The Nigeria Data Protection Act 2023 (NDPA) is Nigeria’s primary data protection legislation, signed into law on 12 June 2023. It establishes the legal framework for how organisations collect, process, store, and transfer personal data of Nigerian residents — and creates the Nigeria Data Protection Commission (NDPC) as the independent regulatory body responsible for enforcement.
If your organisation processes personal data of Nigerian residents — whether you are based in Nigeria or operating remotely — the NDPA applies to you.
Who Does the NDPA Apply To?
The NDPA applies to any organisation (called a Data Controller or Data Processor) that:
This extraterritorial scope means Nigerian fintechs, banks, health organisations, e-commerce platforms, and SaaS companies are all within scope — and so are international companies that have Nigerian customers or employees.
Key Obligations Under the NDPA
1. Lawful Basis for Processing
Every processing activity must be grounded in a valid lawful basis. The NDPA recognises six lawful bases, including consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must document your lawful basis for each category of personal data you process.
2. Privacy Notices
Data subjects must be informed — clearly and in plain language — about what data you collect, why you collect it, how long you keep it, who you share it with, and how they can exercise their rights. This must be communicated at or before the point of data collection.
3. Data Subject Rights
The NDPA grants individuals the right to access, correct, erase, and port their personal data. You must have documented procedures to respond to these requests within 30 days.
4. Data Protection Officer
Organisations processing personal data at scale, or processing special categories of data (health, biometrics, ethnicity), must appoint a Data Protection Officer (DPO). The DPO must be registered with the NDPC.
5. Record of Processing Activities
You must maintain a Record of Processing Activities (ROPA) documenting all data processing operations — including the purpose, categories of data, recipients, and retention periods.
6. Data Breach Notification
Notifiable data breaches must be reported to the NDPC within 72 hours of discovery. Affected individuals must be notified without undue delay where the breach poses a high risk to their rights and freedoms.
7. Cross-Border Data Transfers
Transfers of personal data outside Nigeria require adequate safeguards — either a country adequacy decision from the NDPC, standard contractual clauses, or binding corporate rules.
NDPC Enforcement
The NDPC has begun conducting audits and investigations. Penalties for non-compliance can reach up to 2% of annual gross revenue or ₦10 million (whichever is higher) for general violations, and up to 2.5% of annual gross revenue for serious violations.
The NDPC has also introduced a mandatory annual data protection audit requirement for Data Controllers of Major Importance (DCMIs) — organisations processing data above defined thresholds.
Where to Start
If your organisation has not yet begun its NDPA compliance journey, the first step is understanding your current posture. Our free NDPA Self-Assessment Toolkit evaluates your readiness across 8 compliance domains in approximately 10 minutes — and gives you an instant compliance score with prioritised recommendations.
If your assessment reveals significant gaps, or if you need structured implementation support, our advisory team can guide you through a full NDPA compliance programme — from data mapping through to NDPC readiness.