POPIA, NDPR, Kenya DPA — What Every African Employer Must Know in 2026
If you employ people in South Africa, Nigeria, Kenya, Ghana, or Rwanda, your HR data is already covered by data protection law. These aren't future regulations — they are in force, they carry significant penalties, and regulators are starting to act.
The Five Laws You Need to Know
South Africa — POPIA (Protection of Personal Information Act)
In force since July 2021. Maximum penalty: R10 million or 10 years imprisonment for responsible parties. POPIA covers every piece of employee data you hold — names, ID numbers, payslips, performance records, disciplinary files.
Nigeria — NDPA (Nigeria Data Protection Act)
The NDPA came into force in June 2023, replacing the earlier NDPR framework. Maximum penalty: ₦10 million or 2% of annual gross revenue (whichever is higher). The Nigeria Data Protection Commission (NDPC) is actively issuing compliance notices.
Kenya — DPA (Data Protection Act)
In force since November 2019. Maximum penalty: KES 5 million or 1% of annual turnover. Kenya's Office of the Data Protection Commissioner (ODPC) has already investigated several organizations.
Rwanda — DPA (Law on the Protection of Personal Data)
In force since October 2021. Maximum penalty: RWF 5 million or 1% of annual turnover.
Ghana — DPA (Data Protection Act)
In force since 2012 — the oldest on the continent. Maximum penalty: GHS 60,000 plus 2 years imprisonment. Ghana's Data Protection Commission is one of the most active regulators in Africa.
What the Law Requires from HR
All five laws share a common framework, derived from international data protection principles:
1. Lawful basis for processing: You must have a documented reason to collect and store employee data. Employment contracts typically provide this basis — but you need them to be signed and stored.
2. Purpose limitation: Employee data collected for payroll cannot be used for marketing. HR data must stay in HR systems, not shared across teams without cause.
3. Data minimisation: Only collect what you actually need. Storing a photocopy of every page of every employee's passport when you only need their ID number is a compliance risk.
4. Right of access: Any employee can request a copy of all data you hold about them. You must be able to respond within 30 days (under POPIA) or 21 days (under NDPA). If your records are scattered across spreadsheets, WhatsApp chats, and filing cabinets, this is nearly impossible.
5. Right to deletion: When an employee leaves and their retention period ends — or if they formally request deletion — you must be able to permanently remove their data and document that you did so.
6. Audit trail: You must be able to show who accessed or changed employee data and when. This requires a proper HR system, not a shared spreadsheet.
7. Security: Employee data must be encrypted, access-controlled, and protected from unauthorised access. Storing payroll data in an unprotected Google Sheet does not meet this standard.
The Most Common Violations in African Businesses
In conversations with HR teams across the continent, the same issues come up repeatedly:
- No audit trail — nobody knows who changed what in the HR spreadsheet
- No access controls — the office manager can see the CEO's salary
- Scattered data — employee records split across email, WhatsApp, Dropbox, and spreadsheets
- No retention policy — data from employees who left 5 years ago is still sitting in the system
- No response process — no way to respond to a data access request in the legally required timeframe
What Happens If You're Non-Compliant?
Beyond the financial penalties, enforcement typically follows one of three triggers:
- An employee complaint — a former employee reports you to the regulator after a dispute
- A data breach — unauthorised access to employee data triggers a mandatory notification obligation
- A proactive audit — regulators are beginning to conduct sector-specific audits
In all three cases, being able to show a clean audit trail, proper access controls, and documented processes is the difference between a warning and a fine.
Getting Compliant Without a Compliance Team
Most African SMEs do not have a dedicated data protection officer. The good news is that compliance doesn't require one — it requires the right tools.
An HR system like Cedrios is built with these laws in mind from the ground up. Every employee record has an immutable audit trail. Access is controlled by a four-tier permission system. Data can be exported or deleted in minutes. Retention policies are configurable per country.
Compliance isn't a project you do once. It's a property of your systems.
Ready to fix your HR?
Cedrios is built for African businesses — compliant, simple, and free to start.