urged HR teams to conduct regular data audits, train staff, and collaborate with Data Protection Officers (DPOs).
She also drew attention to the Self-Notification and Guidance (SNAG) system introduced under the GAID 2025, which allows organisations to resolve privacy complaints internally before regulators step in.
Penalties for non-compliance, she said, could reach ₦10 million or 2% of annual gross revenue for serious offences, while minor violations attract fines of up to ₦2 million. Beyond fines, Adefarasin warned that reputational damage and business disruptions remain the biggest risks.
“Non-compliance doesn’t just create legal and financial risks,” she said. “It undermines employee trust and business continuity.”
She concluded by urging HR leaders to embed privacy into their processes and build awareness across teams.
“Data privacy is now part of HR’s identity,” Adefarasin said. “HR professionals must make it a culture, not just a compliance checklist.”
