Data localisation compliance is about to become the defining data protection challenge for Nigeria’s financial sector. The Central Bank of Nigeria has drawn a firm line: by January 1, 2027, every bank, fintech, mobile money operator, and payment service provider operating in Nigeria must store and manage all payment transaction data locally. The directive is significant. It is timely. It is strategic. It is, in principle, the right approach to data sovereignty, regulatory oversight, and the protection of Nigerian consumers. It is critical in this increasingly complex digital payments landscape.
And it is about to produce an enormous wave of compliance theatre.
I am not dismissing the mandate. I truly welcome it, and I will explain why. But I have watched this pattern play out too many times to pretend it will not happen here. A regulatory deadline arrives. Organisations scramble. Documentation is updated, infrastructure is migrated, returns are submitted, and somewhere a certificate is filed. The box is ticked. The auditor is satisfied. But have the actual culture, governance, and human capacity needed to make the regulation meaningful changed at all from before the deadline? That is the real question.
Otherwise, it becomes compliance theatre. The 2027 data localisation deadline, on its own, is not enough. Organisations and regulators must be deliberate about preventing compliance theatre from taking root.
Let’s look at specifics. The CBN’s directive focuses, correctly, on where data is stored. Local servers. Nigerian infrastructure. Domestic processing. These are legitimate and important requirements. Data sovereignty is not just a bureaucratic preference in this digital era. It is a governance necessity. When payment transaction data generated in Nigeria is processed and stored on foreign servers, under foreign legal frameworks, Nigerian regulators lose meaningful oversight. Nigerian consumers lose meaningful protection. The ability to investigate, audit, and hold institutions accountable is fundamentally weaker when the data sits beyond the reach of Nigerian law.
So the localisation mandate is not the issue here. But, and this is a big but, localisation answers only one question: where is the data? It does not answer the questions that data protection practitioners, policymakers, and regulators should be equally concerned about. Who has access to it? Under what controls? What are the retention policies? How is consent managed? What happens when there is a breach? Is there a Data Protection Officer with genuine authority, or someone with that title and no real mandate? Is the institution’s leadership genuinely committed to data governance, or are they only committed to demonstrating compliance with the deadline? We must ensure substance, not theatre.
These are the issues that reveal whether an organisation is practising data protection or performing it. Genuine data localisation compliance requires answering and addressing all of them. It is not just the storage-location issue.
The risk I am identifying is not hypothetical. It is structural. There is a tendency for organisations under deadline pressure to do what organisations under deadline pressure always do. They simply focus on what is visible, what is measurable, and what they consider auditable. So, migrate the data. Update the policy. Submit the return. Check the box. But what about the deeper work of building data governance culture and training staff who genuinely understand their obligations? It also means empowering DPOs with real authority and embedding privacy considerations into how decisions are made. That work is slower, isn’t as visible, and is unlikely to appear on regulatory checklists by January 1, 2027.
As the one who developed Nigeria’s first NDPC national DPO certification, I consider the capacity question one of the most serious issues in Nigeria’s data protection space. It is indeed one of the most serious issues in Nigeria’s data protection space. The 2027 deadline could expose an uncomfortable truth: the country simply does not have enough qualified data protection professionals to support genuine compliance across the entire financial sector. And I don’t mean just DPOs with certificates. I’m talking about practitioners who understand risk assessment, breach management, data governance frameworks, and how to build compliance cultures in complex organisations.
The shortage of experienced practitioners, weak mentoring, and inconsistent training quality are undeniable despite the best efforts and committed leadership shown by the NDPC CEO and the institution. This is not a new problem. I have raised it before, and the NDPC has continually highlighted this gap. A hard regulatory deadline will make this suddenly, visibly urgent. Our goal now should be to turn this into a good thing.
This is precisely why the development of Nigeria’s first national DPO certification programme was so important, and why I advocated from the beginning that it be built around practical capability rather than theoretical knowledge. A DPO who can recite the definition of data minimisation but cannot manage an active breach, conduct a genuine data protection impact assessment, or challenge leadership on a risky data decision is not ready for what the 2027 deadline requires. And an organisation that hires such a person and calls itself compliant has simply performed compliance at the human capital level. That is theatre, not substance.
What genuine data localisation compliance requires between now and January 2027
- Infrastructure migration: necessary, but only the starting point, not the finish line
- Investment in human capacity: substantive development of professionals who understand what data protection actually demands, not box-ticking training or just paper certificate holders
- Executive buy-in beyond the IT budget: leadership engagement that goes further than approving server migration costs. Culture and mindset are just as critical.
- Governance structures with teeth: DPOs given real authority and real access, not just a title
- Honest assessment of current data practices: not just current data locations
For regulators, the question is equally important: what does compliance actually mean after January 1, 2027? Hopefully, it will not be limited to whether the data is on local servers. Even if the mandate achieves its infrastructure goal, it should not leave the governance gap entirely open and exposed. This moment should instead serve as a catalyst to deepen and improve data protection quality. Genuine regulatory oversight must look beyond the “where” to the “how”, and use this situation to examine and improve how data is governed, how breaches are managed, how rights are respected, and how accountability is maintained.
The 2027 deadline is an opportunity. It is creating urgency, investment, and attention in a sector that needed all three. But urgency without depth produces surface-level adherence. And compliance theatre, in the financial sector, with the volume and sensitivity of data now being generated by Nigeria’s digital payments sector, is not just a governance failure.
The risk is that the very people this regulation is supposed to protect will suffer the consequences.
Author: Jide Awe
Science, Technology and Innovation policy advisor.
Nigeria’s Inaugural Tech Mentor of the Year
Find him on LinkedIn: Jide Awe on LinkedIn
Find him on TikTok: Realjidaw on TikTok
Find him on Twitter: @jidaw