A data protection compliance organisation, DataPro, has projected governance and litigation challenges as factors that would define the new year.

The firm’s Head of Emerging Services, Ademikun Adeseyoju, said this ahead of its week-long programme to mark this year’s privacy week, saying the challenges would be defined by board and executive ownership.

He anticipated a surge in individual claims and constitutional privacy actions, noting that organisations must remain “litigation ready” by preserving processing records and strengthening internal controls.

He said privacy in the new year would no longer be an information technology (IT)-only concern, but a standing governance issue that requires regular risk reports and dedicated budgets.

Highlighting some milestones from the 2025 ecosystem, Adeseyoju said the year marked Nigeria’s definitive transition from the Nigeria Data Protection Regulation (NDPR) to the full statutory power of the Nigeria Data Protection Act (NDPA) and the General Application and Implementation Directive (GAID) 2025.

The shift, Adeseyoju said, signalled a move from guideline-based compliance to a mandatory and enforcement-driven regime, which includes an active regulatory posture.

He said this was where the NDPC moved decisively into active enforcement, publicly naming non-compliant entities, particularly in the financial services sector.

On judicial precedents, DataPro said the landmark court rulings in 2025 affirmed that transparency in personal data handling was a constitutionally protected right.

He said courts awarded significant damages to data subjects for privacy breaches, signalling that organisational size no longer shields against accountability.

According to him, regulatory settlements with multinational technology firms have set a high bar for behavioural advertising and data processing standards in Nigeria.

On the cybersecurity landscape, the DataPro emerging services head also stressed that 2025 witnessed an unprecedented surge in cyber threats.

According to him, attackers shifted their focus from technical exploits to identity-driven campaigns, targeting valid credentials with high precision.

The “identity-centric” threat environment, he said, has made robust access management a non-negotiable requirement for corporate resilience.