Assess your organisation's compliance with African data protection laws. Covers POPIA (South Africa), NDPA (Nigeria), DPA (Kenya), and DPA (Ghana).
Data protection legislation across Africa has rapidly matured in recent years. South Africa's Protection of Personal Information Act (POPIA) became fully enforceable in July 2021. Nigeria replaced its NDPR with the comprehensive Nigeria Data Protection Act (NDPA) in 2023. Kenya's Data Protection Act 2019 is actively enforced by the ODPC. Ghana's Data Protection Act 2012 was one of the continent's earliest comprehensive data protection laws.
These laws share common principles derived from international standards: lawful processing, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability. They all require organisations to have a lawful basis for processing personal data, provide transparency through privacy notices, respect data subject rights, implement appropriate security measures, and manage cross-border data transfers responsibly.
For businesses operating across multiple African markets, compliance can be complex. Each jurisdiction has its own registration requirements, breach notification timelines, and specific rules around cross-border transfers. A pan-African compliance strategy should identify the strictest requirements and build baseline compliance around those, with country-specific additions where needed.
Common compliance gaps include: lack of a formal privacy policy, failure to register with the relevant authority, no documented data breach response plan, inadequate third-party processor agreements, and no mechanism for handling data subject access requests. This checklist helps you identify these gaps quickly and prioritise your compliance efforts.
Yes, if you process the personal information of South African data subjects. POPIA applies to any "responsible party" that processes personal information in the context of activities in South Africa, regardless of where the processing physically occurs. This is similar to the GDPR's extraterritorial reach.
Under POPIA, every responsible party must designate an Information Officer (and can appoint deputy Information Officers). Under the NDPA, organisations processing large volumes of personal data must appoint a DPO. Kenya's DPA requires a DPO for organisations processing sensitive data or monitoring individuals systematically.
This workspace turns the privacy compliance command check result into a reusable matter note, dashboard item and gated PDF checklist. Use the app first, then save the evidence trail.
Benchmarked against Termly, OneTrust and enterprise consent platforms. The goal is not to copy them; it is to bring the useful workflow pattern into an Africa-first tool with official-source caution and local evidence capture.
This older compliance checker should function as a fast triage layer across NDPA, POPIA and Kenya DPA before users move into the deeper country-specific tools.
Before filing, signing, publishing, or sending anything, keep a short record that links the app result to evidence and official-source checks.
Save the country or regime, parties, dates, amounts, selected options, and final output. Add a note on why this matters: which law is the main risk driver for the product, customer base or data location.
Map personal data categories, purposes, vendors, countries and retention periods first. Also keep the strongest supporting document, receipt, portal reference, ID, contract, policy, or court file beside the generated result.
If you see this risk, pause and get qualified help: treating POPIA, NDPA and Kenya DPA as identical because the checklist score is high.