Data privacy regulation in Africa is evolving rapidly. With the passage of the Nigeria Data Protection Act 2023 and similar laws across the continent, organisations running digital training programmes must navigate an increasingly complex compliance landscape.
The regulatory landscape
Twenty-seven African countries now have data protection laws, with several more in the legislative pipeline. The Nigeria Data Protection Regulation (NDPR) and Kenya's Data Protection Act are among the most advanced, modelled closely on the GDPR.
Key requirements for learning platforms
Learner data processed by learning platforms triggers specific obligations:
- Lawful basis for processing: consent or legitimate interest must be established
- Data minimisation: only collect what you need for the training purpose
- Storage limitation: delete learner data when it is no longer needed
- Cross-border transfer: ensure adequate safeguards when data leaves the country
- Data subject rights: learners can access, correct, and request deletion of their data
- Breach notification: report incidents within 72 hours
How Questence helps
We built Questence with data privacy by design and by default. Data is encrypted at rest and in transit, tenant data is fully isolated, and we provide tools for data export, deletion, and audit logging. Our DPA is available for all customers.
We recommend all customers work with local legal counsel to ensure their specific use of the platform complies with applicable regulations in their operating jurisdictions.
