Data Localisation and Cross-Border Data Flows

The data sovereignty wave

Between 2019 and 2025, the number of African countries with comprehensive data protection legislation more than doubled, rising from 14 to 33. This regulatory acceleration reflects a global trend toward data sovereignty, but in Africa it carries particular significance for technology companies that depend on cross-border data flows to operate multi-market platforms, leverage cloud infrastructure hosted outside the continent, and serve customers across jurisdictional boundaries. In our experience advising startups across 18 African markets, data localisation requirements have emerged as one of the top three operational constraints that founders fail to anticipate, alongside foreign exchange controls and employment law complexity.


The stakes are not abstract. A fintech processing customer transaction data across borders without adequate legal basis risks regulatory penalties that can reach 2 percent of annual turnover in Nigeria, up to R10 million in South Africa, and criminal sanctions including imprisonment in certain jurisdictions. Beyond the direct legal risk, data compliance failures have become a recurring theme in due diligence processes, with investors increasingly treating data governance as a proxy for operational maturity. In our portfolio of advisory engagements, approximately 25 percent of Series A due diligence processes have surfaced material data compliance gaps that required remediation before closing, adding an average of 6 to 10 weeks to the fundraising timeline.


Understanding the spectrum of localisation requirements

Data localisation is not a binary concept. African jurisdictions impose requirements that fall along a spectrum from strict data residency mandates to conditional transfer frameworks, and understanding where each market sits on this spectrum is essential for designing a compliant and operationally efficient data architecture.


At the strictest end of the spectrum sits Nigeria. The Nigeria Data Protection Act 2023 (NDPA), which replaced the earlier NDPR, permits cross-border transfers of Nigerian residents' personal data only where the recipient country provides an adequate level of protection, or where the data controller has implemented appropriate safeguards such as binding corporate rules or standard contractual clauses approved by the Nigeria Data Protection Commission. In practice this means that personal data of Nigerian residents stays on servers physically located in Nigeria unless one of those conditions has been documented. The NDPC has been actively enforcing these requirements since its establishment, conducting audits and imposing compliance orders on companies that store Nigerian user data exclusively on foreign servers. For fintech companies, the Central Bank of Nigeria adds a further layer of data residency requirements through its payment-system guidelines, mandating that payment transaction data be processed and stored within Nigeria.


South Africa's Protection of Personal Information Act, commonly known as POPIA, takes a more conditional approach. POPIA permits cross-border transfers where the recipient is subject to a law or binding agreement that provides an adequate level of protection substantially similar to POPIA's conditions, where the data subject consents to the transfer, where the transfer is necessary for the performance of a contract, or where the transfer is for the benefit of the data subject and consent cannot be obtained. The Information Regulator has not yet published a formal adequacy determination list, creating a degree of regulatory uncertainty that most companies navigate by implementing standard contractual clauses modelled on the GDPR framework. The practical effect is that South Africa allows data to leave the country but requires documented justification and protective mechanisms, a framework that adds compliance cost but does not fundamentally prevent cloud-based architectures.


Kenya's Data Protection Act 2019, enforced by the Office of the Data Protection Commissioner, follows a similar conditional transfer model but with some notable differences. Kenya permits cross-border data transfers where the recipient country has adequate data protection safeguards, where appropriate safeguards exist such as binding corporate rules, or where the data subject has given explicit consent. The ODPC has published guidance indicating that countries with GDPR-equivalent frameworks are generally considered adequate, providing more certainty than South Africa's framework. However, Kenya's financial sector regulator, the Central Bank of Kenya, imposes additional requirements for financial data, including the expectation that a copy of all critical financial data be maintained on servers accessible within Kenya, even if the primary processing occurs offshore.


The infrastructure reality: cloud availability and cost

Data localisation requirements are only meaningful if the infrastructure exists to comply with them. The good news is that cloud availability in Africa has improved dramatically. AWS launched its Africa (Cape Town) region in 2020, Microsoft Azure has operated South African regions since 2019, and Google Cloud announced its Johannesburg region in 2022 and opened it for general use in early 2024. Nigeria has seen significant investment in local data centre capacity, with operators like Rack Centre, MainOne (now part of Equinix), and Africa Data Centres expanding capacity in Lagos. Kenya's data centre market is growing rapidly, anchored by facilities from East Africa Data Centre and IXAfrica.


However, the cost implications are significant. Hosting on African cloud infrastructure typically costs 20 to 40 percent more than equivalent capacity in US or European regions, driven by higher power costs, limited competition among providers, and the economics of smaller-scale operations. For an early-stage startup processing moderate transaction volumes, the incremental cost of local hosting might add $2,000 to $8,000 per month compared to a purely US-based cloud architecture. For a growth-stage company with substantial data processing requirements, the difference can reach $15,000 to $50,000 per month. These costs must be factored into unit economics from the outset, not discovered after a regulatory audit forces an emergency infrastructure migration.


The vendor selection decision for local hosting is more nuanced than simply choosing the nearest cloud region. Companies must evaluate not only price and performance but also the vendor's regulatory certification status in each jurisdiction, their data processing agreements' compliance with local law, and their ability to provide the audit trails and data access logs that regulators increasingly demand. We advise companies to negotiate data processing agreements that explicitly address local regulatory requirements before signing cloud contracts, rather than relying on the vendor's standard terms. AWS, Azure, and Google Cloud all offer customisable data processing addenda, but these must be reviewed by local counsel to ensure they satisfy jurisdiction-specific requirements.


For companies that cannot justify the cost of hyperscale cloud infrastructure in every market, managed hosting providers offer a viable alternative. Local providers such as Rack Centre in Nigeria, Dimension Data in South Africa, and Safaricom's cloud services in Kenya can provide compliant hosting at 15 to 30 percent lower cost than hyperscale providers, though with less sophisticated tooling and smaller service catalogues. The trade-off between compliance cost and operational capability is one that each company must evaluate based on its specific technical requirements and data processing volumes.


Building a compliant multi-market data architecture

The most effective approach we have seen among multi-market African tech companies is a hub-and-spoke data architecture that combines local data residency with centralised analytics capabilities. The architecture works as follows: personal data and regulated financial data are stored and processed in local data centres or cloud regions within each jurisdiction, satisfying residency requirements. Anonymised or pseudonymised data is then replicated to a central analytics hub, typically hosted in South Africa's AWS or Azure region, where it can be used for business intelligence, machine learning model training, and cross-market reporting without triggering cross-border transfer restrictions on personal data.


This architecture requires careful implementation of data classification, encryption, and access controls. The first step is to classify all data into categories: personal data subject to localisation requirements, regulated financial data subject to sector-specific rules, business operational data with no specific localisation requirement, and anonymised or aggregated data that falls outside the scope of data protection legislation. In our experience, fewer than 15 percent of African startups have implemented a formal data classification framework by the time they reach Series A, creating a significant compliance gap that is expensive and disruptive to remediate retroactively. The cost of implementing a proper classification and architecture framework proactively is typically $20,000 to $60,000, compared to $80,000 to $250,000 for a retroactive remediation after a regulatory finding or investor due diligence discovery.
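The classification and export gate that the hub-and-spoke design depends on can be made concrete in code. The block below is an added example written for this page, not code from the page or from any cloud provider; the jurisdiction codes, storage location names, field names, sample transaction and HMAC key are all hypothetical. It shows three things the paragraph above only names: a field-level classification that fails closed (any field not explicitly classified is treated as personal), keyed pseudonymisation with a per-jurisdiction key that is meant never to leave that jurisdiction, and a gate that checks the record's actual contents before allowing a write to any location, rather than trusting the caller's claim that the data is "already anonymised".

```python
"""Residency-aware export gate for a hub-and-spoke data architecture.

Added illustration, not code from the page. Jurisdiction codes, storage
location names, field names and the key are hypothetical; NG_KEY stands in
for a key generated and held inside the jurisdiction.
"""
import hashlib
import hmac
from datetime import datetime

# Hypothetical storage locations approved for raw personal/regulated data.
RESIDENCY = {
    "NG": {"ng-lagos-dc"},
    "ZA": {"af-south-1"},
    "KE": {"ke-nairobi-dc"},
}
ANALYTICS_HUB = "af-south-1"  # central hub; only pseudonymised data may land here

# Field-level classification. Anything not listed is treated as personal so
# that a column added later by a developer fails closed instead of leaking.
FIELD_CLASS = {
    "subject_id": "personal", "email": "personal", "phone": "personal",
    "account_number": "regulated", "card_pan": "regulated",
    "subject_token": "pseudonymous",
    "amount": "operational", "currency": "operational",
    "merchant_category": "operational", "country": "operational",
    "ts": "operational",
}
LOCALISED = {"personal", "regulated"}


def classify_field(name):
    return FIELD_CLASS.get(name, "personal")


def localised_fields(record):
    """Names of fields in the record that must stay in-jurisdiction."""
    return sorted(f for f in record if classify_field(f) in LOCALISED)


def pseudonymise(record, jurisdiction_key):
    """Drop localised fields and replace the subject with a keyed token.

    HMAC with a per-jurisdiction key keeps one subject's records linkable
    for analytics while making the token useless without the key. A plain
    SHA-256 of a phone number or national ID would be reversible by brute
    force over the small identifier space.
    """
    out = {f: v for f, v in record.items() if classify_field(f) not in LOCALISED}
    tag = hmac.new(jurisdiction_key, record["subject_id"].encode(), hashlib.sha256)
    out["subject_token"] = tag.hexdigest()[:32]
    # Coarsen the timestamp to the day to blunt re-identification via timing.
    out["ts"] = datetime.fromisoformat(record["ts"]).date().isoformat()
    return out


def check_export(record, destination):
    """Return (allowed, reason) for writing a record to a destination.

    Raw records go only to locations approved for the subject's jurisdiction.
    The analytics hub accepts a record only if no localised field survives,
    verified from the record itself rather than trusted from the caller.
    """
    jurisdiction = record.get("country")
    if jurisdiction not in RESIDENCY:
        return False, f"unknown jurisdiction {jurisdiction!r}; no residency rule"
    remaining = localised_fields(record)
    if not remaining:
        if destination == ANALYTICS_HUB or destination in RESIDENCY[jurisdiction]:
            return True, "no localised fields present"
        return False, f"{destination} is neither the hub nor approved for {jurisdiction}"
    if destination in RESIDENCY[jurisdiction]:
        return True, f"localised fields {remaining} stay in {jurisdiction}"
    return False, f"localised fields {remaining} may not be written to {destination}"


# Constructed sample transaction for a Nigerian customer (not real data).
SAMPLE = {
    "subject_id": "NG-1234567890", "email": "ada@example.com",
    "phone": "+2348012345678", "account_number": "0123456789",
    "amount": "15000.00", "currency": "NGN", "merchant_category": "5411",
    "country": "NG", "ts": "2025-03-04T10:15:00",
}
NG_KEY = b"per-jurisdiction key held in Lagos (hypothetical)"


def demo():
    """Walk the sample through the raw path and the hub path."""
    return {
        "raw->us-east-1": check_export(SAMPLE, "us-east-1"),
        "raw->ng-lagos-dc": check_export(SAMPLE, "ng-lagos-dc"),
        "raw->hub": check_export(SAMPLE, ANALYTICS_HUB),
        "pseudo->hub": check_export(pseudonymise(SAMPLE, NG_KEY), ANALYTICS_HUB),
    }


if __name__ == "__main__":
    for path, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {path}: {why}")
```

Two caveats belong with this. First, the gate enforces the company's own classification policy; whether the residual dataset actually falls outside a given jurisdiction's definition of personal data is a legal judgement made per market, and a combination of merchant category, day and amount can still single out an individual in a small population. Second, the value of the HMAC construction depends entirely on the key never being replicated to the hub; if the key travels with the data, the tokens are reversible by anyone who can enumerate the identifier space.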


Beyond the technical architecture, companies must address the organisational requirements that data protection laws impose. Most African data protection frameworks require the appointment of a Data Protection Officer, though the specific requirements vary significantly by jurisdiction. Nigeria's NDPA requires a DPO for any organisation that processes personal data of more than 1,000 data subjects annually, effectively capturing every technology company operating at any meaningful scale. South Africa's POPIA requires the designation of an Information Officer, who must be registered with the Information Regulator and bears personal liability for certain compliance failures. Kenya's DPA requires controllers to register with the ODPC and designate a data protection officer for organisations processing sensitive personal data or data of more than 1,000 data subjects.


For multi-market companies, the practical question is whether to appoint a single group-level DPO or separate officers for each jurisdiction. The most cost-effective approach for companies operating in three to five markets is a hybrid model: a senior group DPO, typically costing $60,000 to $90,000 annually, who owns the overall data protection strategy, supported by local compliance coordinators in each market who handle jurisdiction-specific filings, regulatory correspondence, and data subject requests. The local coordinator role can often be combined with an existing legal or compliance function at an incremental cost of $10,000 to $15,000 per market. Companies that delay DPO appointments until forced by a regulatory inquiry face expedited recruitment costs of 30 to 50 percent above market rates and the reputational damage of engaging with a regulator without an established compliance function.


The Malabo Convention and the path toward continental harmonisation

The African Union Convention on Cyber Security and Personal Data Protection, adopted in Malabo in 2014, represents the continent's most ambitious attempt at regulatory harmonisation. The Convention entered into force in June 2023 after achieving the required 15 ratifications, a milestone that took nearly a decade. The Convention establishes baseline principles for data protection including lawful processing, purpose limitation, data minimisation, and cross-border transfer safeguards that are broadly aligned with GDPR principles.


However, founders should not yet rely on the Malabo Convention as a practical compliance framework. Implementation remains uneven, several of the continent's largest economies including Nigeria and South Africa have not yet ratified the Convention, and the enforcement mechanisms are still being developed. The more practically relevant regional frameworks are those emerging from the economic communities: the Economic Community of West African States adopted a Supplementary Act on Personal Data Protection in 2010, and the East African Community is working toward harmonised data protection standards. These regional frameworks may eventually create zones of regulatory equivalence that simplify cross-border data flows within specific corridors, but for now, founders must still comply with each national framework individually.


The most costly data compliance mistakes we observe among African tech companies are not exotic edge cases but predictable failures of basic governance. The first and most common is the "single cloud account" problem: companies that run their entire multi-market infrastructure from a single AWS or Azure account in a non-African region, with no data residency controls, no data flow mapping, and no documented legal basis for cross-border transfers. When a regulator inquires about data handling practices, these companies cannot demonstrate compliance because they have never implemented the technical or organisational measures that compliance requires. The remediation cost for a complete infrastructure migration under regulatory pressure typically runs three to five times the cost of building a compliant architecture from the start.


The second common mistake is treating privacy policies as compliance documents rather than operational frameworks. A well-drafted privacy policy is necessary but insufficient: what regulators actually assess is whether the company's operational practices match its stated policies, whether data subject requests are processed within the statutory timeframes of 30 days in most jurisdictions, and whether the company maintains records of processing activities as required by law.


The third mistake is ignoring sector-specific data requirements. Financial regulators, telecommunications authorities, and health sector regulators in most African markets impose data handling requirements that go beyond the general data protection framework. A fintech company that is compliant with Nigeria's NDPA but non-compliant with the CBN's data residency guidelines is still exposed to regulatory action from the more powerful regulator. Companies entering regulated sectors should budget $15,000 to $30,000 per market for a comprehensive regulatory mapping exercise that identifies all applicable data handling requirements across general and sector-specific frameworks, conducted by local counsel with sector expertise rather than general practice data protection advisors.


The bottom line

Data is the raw material of technology businesses, and in Africa the rules governing where that material can be stored, processed, and moved are changing faster than most founders appreciate. The trend is unmistakably toward greater localisation, stricter enforcement, and higher penalties for non-compliance. Companies that design their data architectures with these constraints in mind from day one will find that compliance becomes a source of operational discipline and investor confidence rather than a drag on growth. Those that treat data governance as an afterthought will discover, often at the worst possible moment, that the cost of retrofitting compliance far exceeds the cost of building it in from the start.