The Nigeria Data Protection Act 2023 (NDPA) is Nigeria’s primary data protection legislation, signed into law on 12 June 2023. It establishes the legal framework for how organisations collect, process, store, and transfer personal data of Nigerian residents — and creates the Nigeria Data Protection Commission (NDPC) as the independent regulatory body responsible for enforcement.
If your organisation processes personal data of Nigerian residents — whether you are based in Nigeria or operating remotely — the NDPA applies to you.
Who Does the NDPA Apply To?
The NDPA applies to any organisation (called a Data Controller or Data Processor) that:
- Processes personal data of Nigerian residents, regardless of where the organisation is based
- Is established in Nigeria and processes personal data, regardless of where the processing takes place
This extraterritorial scope means Nigerian fintechs, banks, health organisations, e-commerce platforms, and SaaS companies are all within scope — and so are international companies that have Nigerian customers or employees.
Key Obligations Under the NDPA
1. Lawful Basis for Processing
Every processing activity must be grounded in a valid lawful basis. The NDPA recognises six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must document your lawful basis for each category of personal data you process.
2. Privacy Notices
Data subjects must be informed — clearly and in plain language — about what data you collect, why you collect it, how long you keep it, who you share it with, and how they can exercise their rights. This must be communicated at or before the point of data collection.
3. Data Subject Rights
The NDPA grants individuals the right to access, correct, erase, and port their personal data. You must have documented procedures to respond to these requests within 30 days.
4. Data Protection Officer
Organisations processing personal data at scale, or processing special categories of data (health, biometrics, ethnicity), must appoint a Data Protection Officer (DPO). The DPO must be registered with the NDPC.
5. Record of Processing Activities
You must maintain a Record of Processing Activities (ROPA) documenting all data processing operations — including the purpose, categories of data, recipients, and retention periods.
6. Data Breach Notification
Notifiable data breaches must be reported to the NDPC within 72 hours of discovery. Affected individuals must be notified without undue delay where the breach poses a high risk to their rights and freedoms.
7. Cross-Border Data Transfers
Transfers of personal data outside Nigeria require adequate safeguards, such as a country adequacy decision from the NDPC, standard contractual clauses, or binding corporate rules.
NDPC Enforcement
The NDPC has begun conducting audits and investigations. Penalties for non-compliance can reach up to 2% of annual gross revenue or ₦10 million (whichever is higher) for general violations, and up to 2.5% of annual gross revenue for serious violations.
The NDPC has also introduced a mandatory annual data protection audit requirement for Data Controllers of Major Importance (DCMIs) — organisations processing data above defined thresholds.
Where to Start
If your organisation has not yet begun its NDPA compliance journey, the first step is understanding your current posture. Our free NDPA Self-Assessment Toolkit evaluates your readiness across 8 compliance domains in approximately 10 minutes — and gives you an instant compliance score with prioritised recommendations.
If your assessment reveals significant gaps, or if you need structured implementation support, our advisory team can guide you through a full NDPA compliance programme — from data mapping through to NDPC readiness.