Assess your organisation's compliance with African data protection laws. Covers POPIA (South Africa), NDPA (Nigeria), DPA (Kenya), and DPA (Ghana).
Data protection legislation across Africa has rapidly matured in recent years. South Africa's Protection of Personal Information Act (POPIA) became fully enforceable in July 2021. Nigeria replaced its Nigeria Data Protection Regulation (NDPR) with the comprehensive Nigeria Data Protection Act (NDPA) in 2023. Kenya's Data Protection Act 2019 is actively enforced by the Office of the Data Protection Commissioner (ODPC). Ghana's Data Protection Act 2012 was one of the continent's earliest comprehensive data protection laws.
These laws share common principles derived from international standards: lawful processing, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability. They all require organisations to have a lawful basis for processing personal data, provide transparency through privacy notices, respect data subject rights, implement appropriate security measures, and manage cross-border data transfers responsibly.
For businesses operating across multiple African markets, compliance can be complex. Each jurisdiction has its own registration requirements, breach notification timelines, and specific rules around cross-border transfers. A pan-African compliance strategy should identify the strictest requirements and build baseline compliance around those, with country-specific additions where needed.
Common compliance gaps include: lack of a formal privacy policy, failure to register with the relevant authority, no documented data breach response plan, inadequate third-party processor agreements, and no mechanism for handling data subject access requests. This checklist helps you identify these gaps quickly and prioritise your compliance efforts.
Yes, if you process the personal information of South African data subjects. POPIA applies to any "responsible party" that processes personal information in the context of activities in South Africa, regardless of where the processing physically occurs. This is similar to the GDPR's extraterritorial reach.
Under POPIA, every responsible party must designate an Information Officer (and can appoint deputy Information Officers). Under the NDPA, organisations processing large volumes of personal data must appoint a Data Protection Officer (DPO). Kenya's DPA requires a DPO for organisations processing sensitive data or monitoring individuals systematically.