What changed with the NDPA 2023
The NDPR 2019 was a NITDA instrument with limited enforcement teeth. The NDPA 2023 is primary legislation creating a fully independent supervisory authority. The territorial scope covers any organisation processing personal data about Nigerians, including foreign entities. For the full statutory text, see the full text of the NDPA 2023. For our practical guide to meeting these requirements, see our NDPR/NDPA compliance guide.
The NDPC's enforcement powers
The NDPC can create guidelines, investigate breaches, conduct audits, issue cease and desist orders, impose sanctions, and halt processing entirely during investigations. It collaborates with the Inspector General of Police's office for enforcement. See DLA Piper's Nigeria data protection guide.
Core obligations under the NDPA
Six data processing principles (Section 24)
Lawfulness, fairness, and transparency. Purpose limitation. Data minimisation. Accuracy. Storage limitation. Integrity and confidentiality. These six principles are the baseline against which the NDPC measures compliance.
Lawful basis for processing
Six lawful bases: consent, contract, legal obligation, legitimate interests, vital interests, and public task. Most Nigerian businesses default to consent without understanding what valid consent requires: freely given, specific, informed, and revocable. Pre-ticked boxes and bundled consent clauses do not qualify.
72-hour breach notification
When a breach occurs, you must notify the NDPC within 72 hours of discovery. That window requires having a breach response plan in place before an incident. For guidance on building yours, see our after a breach guide.
Data subject rights
The NDPA grants the right to be informed, access, rectification, erasure, restriction, objection, portability, and human oversight over automated decision-making. Data subjects can file complaints directly with the NDPC. See rights of a data subject under the NDPA.
The technical infrastructure is where most organisations fall short. Encryption, access management, data deletion workflows, and audit logging are engineering tasks, not policy documents. If your systems cannot locate a specific customer's data on demand, your compliance programme has a gap that paperwork alone will not close.
Need help building NDPA-compliant technical infrastructure?
Talk to an EngineerData Protection Officer requirements
Organisations classified as data controllers of major importance must appoint a DPO. The minimum qualification is a bachelor's degree in law, CS, IT, cybersecurity, or business administration plus two years of relevant experience. The NDPC DPO Training and Certification Programme is available in Abuja and Lagos.
What non-compliance costs
Major importance entities face fines of up to 2% of annual gross revenue or ₦10 million, whichever is greater. All others face up to 2% or ₦2 million. Failure to comply with Commission orders adds criminal liability. Fidelity Bank was fined ₦555.8 million in August 2024. The ₦7.2 billion total includes 246 breach investigations. Cease and desist orders are operationally more dangerous than fines: when the NDPC orders you to stop processing personal data, your customer-facing systems may stop functioning.
Compliance checklist
- Register with the NDPC based on classification level
- Audit data flows: what you collect, why, how long, who has access
- Update privacy policy to meet NDPA transparency requirements
- Establish and document a lawful basis for every processing category
- Appoint a DPO with NDPC-aligned certification
- Build a breach response plan enabling 72-hour notification
- Implement encryption, access controls, pseudonymisation, audit logs
- Conduct DPIAs for high-risk processing before it begins
For the fintech-specific version of this checklist, see our detailed NDPR data privacy checklist for fintechs.
Compliance is an operating condition, not a project
Organisations treating Nigeria data protection as a one-time project will keep getting caught out. The ones that build compliance into operations, with working technical safeguards and documented processes, will not need to scramble when a breach notification clock starts ticking.
Related reading
Blog: NDPR privacy checklist for fintechs · Protect your business from hackers · Top Nigerian vulnerabilities
Guides: NDPR/NDPA compliance · CBN compliance · After a breach
Services: Penetration testing · Vulnerability assessment