Who is required to report

Under the Nigeria Data Protection Act (NDPA) 2023, breach notification obligations apply to every data controller and data processor operating in Nigeria or processing the personal data of Nigerian residents. This is not limited to CBN-licensed institutions. If your fintech collects names, BVNs, NINs, email addresses, phone numbers, IP addresses, or biometric data, you are a data controller under the NDPA.

The obligation extends to processors as well. If you operate a BaaS (Banking-as-a-Service) platform that processes data on behalf of another fintech, you must notify your data controller client without "undue delay" after becoming aware of the breach, and the controller must then notify the NDPC.

There is no size exemption. A three-person startup processing 500 user records has the same notification obligations as a Tier-1 bank processing 10 million accounts. The NDPC has made this explicit in its 2025 enforcement guidance.

The 72-hour notification window

The clock starts the moment you become "aware" of a personal data breach. "Awareness" means the point at which you have a reasonable degree of certainty that a security incident has resulted in personal data being compromised.

Practically, this means:

If you cannot complete the full notification within 72 hours, the NDPA allows you to submit an initial notification with available information and supplement it later. However, you must explain the reason for the delay. "We were still investigating" is acceptable. "We did not know we had to report" is not.

Enforcement Precedent

Late notification compounds penalties

The NDPC has publicly stated that failure to notify within the 72-hour window is treated as an aggravating factor in penalty calculations. In enforcement actions during 2024-2025, companies that self-reported promptly received significantly lower fines than those whose breaches were discovered through third-party reports or media coverage.

What the notification must include

A breach notification is not an email saying "we had an incident." The NDPA requires specific disclosures. Missing any of these gives the NDPC grounds to reject your notification as incomplete, resetting your compliance clock and increasing your liability.

1. Nature of the breach

Describe the type of incident: unauthorised access, data exfiltration, ransomware encryption, accidental disclosure, or insider threat. Specify the attack vector if known (e.g., exploited API vulnerability, compromised employee credentials, social engineering attack on support staff).

2. Categories of data affected

Enumerate the specific types of personal data compromised: full names, BVN numbers, NIN numbers, phone numbers, email addresses, residential addresses, date of birth, KYC documents (passport photos, utility bills), transaction histories, account balances, loan records, or biometric templates.

3. Number of data subjects

Provide the approximate number of individuals whose data was compromised. If you cannot determine the exact number, provide your best estimate and explain the methodology. "Between 10,000 and 15,000 users whose records were in the affected database table" is better than "an unknown number of users."

4. Likely consequences

Assess the potential impact on affected individuals: identity theft risk (if BVNs were exposed), financial fraud risk (if account credentials were compromised), reputational harm (if sensitive financial data like loan defaults were exposed). The NDPC evaluates whether you understood the severity of the breach.

5. Measures taken or proposed

This is where your response separates competence from negligence. Detail every action you have taken: systems isolated, credentials rotated, forensic investigation initiated, affected users notified, vulnerability patched. Then describe your forward plan: what additional measures you will implement to prevent recurrence.

This is also where a post-breach penetration test becomes invaluable. Including "we have engaged an independent security firm to conduct a verification pentest of the remediated vulnerability" demonstrates proactive remediation to the NDPC.

6. DPO contact details

Provide the name, email, and phone number of your Data Protection Officer (DPO). Under the NDPA, companies above the processing threshold must appoint a DPO. If you have not appointed one, the NDPC will note this as an additional compliance failure. The DPO serves as the primary point of contact for all NDPC communications during the investigation.

Template notification structure

Your breach notification letter should follow this structure. Have your legal counsel review and customise it before submission.

Need help preparing your breach notification or conducting a post-breach verification pentest?

Get Post-Breach Support

How the NDPC investigates

After receiving your notification, the NDPC will assess whether a formal investigation is warranted. The Commission examines several factors:

The investigation may include requests for your security audit reports, pentest reports, access control policies, encryption standards documentation, training records, and incident response logs. Producing these documents quickly (because they exist and are organised) versus slowly (because you are creating them after the fact) makes a material difference in how the NDPC evaluates your compliance posture.

The penalty structure

The NDPA introduced penalties with real financial teeth, a departure from the largely toothless NDPR that preceded it.

Data controllers

Up to ₦10 million or 2% of annual gross revenue, whichever is higher. For a fintech processing ₦5 billion annually, that is a potential fine of ₦100 million. This is per infraction, not a lifetime cap.

Data processors

Up to ₦5 million or 1% of annual gross revenue, whichever is higher. Processors who failed to notify their controller clients in time face independent liability.

Aggravating factors

Penalties increase when: notification was late or incomplete, the company lacked basic security measures (no encryption, no pentesting, no IR plan), the breach affected children's data or health records, or the company attempted to conceal the breach.

CBN additional penalties

CBN-licensed institutions face a parallel enforcement track. The CBN issued over ₦1 billion in cumulative cybersecurity-related fines in 2024. These penalties stack on top of NDPA fines, meaning a fintech can face dual regulatory action from both the NDPC and the CBN for the same incident.

How a post-breach pentest reduces your liability

The single most effective thing you can do to demonstrate remediation to the NDPC is commission an independent penetration test that specifically targets the vulnerability that was exploited in the breach.

This is not a routine annual pentest. It is a focused verification engagement that answers one question: "Is the specific vulnerability that caused this breach actually fixed?" The resulting report, produced by an independent third party, provides documented evidence that you have implemented "appropriate technical measures" to prevent recurrence.

When the NDPC asks "what have you done to prevent this from happening again?" your answer should be: "We patched the vulnerability within 24 hours and engaged Simpa Labs to independently verify the fix. Here is their report confirming the vulnerability is remediated and testing for related weaknesses."

This changes the regulatory conversation from "you were negligent" to "you responded effectively." It does not eliminate penalties entirely, but enforcement precedents consistently show reduced fines for companies that demonstrate rapid, verifiable remediation.

Common mistakes that make penalties worse

Compliance Reality

The NDPA changed everything

The predecessor regulation (NDPR 2019) lacked effective enforcement mechanisms, and many Nigerian fintechs treated data protection as optional. The NDPA 2023, backed by a fully empowered Nigeria Data Protection Commission, has changed the equation entirely. The Commission is actively investigating breaches, issuing fines, and publishing enforcement decisions. The era of consequence-free data negligence is over.

Frequently asked questions

What qualifies as a 'personal data breach' under the NDPA?

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes database exfiltration, ransomware that encrypts customer records, accidental exposure of data through misconfigured APIs, and even physical theft of devices containing unencrypted personal data.

Does the 72-hour clock start when the breach occurs or when I discover it?

The 72-hour notification window starts when you become 'aware' of the breach, not when the breach actually occurred. However, the NDPC will examine whether your detection capabilities were adequate. If an attacker was in your systems for 6 months before detection, the Commission will question whether you had appropriate monitoring in place.

Do I have to notify affected individuals as well as the NDPC?

Yes. If the breach is likely to result in a 'high risk' to the rights and freedoms of the data subjects (which includes financial data, BVNs, and health records), you must notify the affected individuals without undue delay. The notification must be in clear, plain language and must explain what data was compromised and what steps they should take.

Can a penetration test help after a breach has already occurred?

Yes. A post-breach penetration test validates that your remediation actually closed the vulnerability that was exploited. The resulting report serves as documented evidence to the NDPC that you have taken 'appropriate technical measures' to prevent recurrence. This can significantly reduce your fine exposure.

Related reading

Blog: NDPA vs NDPR: What Changed · Hacked: First 72 Hours · Cost of a Data Breach

Guides: NDPA Compliance Guide · After a Breach

Services: Penetration Testing · Secure Architecture Review