African data protection laws aren't suggestions. POPIA fines reach R10 million. NDPR penalties hit ₦10 million or 2% of revenue. If your employee records are in filing cabinets and WhatsApp groups, you're not compliant. You're just not caught yet.
In the last 5 years, every major African economy has passed data protection legislation. These laws apply to employee data — names, IDs, medical records, bank details, addresses. If you hold people's personal information, you're regulated.
| Country | Law | In force | Max penalty | HR data covered |
|---|---|---|---|---|
| South Africa | POPIA | July 2021 | Up to R10 million or imprisonment | Employee records, payslips, medical data, performance reviews, recruitment data |
| Nigeria | NDPR / NDPA | 2019 (NDPR), 2023 (NDPA) | Up to ₦10 million or 2% of annual revenue | Employee IDs, BVN, tax records, emergency contacts, disciplinary records |
| Kenya | DPA | November 2019 | Up to KES 5 million or 1% of annual turnover | National ID, KRA PIN, NSSF/NHIF numbers, leave records, contracts |
| Rwanda | DPA | October 2021 | Up to RWF 5 million or 1% of annual turnover | Employee records, identity documents, health data, employment history |
| Ghana | DPA | 2012 | Up to GH₵ 6,000 or imprisonment | Ghana Card numbers, SSNIT records, employment contracts, payroll data |
Contracts in a cabinet. IDs in a drawer. Medical records in a shared Google Drive folder. Phone numbers in WhatsApp. There's no single system of record — and no access controls on any of it.
The intern can open the HR folder and see disciplinary records. The receptionist can access medical certificates. There's no permission hierarchy — because the filing cabinet doesn't have one.
Someone changed a start date. Someone deleted a warning letter. Someone approved leave they shouldn't have. With Excel and paper, there's no way to know who, when, or why.
Under POPIA, NDPR, and DPA, any person can request a copy of all their data. When that request comes, you need to dig through 5 systems and 3 filing cabinets. If you can respond at all.
A former employee asks you to delete their data. How do you delete someone's information from a paper file, an Excel sheet, an email thread, and a WhatsApp group? You can't prove it's done.
A work permit expired 4 months ago. A safety certification lapsed. A contract was never renewed. Manual tracking means things slip through — and you only find out during an audit.
| Requirement | What it means | How Cedrios helps |
|---|---|---|
| Lawful processing | You must have a legal basis to collect and store employee data | Employment contracts and consent tracking built into onboarding flow |
| Purpose limitation | Data must only be used for the purpose it was collected | Structured data categories prevent misuse — HR data stays in HR |
| Access controls | Only authorised people should access personal data | 4-tier role-based access: Super Admin → HR Admin → Manager → Team Member. Sensitive data flag for medical and disciplinary records. |
| Data security | Personal data must be protected from unauthorised access, loss, or damage | TLS 1.2+ in transit, AES-256 at rest, bcrypt password hashing, multi-tenant isolation |
| Audit trail | You must be able to show who accessed or modified data and when | Immutable audit log of every action — create, update, delete, approve, export. Cannot be edited by anyone. |
| Right of access | Any person can request a copy of all data you hold about them | One-click data export generates a complete ZIP of all their data in under 5 minutes |
| Right to deletion | A person can request permanent deletion of their data | Permanent deletion with documented proof, logged in the audit trail |
| Data retention limits | You shouldn't keep data longer than necessary | Configurable retention policies per document category. Auto-flag documents past retention for review. |
| Breach notification | You must notify authorities and affected individuals of a data breach | Centralised system means you know exactly what data exists and who's affected — no guessing across 5 systems |
Cedrios doesn't have a ‘compliance add-on.’ Every feature is built with data protection in mind from the ground up. When you use Cedrios, you're compliant by default.
Every action logged permanently. Who did what, to which record, when, from where. Cannot be edited or deleted by anyone — not even Super Admins. Your evidence for any dispute or investigation.
Every create, update, delete, approve, and export — logged forever.
Four-tier permissions enforced across every module. Sensitive documents flagged and restricted. A manager cannot see medical records. An employee cannot see another's contract.
Super Admin → HR Admin → Manager → Team Member. Privacy by design.
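As an added illustration of the four-tier access model and the write-once audit trail described in the table and the paragraphs above (example code written for this page, not Cedrios's own implementation; the role names, record categories, user names and the hash-chaining of log entries are assumptions), the snippet below enforces "a manager cannot see medical records" and "an employee cannot see another's contract" and records every attempt, allowed or denied, in a log that has no update or delete path.

```python
# Added example (not Cedrios's code): four-tier roles, a sensitive flag, a hash-chained audit log.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
import hashlib
import json
GENESIS = "0" * 64  # prev_hash of the first entry; the chain is anchored here

class Role(IntEnum):  # ordered so `role >= Role.HR_ADMIN` means "HR Admin or above"
    TEAM_MEMBER = 1
    MANAGER = 2
    HR_ADMIN = 3
    SUPER_ADMIN = 4

@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str    # the employee the record is about
    category: str    # e.g. "contract", "medical", "disciplinary"
    sensitive: bool  # restricts the record to HR Admin and Super Admin

@dataclass(frozen=True)
class User:
    user_id: str
    role: Role
    reports: frozenset = frozenset()  # employee ids a manager oversees

@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    actor: str
    action: str
    record_id: str
    allowed: bool
    prev_hash: str   # hash of the previous entry: chains the log together
    entry_hash: str  # hash over this entry's fields, including prev_hash

def _digest(timestamp, actor, action, record_id, allowed, prev_hash):
    body = json.dumps([timestamp, actor, action, record_id, allowed, prev_hash])
    return hashlib.sha256(body.encode()).hexdigest()

class AuditLog:
    """Append-only: no update/delete method exists, and each entry commits to the one before it."""
    def __init__(self):
        self._entries = []

    def append(self, actor, action, record_id, allowed, timestamp=None):
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        digest = _digest(ts, actor, action, record_id, allowed, prev)
        entry = AuditEntry(ts, actor, action, record_id, allowed, prev, digest)
        self._entries.append(entry)
        return entry

    def entries(self):
        return tuple(self._entries)  # a snapshot; callers cannot mutate the log

    def verify(self):  # False if any entry was altered, reordered or removed
        prev = GENESIS
        for e in self._entries:
            expected = _digest(e.timestamp, e.actor, e.action, e.record_id, e.allowed, e.prev_hash)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

def can_read(user, record):
    """Sensitive: HR Admin or above. Otherwise admins see all, managers their reports, members themselves."""
    if record.sensitive:
        return user.role >= Role.HR_ADMIN
    if user.role >= Role.HR_ADMIN:
        return True
    if user.role == Role.MANAGER:
        return record.owner_id == user.user_id or record.owner_id in user.reports
    return record.owner_id == user.user_id

def read_record(user, record, log):
    """Log every attempt, allowed or denied, before enforcing the decision."""
    allowed = can_read(user, record)
    log.append(user.user_id, "read", record.record_id, allowed)
    if not allowed:
        raise PermissionError(f"{user.user_id} may not read {record.record_id}")
    return record

def demo():
    """Constructed sample data. Returns ({(user_id, record_id): allowed}, log)."""
    log = AuditLog()
    ama = User("ama", Role.TEAM_MEMBER)
    kofi = User("kofi", Role.TEAM_MEMBER)
    lerato = User("lerato", Role.MANAGER, frozenset({"ama", "kofi"}))
    ngozi = User("ngozi", Role.HR_ADMIN)
    contract = Record("doc-1", "ama", "contract", sensitive=False)
    medical = Record("doc-2", "ama", "medical", sensitive=True)
    decisions = {}
    for user, record in [(ama, contract), (kofi, contract), (lerato, contract),
                         (lerato, medical), (ngozi, medical)]:
        try:
            read_record(user, record, log)
            decisions[user.user_id, record.record_id] = True
        except PermissionError:
            decisions[user.user_id, record.record_id] = False
    return decisions, log
```

Denied attempts are logged as well as successful ones, so the trail answers "who tried to open medical records", not only "who succeeded". The log class exposes no way to edit or drop an entry, and `verify()` recomputes every hash from the genesis value forward, so a single rewritten entry (for instance flipping a denial to an approval) is detected. In a deployed system the current chain head would also be copied to a store the application's own database credentials cannot write, since otherwise someone with direct database access could rewrite the whole chain consistently.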
All data encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords hashed with bcrypt. Multi-tenant isolation ensures complete data separation between organisations.
Your data is never accessible to other organisations. Ever.
When someone requests their data, generate a complete ZIP of everything you hold — profiles, documents, leave history, asset records, activity log. Under 5 minutes.
Fully compliant with right-of-access requirements in all 5 countries.
When someone requests data deletion, remove their data permanently with a documented, timestamped record of the deletion. Proof you complied.
Audit log preserves the deletion record even after the data is gone.
Automatic reminders at 90, 30, and 7 days before any document expires. Work permits, certifications, contracts — never miss a renewal.
Dashboard widget shows everything expiring in the next 90 days at a glance.
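The reminder schedule and dashboard view just described, together with the per-category retention policies listed in the table above, as an added example written for this page (not Cedrios's code; the document fields, category names, sample dates and the rule that retention is counted from expiry where one exists are assumptions). It also covers the case from earlier on the page of a permit that lapsed months ago: a lapsed document is surfaced rather than silently dropping out of the 90-day window.

```python
# Added example, not Cedrios's code: 90/30/7-day reminders, a 90-day dashboard
# view, and per-category retention flags. All names and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

REMINDER_DAYS = (90, 30, 7)  # thresholds named on the page

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    category: str            # e.g. "work_permit", "certification", "contract", "payslip"
    uploaded: date
    expires: Optional[date]  # None for documents that never expire

def reminder_due(doc, today):
    """Return 90, 30 or 7 if that reminder fires today, 0 if the document has
    already lapsed (so the lapse itself is surfaced), or None otherwise."""
    if doc.expires is None:
        return None
    days_left = (doc.expires - today).days
    if days_left < 0:
        return 0
    return days_left if days_left in REMINDER_DAYS else None

def reminders_today(docs, today):
    """Everything that needs a notification today, as (doc_id, threshold)."""
    return [(d.doc_id, r) for d in docs if (r := reminder_due(d, today)) is not None]

def expiring_within(docs, today, window_days=90):
    """Dashboard rows (days_left, doc_id), soonest first. Already-lapsed documents
    appear with a negative days_left rather than dropping out of view."""
    rows = [((d.expires - today).days, d.doc_id) for d in docs
            if d.expires is not None and (d.expires - today).days <= window_days]
    return sorted(rows)

def past_retention(docs, policies, today):
    """Flag documents held longer than their category's retention period.
    `policies` maps category -> days. The clock starts at expiry if the document
    has one, else at upload, so a still-valid document is never flagged."""
    flagged = []
    for d in docs:
        limit = policies.get(d.category)
        if limit is None:
            continue  # no policy configured for this category
        start = d.expires if d.expires is not None else d.uploaded
        if (today - start).days > limit:
            flagged.append(d.doc_id)
    return flagged

# Constructed sample data for the functions above.
TODAY = date(2024, 6, 1)
SAMPLE_DOCS = [
    Document("permit-1", "ama", "work_permit", date(2022, 9, 1), date(2024, 8, 30)),  # 90 days out
    Document("cert-1", "kofi", "certification", date(2023, 6, 8), date(2024, 6, 8)),   # 7 days out
    Document("contract-1", "lerato", "contract", date(2021, 2, 1), date(2024, 2, 1)),  # lapsed 4 months ago
    Document("payslip-1", "ama", "payslip", date(2019, 1, 15), None),                   # never expires
]
RETENTION_POLICIES = {"payslip": 5 * 365, "contract": 3 * 365}  # days, per category
```

`reminder_due` is written to be run once per day by a scheduler; because it matches the exact thresholds, a document that is uploaded with 40 days left will get the 30-day and 7-day reminders but not the 90-day one. The retention check deliberately returns nothing for categories with no configured policy, so a missing policy is a visible gap to fix in configuration rather than a silent deletion candidate.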
Prove your people received and read the handbook, code of conduct, or safety policy. Timestamped records of who acknowledged what and when.
Undeniable in a dispute. HR Admin gets notified of any non-acknowledgement.
Nigeria: NIN, TIN, BVN, PFA. South Africa: SA ID, Tax Ref, UIF. Kenya: National ID, KRA PIN, NSSF, NHIF. Ghana: Ghana Card, SSNIT. Auto-configured per your country.
The right fields for your jurisdiction — no setup required.
| Scenario | Without Cedrios | With Cedrios |
|---|---|---|
| An auditor requests all employment contracts | 3 days searching through filing cabinets. Some contracts are missing. Auditor flags non-compliance. | Search 'contracts' → select all → export as ZIP. Done in 2 minutes. Every contract accounted for. |
| A former employee requests all their personal data | Check email, WhatsApp, Excel, filing cabinet, Google Drive. Takes a week. You miss something. They complain to the regulator. | Open their profile → click 'Export All Data' → ZIP file generated in under 5 minutes. Complete and documented. |
| An employee claims they never received a warning | You know you gave them one, but there's no signed copy, no timestamp, no proof. You lose the case. | The warning letter is stored in their profile. Acknowledgement tracked with timestamp. Audit log shows when it was uploaded and by whom. |
| A work permit expires without anyone noticing | You find out during a government inspection. Fines follow. The employee is technically working illegally. | Cedrios alerted you at 90, 30, and 7 days before expiry. The dashboard flagged it. You renewed on time. |
| Someone accesses medical records they shouldn't see | Medical certificates in a shared folder. Anyone who finds the folder can read them. You'd never know if they did. | Medical records restricted to HR Admin and Super Admin only. Every access logged in the audit trail. |
| A data breach requires notification | Data is spread across 5 systems. You can't determine what was exposed or who was affected. Response takes weeks. | All data in one system. You know exactly what exists, who it belongs to, and who accessed it. Respond accurately and quickly. |
How does your business score?
Audit trails, encryption, access controls, and data export are included on every plan — even Free. No add-ons, no compliance tax.