Who is required to report
Under the Nigeria Data Protection Act (NDPA) 2023, breach notification obligations apply to every data controller and data processor operating in Nigeria or processing the personal data of Nigerian residents. This is not limited to CBN-licensed institutions. If your fintech collects names, BVNs, NINs, email addresses, phone numbers, IP addresses, or biometric data, you are a data controller under the NDPA.
The obligation extends to processors as well. If you operate a BaaS (Banking-as-a-Service) platform that processes data on behalf of another fintech, you must notify your data controller client without "undue delay" after becoming aware of the breach, and the controller must then notify the NDPC.
There is no size exemption. A three-person startup processing 500 user records has the same notification obligations as a Tier-1 bank processing 10 million accounts. The NDPC has made this explicit in its 2025 enforcement guidance.
The 72-hour notification window
The clock starts the moment you become "aware" of a personal data breach. "Awareness" means the point at which you have a reasonable degree of certainty that a security incident has resulted in personal data being compromised.
Practically, this means:
- Alert from your SIEM or EDR tool showing data exfiltration triggers the clock when your security team reviews and confirms the alert.
- A customer reports suspicious activity and your investigation confirms unauthorised access. The clock starts when you confirm, not when the customer calls.
- A threat actor contacts you claiming to have your data (ransomware demand, extortion email). The clock starts immediately upon receipt.
- A third party notifies you that your data appeared on a dark web marketplace. The clock starts when you receive credible notification.
If you cannot complete the full notification within 72 hours, the NDPA allows you to submit an initial notification with available information and supplement it later. However, you must explain the reason for the delay. "We were still investigating" is acceptable. "We did not know we had to report" is not.
Late notification compounds penalties
The NDPC has publicly stated that failure to notify within the 72-hour window is treated as an aggravating factor in penalty calculations. In enforcement actions during 2024-2025, companies that self-reported promptly received significantly lower fines than those whose breaches were discovered through third-party reports or media coverage.
What the notification must include
A breach notification is not an email saying "we had an incident." The NDPA requires specific disclosures. Missing any of these gives the NDPC grounds to reject your notification as incomplete, resetting your compliance clock and increasing your liability.
1. Nature of the breach
Describe the type of incident: unauthorised access, data exfiltration, ransomware encryption, accidental disclosure, or insider threat. Specify the attack vector if known (e.g., exploited API vulnerability, compromised employee credentials, social engineering attack on support staff).
2. Categories of data affected
Enumerate the specific types of personal data compromised: full names, BVN numbers, NIN numbers, phone numbers, email addresses, residential addresses, date of birth, KYC documents (passport photos, utility bills), transaction histories, account balances, loan records, or biometric templates.
3. Number of data subjects
Provide the approximate number of individuals whose data was compromised. If you cannot determine the exact number, provide your best estimate and explain the methodology. "Between 10,000 and 15,000 users whose records were in the affected database table" is better than "an unknown number of users."
4. Likely consequences
Assess the potential impact on affected individuals: identity theft risk (if BVNs were exposed), financial fraud risk (if account credentials were compromised), reputational harm (if sensitive financial data like loan defaults were exposed). The NDPC evaluates whether you understood the severity of the breach.
5. Measures taken or proposed
This is where your response separates competence from negligence. Detail every action you have taken: systems isolated, credentials rotated, forensic investigation initiated, affected users notified, vulnerability patched. Then describe your forward plan: what additional measures you will implement to prevent recurrence.
This is also where a post-breach penetration test becomes invaluable. Including "we have engaged an independent security firm to conduct a verification pentest of the remediated vulnerability" demonstrates proactive remediation to the NDPC.
6. DPO contact details
Provide the name, email, and phone number of your Data Protection Officer (DPO). Under the NDPA, companies above the processing threshold must appoint a DPO. If you have not appointed one, the NDPC will note this as an additional compliance failure. The DPO serves as the primary point of contact for all NDPC communications during the investigation.
Template notification structure
Your breach notification letter should follow this structure. Have your legal counsel review and customise it before submission.
- Header: "Personal Data Breach Notification under Section 40 of the Nigeria Data Protection Act 2023." Include your company's NDPC registration number if applicable.
- Paragraph 1 - Incident summary: Date and time of discovery. Brief description of the incident type. Confirmation that the 72-hour window has not been exceeded (include exact timestamps).
- Paragraph 2 - Data scope: Categories of personal data affected. Approximate number of data subjects. Geographic scope of affected individuals.
- Paragraph 3 - Impact assessment: Likely consequences for data subjects. Whether the data was encrypted at rest (mitigating factor). Whether the exfiltrated data has appeared publicly (aggravating factor).
- Paragraph 4 - Response actions: Containment measures taken (with timestamps). Forensic investigation status. Root cause identification (if determined). Remediation steps completed and planned.
- Paragraph 5 - Data subject notification: Whether affected individuals have been notified. Method of notification. Content of notification provided to individuals. Protective measures offered (e.g., BVN fraud monitoring).
- Paragraph 6 - DPO contact: Full name, title, email address, and direct phone number of your DPO or designated contact person.
- Attachments: Incident timeline document. Forensic investigation preliminary findings (if available). Copy of notification sent to data subjects.
Need help preparing your breach notification or conducting a post-breach verification pentest?
Get Post-Breach SupportHow the NDPC investigates
After receiving your notification, the NDPC will assess whether a formal investigation is warranted. The Commission examines several factors:
- Adequacy of pre-breach measures: Did you have "appropriate technical and organisational measures" in place? This means encryption at rest and in transit, access controls, regular vulnerability assessments, penetration testing, security awareness training, and an incident response plan. If you cannot produce evidence of these measures, the NDPC presumes negligence.
- Speed and quality of response: Did you detect the breach promptly? Did you contain it effectively? Was your notification timely and complete? Companies with documented incident response plans that were actually followed receive more favourable treatment.
- Cooperation with the Commission: Did you provide requested documentation promptly? Were you transparent about the scope of the breach? Obstruction or evasion is treated as a separate offence.
- Prior compliance history: Has the NDPC previously issued guidance, warnings, or enforcement actions against your company? Repeat offenders face escalated penalties.
The investigation may include requests for your security audit reports, pentest reports, access control policies, encryption standards documentation, training records, and incident response logs. Producing these documents quickly (because they exist and are organised) versus slowly (because you are creating them after the fact) makes a material difference in how the NDPC evaluates your compliance posture.
The penalty structure
The NDPA introduced penalties with real financial teeth, a departure from the largely toothless NDPR that preceded it.
Data controllers
Up to ₦10 million or 2% of annual gross revenue, whichever is higher. For a fintech processing ₦5 billion annually, that is a potential fine of ₦100 million. This is per infraction, not a lifetime cap.
Data processors
Up to ₦5 million or 1% of annual gross revenue, whichever is higher. Processors who failed to notify their controller clients in time face independent liability.
Aggravating factors
Penalties increase when: notification was late or incomplete, the company lacked basic security measures (no encryption, no pentesting, no IR plan), the breach affected children's data or health records, or the company attempted to conceal the breach.
CBN additional penalties
CBN-licensed institutions face a parallel enforcement track. The CBN issued over ₦1 billion in cumulative cybersecurity-related fines in 2024. These penalties stack on top of NDPA fines, meaning a fintech can face dual regulatory action from both the NDPC and the CBN for the same incident.
How a post-breach pentest reduces your liability
The single most effective thing you can do to demonstrate remediation to the NDPC is commission an independent penetration test that specifically targets the vulnerability that was exploited in the breach.
This is not a routine annual pentest. It is a focused verification engagement that answers one question: "Is the specific vulnerability that caused this breach actually fixed?" The resulting report, produced by an independent third party, provides documented evidence that you have implemented "appropriate technical measures" to prevent recurrence.
When the NDPC asks "what have you done to prevent this from happening again?" your answer should be: "We patched the vulnerability within 24 hours and engaged Simpa Labs to independently verify the fix. Here is their report confirming the vulnerability is remediated and testing for related weaknesses."
This changes the regulatory conversation from "you were negligent" to "you responded effectively." It does not eliminate penalties entirely, but enforcement precedents consistently show reduced fines for companies that demonstrate rapid, verifiable remediation.
Common mistakes that make penalties worse
- Underreporting the scope: If you report that 5,000 records were affected and the NDPC's investigation reveals it was 50,000, you lose all credibility. Report your best estimate with clear methodology. It is better to over-estimate and later revise downward than to under-report and be caught.
- Destroying evidence: Wiping servers, deleting logs, or restoring from backup before forensic imaging makes it impossible to determine the true scope of the breach. The NDPC will assume the worst-case scenario for penalty calculation.
- Ignoring the processor notification chain: If you use third-party APIs or cloud services that process personal data on your behalf, and the breach originated from their systems, you are still the controller. You must still notify the NDPC. "Our vendor was breached, not us" is not a valid defence under the NDPA.
- Filing without legal review: Every word in your breach notification is a statement to a regulatory body with enforcement powers. Do not file without having legal counsel review the language. Admissions made in a breach notification can be used in subsequent civil litigation by affected data subjects.
- No evidence of pre-existing security measures: If you cannot produce a recent pentest report, a documented security policy, or training records, the NDPC presumes you had no security programme. This is the difference between "we were breached despite reasonable precautions" and "we were breached because we did nothing."
- Treating notification as a one-time event: The initial notification is just the beginning. The NDPC expects supplementary notifications as your investigation reveals additional details. Failing to update the Commission on new findings (e.g., additional data categories discovered to be compromised) is treated as concealment.
The NDPA changed everything
The predecessor regulation (NDPR 2019) lacked effective enforcement mechanisms, and many Nigerian fintechs treated data protection as optional. The NDPA 2023, backed by a fully empowered Nigeria Data Protection Commission, has changed the equation entirely. The Commission is actively investigating breaches, issuing fines, and publishing enforcement decisions. The era of consequence-free data negligence is over.
Frequently asked questions
What qualifies as a 'personal data breach' under the NDPA?
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes database exfiltration, ransomware that encrypts customer records, accidental exposure of data through misconfigured APIs, and even physical theft of devices containing unencrypted personal data.
Does the 72-hour clock start when the breach occurs or when I discover it?
The 72-hour notification window starts when you become 'aware' of the breach, not when the breach actually occurred. However, the NDPC will examine whether your detection capabilities were adequate. If an attacker was in your systems for 6 months before detection, the Commission will question whether you had appropriate monitoring in place.
Do I have to notify affected individuals as well as the NDPC?
Yes. If the breach is likely to result in a 'high risk' to the rights and freedoms of the data subjects (which includes financial data, BVNs, and health records), you must notify the affected individuals without undue delay. The notification must be in clear, plain language and must explain what data was compromised and what steps they should take.
Can a penetration test help after a breach has already occurred?
Yes. A post-breach penetration test validates that your remediation actually closed the vulnerability that was exploited. The resulting report serves as documented evidence to the NDPC that you have taken 'appropriate technical measures' to prevent recurrence. This can significantly reduce your fine exposure.
Related reading
Blog: NDPA vs NDPR: What Changed · Hacked: First 72 Hours · Cost of a Data Breach
Guides: NDPA Compliance Guide · After a Breach
Services: Penetration Testing · Secure Architecture Review