NDPR Data Privacy Checklist for Nigerian Fintechs

Why NDPR compliance is a live enforcement risk

The NDPA 2023 replaced the NDPR with a full statutory commission. The NDPC has formal enforcement powers: fines of up to 2% of annual gross revenue or ₦10 million. The Commission collected ₦7.2 billion in cumulative penalties by early 2026 and investigated over 1,300 firms in 2025 alone. See NDPC registration requirements and our Nigeria data protection guide.

CBN requirements layer on top

The CBN mandates CSAT cybersecurity assessments covering governance, risk management, technology controls, and incident response. False or incomplete submissions constitute a regulatory breach under BOFIA 2020. KYC, CDD, and AML obligations converge with data protection. See our CBN compliance guide.

Start with data mapping

BVNs, NINs, financial transaction records, device identifiers, location data, credit history, onboarding documents, behavioral event data, and third-party SDK data all constitute personal data under the NDPA. Every data point requires a documented lawful processing purpose. "We use it to improve the product" is not a lawful basis.

List every collection touchpoint: onboarding forms, in-app events, API integrations, and vendor connections. For each, document what data is collected, where it is stored, who can access it, how long it is retained, and how it is actually used. Map every instance of sharing with external processors. The data map also reveals where you need to stop collecting (data minimisation).
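A data map is only useful if it can be checked. The script below is an added example, not part of this article or any NDPC tool: it encodes the inventory described above as records and flags the gaps the checklist cares about (no documented purpose, an unsupported lawful basis, no retention period, an international processor with no documented transfer arrangement). The set of accepted bases, the vague-purpose phrases, and the sample records are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed vocabulary for this example; adjust to your own policy wording.
ACCEPTED_BASES = {"consent", "contract", "legal_obligation"}
VAGUE_PURPOSES = {"improve the product", "analytics", "future use"}


@dataclass
class Processor:
    name: str
    country: str                 # ISO code; "NG" is domestic
    transfer_mechanism: str = ""  # e.g. "SCC" when the processor sits outside Nigeria


@dataclass
class DataPoint:
    name: str                    # the personal-data element (BVN, device ID, ...)
    touchpoint: str              # where it is collected
    purpose: str
    lawful_basis: str
    retention_days: Optional[int]
    processors: List[Processor] = field(default_factory=list)


def check_data_point(dp: DataPoint) -> List[str]:
    """Return one finding per checklist gap for a single inventory record."""
    tag = f"{dp.name}@{dp.touchpoint}"
    findings = []
    if not dp.purpose.strip() or dp.purpose.strip().lower() in VAGUE_PURPOSES:
        findings.append(f"{tag}: no documented lawful purpose (minimisation candidate)")
    basis = dp.lawful_basis.strip().lower()
    if basis == "legitimate interests":
        findings.append(f"{tag}: 'legitimate interests' is not an NDPR lawful basis")
    elif basis not in ACCEPTED_BASES:
        findings.append(f"{tag}: unrecognised lawful basis '{dp.lawful_basis}'")
    if dp.retention_days is None or dp.retention_days <= 0:
        findings.append(f"{tag}: retention period not defined")
    for p in dp.processors:
        if p.country.upper() != "NG" and not p.transfer_mechanism:
            findings.append(f"{tag}: transfer to {p.name} ({p.country}) has no documented mechanism")
    return findings


def audit(data_map: List[DataPoint]) -> List[str]:
    return [f for dp in data_map for f in check_data_point(dp)]


# Constructed sample inventory: one clean record, one with every gap, one clean domestic record.
SAMPLE_MAP = [
    DataPoint("BVN", "onboarding", "identity verification", "consent", 365,
              [Processor("cloud-host", "US", "SCC")]),
    DataPoint("device_id", "in-app events", "improve the product", "legitimate interests", None,
              [Processor("analytics-sdk", "US")]),
    DataPoint("location", "in-app events", "fraud detection", "contract", 90),
]
```

Running `audit(SAMPLE_MAP)` yields four findings, all on the `device_id` record; each one maps directly to an item on the checklist below.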

The NDPR data privacy checklist

1. DPO appointment and NDPC registration

Under NDPA Section 32, fintechs processing data at scale must appoint a DPO. Processing the data of more than 1,000 individuals in six months or 2,000 in twelve months triggers major data controller status. This requires mandatory NDPC registration and annual CAR submission by March 15 through a licensed DPCO. See KPMG's NDPC registration guidance.

2. Consent management

Consent must be explicit and informed: no pre-ticked boxes and no consent bundled with T&Cs. Your privacy policy must be publicly available on every data collection medium and cover data types, retention periods, third-party sharing, and user rights (access, rectification, deletion, portability).

3. DPIAs for high-risk processing

Required for large-scale credit scoring, behavioral profiling, biometric verification, and real-time transaction monitoring. A completed DPIA is your primary evidence of proactive compliance. Fintechs that skip DPIAs consistently fail audits.

4. 72-hour breach notification

NDPA Section 41 requires notification to the NDPC within 72 hours of awareness, and to affected data subjects when the breach poses a risk. The clock starts from when you become aware, not when the breach occurred. Your incident response plan must include detection protocols, escalation steps, assessment criteria, an NDPC notification template, and customer communication. The plan must be tested, not merely documented. See our after a breach guide.

Cross-border data transfers

Nigerian fintechs handling EU resident data cannot rely on Nigeria's domestic framework to satisfy GDPR. You need Standard Contractual Clauses or another GDPR-compliant mechanism. Fintechs using international processors (AWS, Google Cloud, Stripe) must contractually document transfer arrangements. Note: NDPR does not include "legitimate interests" as a lawful processing basis, unlike GDPR. See the EU adequacy framework.

Preparing for an NDPC audit

The NDPC audits three areas: people (DPO qualifications, training records), processes (policies, consent records, breach logs, DPIAs), and technology (encryption, access controls, data retention). The CAR requires a complete data processing inventory, security measures documentation, privacy policies, DPO proof, and NDPC registration confirmation. For fintechs using AI for credit scoring or fraud detection, documentation of those processing activities is specifically required.

Start here

Start with the data map

Map every collection point, every processor, every retention period. Then appoint your DPO, register with the NDPC, implement consent controls, complete DPIAs, and test your breach response plan. If you're not sure where your gaps are, a structured privacy audit is the fastest way to find them.
