Africa's data protection landscape is no longer aspirational. Enforcement is active, regulators are issuing fines, and the legal obligations are real. We help organisations understand exactly what they owe under the laws of the jurisdictions where they operate, and build the compliance infrastructure to meet it.
Nine major African jurisdictions now have comprehensive data protection legislation in force. Each has its own definitions, timelines, registration requirements, and enforcement authority. Most were modelled loosely on GDPR but diverge in material ways: the lawful basis framework under Nigeria's NDPA differs from POPIA; Kenya's 21-day response window for data subject requests is stricter than most; Ethiopia's 2024 law creates obligations that remain partly untested.
Organisations operating across multiple African markets cannot treat data protection as a single compliance exercise. They need jurisdiction-specific analysis, calibrated to what each regulator actually requires and what enforcement looks like on the ground.
The $290 million fine imposed on Meta by Nigeria's NDPC in 2024 was the largest data protection penalty ever issued by a Global Majority regulator. The Kenyan High Court's suspension of Worldcoin operations followed a DPIA failure. Africa's data protection regulators are not passive.
We work from the primary sources: the legislation, the subsidiary regulations, the regulatory guidance, and the enforcement record. We do not produce generic compliance frameworks dressed up as Africa-specific work.
Our monitoring infrastructure tracks regulatory developments across all nine jurisdictions on a continuous basis. We read the enforcement decisions, attend to the guidance notes, and follow the regulatory correspondence. That operational depth informs everything we produce for clients.
We write for compliance professionals and in-house counsel: people who can read a legal analysis and need precision, not reassurance. Our deliverables are designed to be used directly, not to generate follow-on work.
A structured analysis of your organisation's current data protection posture against the requirements of each relevant jurisdiction. We identify what is missing, what is insufficient, and what is adequate. The output is a prioritised remediation roadmap.
Mandatory DPIAs under Kenya's DPA and triggered assessments under other frameworks. We conduct the assessment, document the findings, identify high-risk processing activities, and produce the record required by law.
Records of Processing Activities built to meet the requirements of each applicable framework. We map your data flows, identify the legal basis for each processing activity, and document retention periods, third-party transfers, and safeguards.
African data localisation requirements vary significantly. We analyse where your data flows, which transfer restrictions apply, what safeguards are required (adequacy decisions, standard contractual clauses, binding corporate rules), and what each regulator actually expects.
Breach notification timelines across the nine jurisdictions range from 24 hours to 72 hours. We build your incident response procedures, notification templates, and regulator communication protocols before you need them.
Ongoing monitoring of regulatory developments across your operating jurisdictions. Enforcement actions, new guidance, legislative amendments, and regulator communications, delivered as structured intelligence with compliance implications flagged.
We carry depth across the nine jurisdictions that collectively govern data protection for the majority of Africa's formal economy. All work is grounded in the primary legislation, not summaries of it.
If you are building your organisation's internal compliance capacity, the Africa Data Protection Compliance: A Practitioner's Guide course covers every core concept across all nine jurisdictions with real enforcement cases and jurisdiction-by-jurisdiction comparisons throughout.
Designed for in-house counsel and compliance officers. Launching April 2026.
Tell us about your organisation, the jurisdictions you operate in, and what you are trying to solve. We will tell you honestly whether and how we can help.