Introduction
A data breach occurs when unauthorised entities gain entry to, disclose, or steal sensitive and confidential information. These breaches can take various forms, including cyber attacks, insider threats, or accidental data exposure. In essence, a data breach compromises the integrity and security of data, and the potential harm extends far beyond the stolen information itself. In today’s technology driven commercial environment, data is an essential tool for strategic growth and commercial leverage. However, this increased reliance on technology has occurred simultaneously with a rise in cyberattacks, which exposes sensitive information to unauthorised parties and poses significant risks to privacy, financial security and reputation of organisations.
Organisations are now faced with strict data protection obligations, including ensuring fair processing, appointment of a data protection officer where necessary, and taking the appropriate steps in the event of a breach. These obligations are all geared toward ensuring that the constitutional right to privacy and all other data subjects’ rights are safeguarded.
Responding To Data Breaches
When a data breach occurs, time becomes your adversary. Organisations have an obligation to act decisively to contain damage, protect data subjects, and align with statutory obligations under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Commission’s General Application and Implementation Directive 2025 (GAID). Following a data breach, data processors and controllers are guided by the following steps:








