How to Register With Data Protection Authorities in Nigeria and Kenya

If you’re a Paystack merchant operating in Nigeria or Kenya, data protection registration is now a required part of doing business. We know this process can feel overwhelming, especially if you’re just getting started.

This guide breaks it down step by step and helps you prepare the right information, even if you don’t have dedicated legal or compliance resources.

Data Protection Authorities in Nigeria and Kenya are increasing enforcement. Businesses are now expected to register with their local regulator and be ready to show proof of compliance when requested. In some cases, working with non-compliant businesses can also expose partners to regulatory risk.

Registering early helps you:

• Stay compliant with local data protection laws

• Avoid fines or enforcement actions

• Continue using Paystack without disruption

• Build trust with your customers

Before registering, you need to understand your role.

• Data Controller: You decide why and how personal data is used. Most merchants fall into this category.

• Data Processor: You process personal data on behalf of someone else, following their instructions.

In your relationship with Paystack, you are the Data Controller, and Paystack acts as a Data Processor. If your business also processes data internally, which is common, it’s often safest to register as both a Controller and a Processor.

How to decide if you’re a data controller or processor

Before starting registration in either country, gather the following:

• Your business registration details

• A valid company email address, not a personal email

• Details of your Data Protection Officer (DPO) or responsible contact

• A basic understanding of:

  • The types of personal data you collect

  • Why you collect it

  • How many customers or data subjects you serve

  • Whether you transfer data outside your country

• A list of basic security measures you use to protect data

You don’t need perfect documentation to start. You just need to understand your operations clearly.

In Nigeria, registration is done with the Nigeria Data Protection Commission (NDPC).

DPCOs are licensed professionals who can handle registration and ongoing compliance for you. If you’d like recommendations or guidance, you can email dpo@paystack.com.

1. Visit the NDPC portal and create an account using your company or DPO email address.

2. Verify your email address through the link sent to your inbox.

3. Read and accept the registration instructions and requirements.

4. Select whether you’re registering as an individual or an organisation.

   • Most merchants should select organisation.

5. Enter your RC number and confirm the auto-filled company details.

6. Provide information about:

   • Number of data subjects you serve

   • Types and purpose of personal data processed

   • Any cross-border data transfers

7. Enter details of your Data Protection Officer or responsible contact.

8. Select your security and organisational safeguards from the checklist.

9. Choose the correct registration category based on your data volume.

10. Verify your information, make payment, and submit your application.

After submission, you can download your registration certificate or provide a screenshot of your registration status as proof.

In Kenya, registration is done with the Office of the Data Protection Commissioner (ODPC).

1. Ensure you have a valid, correctly spelled business email address. Each entity must use a unique email.

2. Review the ODPC guidance on registering Data Controllers and Processors to choose the right category.

3. Prepare your documents in PDF format, including:

   • Business registration documents

   • Audited accounts or revenue statements for new businesses

4. Start your application on the ODPC portal and verify your email address.

5. Select whether you’re registering as a Data Controller or Processor.

6. Enter your organisation’s name exactly as it appears on official documents.

7. List the types of personal data you process, such as customer or employee data.

8. Explain the purpose of processing and any sensitive data collected.

9. Declare any cross-border data transfers and the countries involved.

10. Describe your technical and organisational security measures.

11. Select the correct employee and turnover category and upload supporting documents.

12. Make payment using one method and submit your application.

Once approved, you can download your registration certificate directly from the portal.

To support compliance checks, Paystack may request:

• A data protection registration certificate

• A registration number

• A screenshot showing ongoing registration

• A confirmation email from the regulator

Keeping these handy helps avoid delays.

• Use a company email address that won’t change if staff leave.

• Be honest and accurate when describing your data practices.

• If unsure, register as both a Data Controller and Processor.

• Don’t wait until enforcement begins. Early action is always easier.

If you need help or guidance at any stage, you can reach out to dpo@paystack.com or consult a qualified data protection professional.

Compliance doesn’t have to be complicated. Taking these steps now helps protect your business and keeps you ready for growth.