Data Sovereignty in West Africa: A Guide for IT Directors
Data protection and localisation laws are tightening across West Africa, and enforcement is increasing. Here is what IT directors need to know about the regulatory direction across the region — and what it means for infrastructure decisions.
For most of the last two decades, data residency was a low priority for IT decision-making in West Africa. Data went wherever the cheapest, most reliable cloud capacity was — almost always outside the continent. Regulatory frameworks existed on paper in some countries but enforcement was minimal, and "data protection law" was something legal teams filed away rather than something that shaped infrastructure architecture.
That has changed, and the change has accelerated sharply in the last eighteen months. This article is a regional overview for IT directors — what's happening across West Africa's major economies, why it's happening now, and what it means for how infrastructure decisions should be made going forward.
The Continental Picture
Africa is expected to surpass 50 data protection laws by the end of 2026 — up from fewer than 20 a decade ago. But the more important shift isn't the number of laws. It's enforcement.
The real shift in 2025 was about enforcement. Data protection began to move beyond formal compliance, with regulators and courts holding both local actors and global technology companies accountable for how personal data is handled. This is the critical distinction for IT directors: a law that exists on paper but is never enforced doesn't change infrastructure decisions. A law that results in real penalties, real audits, and real court judgments does.
Across the continent, that shift has now happened. South Africa now requires organisations to respond to data erasure and rectification requests within 30 days. Kenya's data protection authority ordered a blanket deletion of biometric data collected without proper consent. Domestic fintechs, lenders, hospitals, and media houses — not just multinational technology companies — have all faced enforcement action.
Nigeria: The Region's Most Active Enforcement Environment
Nigeria's National Data Protection Act, enacted in 2023, became fully operational through a General Application and Implementation Directive issued in March 2025. The directive established a risk-tiered classification system — organisations are classified as Data Controllers or Processors of Major Importance at Ultra-High, Extra-High, or Ordinary-High levels, with higher tiers facing more stringent requirements including mandatory local Data Protection Officers and annual audits.
Enforcement has been real and significant. In July 2025, Nigeria's data protection authority imposed a fine of approximately ₦766 million (roughly $500,000) on a major media and entertainment company for violations under the Act. From September 2025, the regulatory framework empowers compulsory inspections — meaning organisations can be audited without having triggered a complaint first.
For IT directors at organisations operating in Nigeria — including Ghanaian companies with Nigerian operations, which is common in West African fintech — this regulatory environment is no longer something that can be addressed reactively after an incident.
Nigeria is also separately considering a policy proposal that would require data localisation for certain categories of personal data — moving beyond data protection compliance toward the kind of explicit residency requirements that Ghana's financial sector now faces under the Bank of Ghana's CISD 2026.
Ghana: From Data Protection Act to Active Localisation Policy
Ghana's regulatory direction has two parallel tracks worth understanding separately.
The general data protection framework is being revised. Ghana's Data Protection Commission launched a Privacy Seal in December 2025 — a visible certification with a scannable QR code that organisations display to demonstrate compliance with the Data Protection Act (Act 843). Simultaneously, Ghana published an early draft of a revised data protection framework for stakeholder consultation in October 2025, with further revisions expected.
The government has separately pursued active data localisation as economic policy. Ghana's approach illustrates how data sovereignty can serve broader economic goals — a government initiative to repatriate externally hosted government data to reduce costs, paired with partnerships with major cloud providers to build local data centre capacity. This is a distinct thread from data protection law — it's an infrastructure policy decision driven partly by cost (foreign-hosted government data represents an ongoing foreign currency cost) and partly by sovereignty.
The financial sector has the most concrete and immediate requirement. The Bank of Ghana's CISD 2026, which came into effect in March 2026, requires that core banking systems and critical customer data remain within Ghana's borders — a requirement we've covered in detail previously.

For an IT director in Ghana, the practical takeaway is that the financial sector has the clearest and most enforceable requirement right now, but the general direction is consistent: data protection law, government policy, and sector-specific directives all point the same way.
The Regional Framework: AfCFTA and Cross-Border Data
One development worth understanding because it will shape how these national laws interact: the African Union adopted annexes to the African Continental Free Trade Area Protocol on Digital Trade, including a specific annexure on cross-border data transfer. This establishes a harmonised framework intended to mandate the free flow of data for legitimate business purposes while preserving each country's regulatory space for privacy and security requirements.
In practical terms, this means the direction is not toward a fragmented continent where every country's data must stay strictly within its own borders for all purposes — but toward a model where cross-border movement is permitted for general business data, while specific categories (financial data, government data, health data, biometric data) face stricter localisation requirements at the national level.
For IT directors, this means the question is not "can data ever leave the country?" but "which categories of data, for which purposes, are subject to localisation?" The answer varies by sector and is becoming stricter for the most sensitive categories.
What This Means for Infrastructure Architecture
Pulling this regional picture together, several practical conclusions emerge for IT directors making infrastructure decisions in West Africa today.
Sector matters more than geography. A financial institution in Ghana faces CISD 2026's specific requirements. A Nigerian fintech faces the NDPA's risk-tier classifications. A general enterprise in either country faces a less prescriptive but tightening data protection framework. The starting point for any infrastructure decision should be: what sector-specific rules apply to us, specifically, beyond the general data protection law?
"We're compliant because our cloud provider has a compliance certification" is no longer sufficient. Many organisations have historically relied on their public cloud provider's general compliance certifications (ISO 27001, SOC 2, etc.) as their compliance story. These certifications address security practices — they do not address data residency requirements that specify data must be located within a particular country's borders. A provider's global compliance certification does not change where your data physically sits.
New systems should be designed with residency in mind from the start, rather than retrofitted later. The cost and complexity of migrating an existing system to meet a new residency requirement are substantially higher than those of designing a new system with the requirement understood upfront.
Local infrastructure is increasingly the path of least regulatory friction, not just for the strictest cases (financial services core systems) but as a general hedge against a regulatory direction that is consistently moving toward more localisation, not less, across every country in the region.
The Honest Summary
The regulatory direction across West Africa is unambiguous, even if the specifics vary by country and sector: data protection enforcement has moved from theoretical to real, and data localisation requirements — particularly for financial, government, and sensitive personal data — are expanding rather than contracting.
For IT directors, the organisations that will navigate this most smoothly are the ones that treat data residency as an infrastructure architecture question now, rather than a compliance question to be addressed reactively when a specific directive forces the issue.
What SwiftInfra Does
SwiftInfra designs and deploys private cloud infrastructure located within Ghana for organisations that need to address data residency requirements — whether driven by sector-specific directives like CISD 2026, general data protection compliance, or as a strategic decision ahead of tightening requirements. We also manage the resulting environments under ongoing operations retainers, so data residency doesn't come at the cost of operational reliability.
If your organisation is assessing what data residency means for your infrastructure, we are ready to help you think through it.
SwiftInfra is a private cloud engineering company based in Accra, Ghana. We deploy and manage private cloud infrastructure for financial institutions, fintechs, universities, and enterprises across West Africa. This article provides a general regional overview and does not constitute legal advice. Organisations should consult legal counsel regarding their specific obligations in each jurisdiction they operate in.