Nigeria NDPR: Data Protection Regulation Compliance
Nigeria has Africa's largest economy and is its most populous nation, making it a critical market for businesses across the continent. Nigeria's data protection framework has undergone significant development: from the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA) in January 2019, to the Nigeria Data Protection Act 2023 (NDPA) — signed into law on June 14, 2023 — which established the Nigeria Data Protection Commission (NDPC) as an independent data protection authority and elevated data protection to statutory law.
Understanding both the NDPR (which remains relevant for transitional compliance) and the new NDPA 2023 framework is essential for any organisation with Nigerian operations, employees, or customers.
Key Takeaways
- The Nigeria Data Protection Act 2023 (NDPA) supersedes the NDPR and establishes the NDPC as the independent supervisory authority
- The NDPA applies to processing of personal data in Nigeria and extraterritorially where goods/services are offered to Nigerians or Nigerian individuals' behaviour is monitored
- Six lawful bases for processing exist, with consent as the primary basis for consumer data
- Sensitive personal data (health, biometrics, race, religion, political opinions, sexual orientation) requires explicit consent with limited exceptions
- "Data processors" and "data controllers of major importance" face specific additional obligations including audit and compliance filing requirements
- Cross-border transfer restrictions require adequacy, appropriate safeguards, or consent
- The NDPC can impose fines up to 2% of annual gross revenue or ₦10 million, whichever is higher, for general violations; up to ₦50 million for serious violations
- All data controllers must conduct annual data protection audits with NITDA-licensed auditors
Nigeria's Data Protection Framework
From NDPR to NDPA
NDPR 2019 (Nigeria Data Protection Regulation): Issued under NITDA's mandate, not a formal Act of Parliament. Applied to natural persons and entities handling personal data of Nigerian residents. Established basic data protection principles, individual rights, and compliance requirements including mandatory annual audits by NITDA-licensed auditors.
NDPA 2023 (Nigeria Data Protection Act): Enacted by the National Assembly and signed by the President on June 14, 2023. Establishes the NDPC as an independent statutory body; elevates data protection obligations to primary legislation; introduces new rights and obligations; aligns more closely with GDPR; supersedes conflicting provisions of the NDPR.
Transition: The NDPC has indicated that NDPR compliance mechanisms and guidance remain applicable during the transition period. Organisations that were NDPR-compliant should review the NDPA for additional obligations.
NDPA Scope
The NDPA applies to:
- Processing of personal data in Nigeria
- Processing of personal data by Nigerian entities regardless of where processing occurs
- Processing by overseas entities where goods/services are offered to individuals in Nigeria, or where the behaviour of individuals in Nigeria is monitored
Key Definitions and Data Categories
Personal data: Any information relating to an identifiable individual — directly or indirectly identifiable by reference to name, identification number, location data, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Sensitive personal data (Schedule 1 of NDPA): Requires heightened protection and explicit consent. Categories include:
- Genetic or biometric data
- Health or medical records
- Race or ethnic origin
- Religious or political beliefs
- Trade union membership
- Sexual orientation or activities
- Data concerning a child
Child data: Specific protections apply to data of children (defined as individuals under 18 under Nigerian law). Parental or guardian consent required for processing children's personal data. Verified parental consent mechanisms must be implemented for online services directed at children.
Lawful Bases for Processing
Section 25 of the NDPA establishes six lawful bases:
- Consent: Freely given, specific, informed, and unambiguous indication of agreement. Must be withdrawable at any time without detriment.
- Contract: Processing necessary for the performance of a contract with the data subject, or to take steps at the request of the data subject prior to entering a contract.
- Legal obligation: Processing necessary to comply with a legal obligation of the controller.
- Vital interests: Processing necessary to protect the vital interests of the data subject or another person.
- Public interest: Processing necessary for the performance of a task carried out in the public interest, or in the exercise of official public mandate vested in the controller.
- Legitimate interests: Processing necessary for the purposes of legitimate interests pursued by the controller or a third party — except where overridden by the fundamental rights and freedoms of the data subject. (Note: This basis cannot be relied upon by a public authority in the performance of its tasks.)
Consent requirements: Must be specific to each processing purpose; freely given (no conditioning of contract on consent to non-essential processing); recorded and demonstrable; as easy to withdraw as to give. Pre-ticked boxes, silence, or inactivity do not constitute valid consent.
Data Subject Rights
The NDPA grants individuals the following rights, exercisable without undue delay from the controller:
| Right | Standard | Notes |
|---|---|---|
| Right to be informed | At or before collection | Collection notices required |
| Right of access | Without undue delay | Can request copy of data held |
| Right to rectification | Without undue delay | Correct inaccurate or incomplete data |
| Right to erasure | Without undue delay | Where processing conditions no longer apply |
| Right to restrict processing | Without undue delay | Where accuracy contested or objection pending |
| Right to data portability | Without undue delay | Machine-readable format, technically feasible |
| Right to object | Without undue delay | Object to processing based on legitimate interests or public interest |
| Rights re. automated decisions | Without undue delay | Object to significant automated decisions; request human review |
Response timelines: The NDPA requires responses "without undue delay" — NDPC guidance indicates 30 days as a reasonable standard, with extension to 60 days for complex requests if the data subject is notified within the first 30 days.
Controller Obligations
Privacy Notice
Controllers must provide privacy information at or before collection:
- Identity and contact details of the controller
- Contact details of the Data Protection Officer (if applicable)
- Purposes and lawful bases for processing
- Recipients or categories of recipients of personal data
- Transfers to third countries and safeguards
- Retention periods or criteria for determining them
- Data subject rights and how to exercise them
- Right to withdraw consent (where consent is the basis)
- Right to lodge a complaint with the NDPC
Language: Privacy notices for Nigerian operations should be in English (Nigeria's official language) and may need to include vernacular translations for consumer-facing products in areas with significant non-English-speaking populations.
Data Protection Officer (DPO)
The NDPA requires appointment of a DPO for:
- Data controllers or processors of major importance (defined as those processing data of more than 10,000 data subjects per month, or processing sensitive data as a core activity)
- Public authorities
DPO responsibilities:
- Inform and advise on data protection obligations
- Monitor compliance with NDPA and internal policies
- Act as contact point for data subjects and the NDPC
- Cooperate with NDPC investigations
Annual Data Protection Audit
One of Nigeria's most distinctive compliance requirements: all data controllers must conduct and file an annual data protection audit with the NDPC (formerly NITDA under NDPR). The audit must be conducted by a NITDA-licensed Data Protection Compliance Organisation (DPCO). The DPCO issues an audit report covering the controller's data protection practices, compliance gaps, and remediation recommendations. This must be filed with the NDPC annually.
Audit scope covers:
- Data inventory and flow mapping
- Lawful basis documentation
- Privacy notice adequacy
- Security measures
- Data subject rights procedures
- Cross-border transfer compliance
- Breach notification procedures
- Staff training
Cost: Audit fees vary by DPCO; expect ₦500,000–₦5,000,000+ depending on organisation size and complexity.
Data Protection Impact Assessments (DPIAs)
Section 30 requires DPIAs for high-risk processing activities including:
- Systematic evaluation of personal aspects using automated processing, profiling, or predictions
- Large-scale processing of sensitive personal data
- Systematic monitoring of publicly accessible areas on a large scale
Security Requirements
Section 38 of the NDPA requires technical and organisational security measures appropriate to the risk. The NDPC and NITDA have issued technical guidance specifying:
Minimum technical measures:
- Encryption of personal data in storage and transmission (TLS for transmission, AES-256 for sensitive data)
- Access control with authentication and least privilege
- Pseudonymisation where feasible
- System audit trails and access logs
- Regular security testing (at least annually)
- Incident detection and response capabilities
- Secure backup and recovery
Minimum organisational measures:
- Documented privacy and security policies
- Staff training on data protection obligations
- Data classification framework
- Vendor/processor security assessments
- Physical security controls for data processing facilities
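The following is an added example, not code from the page or from ECOSIRE, showing how three of the Section 38 minimum measures listed above fit together in application code: keyed pseudonymisation of the direct identifier, least-privilege access control by role, and an access audit trail that records every read, granted or withheld. It uses only the Python standard library; the key, role names, field names and the sample record are all constructed for the demo, and encryption of the stored data itself (AES-256 at rest, TLS in transit) is assumed to be handled by the storage and transport layers rather than shown here.

```python
"""Added example (not the page's code): field-level NDPA Section 38 controls.
Pseudonymisation, least-privilege access and an audit trail, stdlib only.
Every key, role, field name and record below is constructed for the demo."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production the pseudonymisation key lives in a
# KMS/HSM and is never committed to source or stored beside the data it protects.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Schedule 1 categories a record may carry (field names are assumptions).
SENSITIVE_FIELDS = {"health_record", "biometric_id"}

# Least privilege: each role sees only the fields its purpose requires.
# Role names are assumptions for the demo.
ROLE_PERMISSIONS = {
    "support_agent": {"name", "email"},
    "clinician": {"name", "email", "health_record"},
    "dpo": {"name", "email", "health_record", "biometric_id"},
}

# Append-only audit trail; a real deployment writes to tamper-evident storage.
AUDIT_LOG: list[dict] = []


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym. A plain hash of a low-entropy identifier
    (phone number, national ID) can be reversed by enumeration; the secret key
    prevents that, and rotating the key unlinks old pseudonyms from new ones."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def sensitive_fields_in(record: dict) -> set:
    """Flag Schedule 1 fields present so the caller can verify explicit consent."""
    return SENSITIVE_FIELDS & set(record)


def access_record(record: dict, role: str, actor: str, purpose: str) -> tuple[dict, list]:
    """Return the view of `record` the role may see plus the fields withheld.
    The direct identifier is always replaced by its pseudonym, and every access,
    whether fields were granted or withheld, is appended to AUDIT_LOG."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    view, withheld = {}, []
    for field, value in record.items():
        if field == "subject_id":
            view[field] = pseudonymise(value)
        elif field in allowed:
            view[field] = value
        else:
            withheld.append(field)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "role": role,
        "purpose": purpose,
        "subject": pseudonymise(record.get("subject_id", "")),
        "granted": sorted(f for f in view if f != "subject_id"),
        "withheld": sorted(withheld),
        "sensitive_touched": sorted(SENSITIVE_FIELDS & set(view)),
    })
    return view, sorted(withheld)


if __name__ == "__main__":
    # Constructed sample record; not real data.
    record = {
        "subject_id": "NIN-00000000001",
        "name": "A. Example",
        "email": "a.example@example.invalid",
        "health_record": "constructed-diagnosis-text",
    }
    print("sensitive fields present:", sorted(sensitive_fields_in(record)))
    for role in ("support_agent", "clinician"):
        view, withheld = access_record(record, role, f"{role}-01", "customer query")
        print(role, "sees", sorted(view), "withheld", withheld)
    print(json.dumps(AUDIT_LOG, indent=2))
```

The audit entry records the pseudonym rather than the raw identifier, so the log itself does not become a second copy of the personal data; the `sensitive_touched` field gives the DPO a direct query for every read of Schedule 1 data when preparing the annual audit.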
Cross-Border Data Transfers
Section 43 of the NDPA restricts transfers of personal data outside Nigeria. Permitted mechanisms:
- NDPC adequacy decision: Transfer to a country determined by the NDPC to have adequate data protection
- Appropriate safeguards: Transfer under safeguards providing enforceable rights to data subjects, including:
- Legally binding instrument between public authorities
- Binding corporate rules
- Standard contractual clauses approved by NDPC
- Certification mechanism with binding commitments
- Explicit consent: Informed consent of the data subject to the proposed transfer, having been told of the risks and of the absence of an adequacy decision or appropriate safeguards
- Contract necessity: Transfer necessary for contract between data subject and controller
- Vital interests: Protection of vital interests where consent cannot be obtained
- Public interest: Transfer necessary for important public interest
NDPC adequacy determinations: The Commission is developing its adequacy framework. As of early 2026, no formal adequacy decisions have been published. Standard contractual clauses are the recommended mechanism for routine cross-border transfers while the adequacy framework matures.
Breach Notification
Section 40 of the NDPA requires notification of personal data breaches:
Notification to NDPC: Within 72 hours of becoming aware of a breach that is likely to result in risk to the rights and freedoms of individuals.
Notification to affected individuals: Without undue delay, where the breach is likely to result in high risk to their rights and freedoms.
Notification content to NDPC:
- Nature of the breach and categories/approximate number of affected data subjects
- Categories and approximate number of affected personal data records
- Contact details of the DPO
- Likely consequences of the breach
- Measures taken or proposed to address the breach, including measures to mitigate adverse effects
Documentation: All breaches (even those not requiring notification) must be documented internally with facts, effects, and remediation actions.
NDPC Enforcement and Penalties
The Nigeria Data Protection Commission (NDPC) is an independent government agency established under the NDPA 2023. Powers include:
- Receiving and investigating complaints
- Conducting audits (planned and unannounced)
- Issuing compliance notices
- Imposing administrative sanctions
- Referring criminal violations to the Attorney General
Administrative penalties:
| Violation Category | Maximum Penalty |
|---|---|
| General violations of NDPA obligations | 2% of annual gross revenue or ₦10 million, whichever is higher |
| Serious violations (sensitive data, children's data, cross-border transfers) | 2% of annual gross revenue or ₦50 million, whichever is higher |
| Repeat violations within 24 months | Doubled penalty |
Criminal penalties: The NDPA provides for criminal liability for certain violations, including unlawful trading in personal data. NDPA Section 48 provides for criminal sanctions including imprisonment.
NITDA enforcement history: Under the NDPR, NITDA imposed fines including: Spenmo Technologies (₦10 million), Julius Berger Nigeria (₦10 million), Integrated Corporate Services Limited (₦4 million). These demonstrate active enforcement extending to both domestic and international companies operating in Nigeria.
NDPA Compliance Checklist
- NDPA applicability confirmed (Nigeria operations, Nigerian customers/employees)
- Personal data inventory completed
- Sensitive personal data identified — explicit consent obtained
- Children's data identified — parental consent mechanisms implemented
- Lawful basis documented for every processing activity
- Privacy notice prepared in English with all required disclosures
- DPO appointed where required (10,000+ data subjects/month or sensitive data core activity)
- Annual data protection audit planned with a NITDA-licensed DPCO
- Data subject rights procedures documented
- Cross-border transfer assessment completed — SCCs or other mechanism in place
- Security measures implemented (encryption, access control, audit logging)
- DPIA conducted for high-risk processing activities
- Breach notification procedure documented (72-hour NDPC notification)
- Employee training on NDPA obligations completed
- Processor agreements (Data Processing Agreements) reviewed and updated
Frequently Asked Questions
Is the NDPR still relevant now that the NDPA 2023 has been enacted?
The NDPA 2023 supersedes conflicting provisions of the NDPR. However, the NDPC has indicated that NDPR guidance and compliance mechanisms remain applicable during the transition period. Importantly, the annual audit requirement — one of NDPR's most distinctive features — continues under the NDPA. Organisations that built their compliance programmes around NDPR should review the NDPA for new or enhanced obligations, particularly around data subject rights, sensitive data, cross-border transfers, and the DPO requirement.
What is a Data Protection Compliance Organisation (DPCO) and why do I need one?
A DPCO is an organisation licensed by NITDA/NDPC to provide data protection audit and compliance services. The annual data protection audit required under Nigerian law must be conducted by a licensed DPCO — self-assessment alone does not satisfy the requirement. DPCOs review your data protection practices, issue a compliance report, and file the audit with the NDPC on your behalf. A list of licensed DPCOs is available on the NITDA and NDPC websites. For overseas companies with Nigerian operations, engaging a DPCO is essential for meeting the annual audit obligation.
What does "data controller of major importance" mean and what are the additional obligations?
Data controllers of major importance are defined as those who process personal data of more than 10,000 data subjects per month, or who process sensitive personal data as a core activity. Additional obligations for these entities include: mandatory DPO appointment, registration with the NDPC (separate from VERBİS-type registry), enhanced annual audit requirements, and potential additional compliance filings. Medium and large eCommerce businesses, financial services companies, health platforms, and telecoms operators are likely to qualify as data controllers of major importance.
How does Nigeria's NDPA compare to GDPR?
The NDPA draws heavily on GDPR in structure and content — six lawful bases, same categories of sensitive data (plus biometrics and genetic data), similar data subject rights, DPO requirements, DPIA obligations, and breach notification. Key differences: (1) Nigeria's mandatory annual external audit has no GDPR equivalent; (2) NDPC adequacy determinations are less developed than the EU Commission's adequacy framework; (3) Nigeria's enforcement infrastructure is newer and still developing; (4) The NDPA's penalties are generally lower in absolute terms than GDPR maximums for large companies; (5) Nigeria's cross-border transfer rules are similarly structured to GDPR but the specific mechanisms differ in implementation.
Does NDPA apply to Nigerian companies operating abroad?
Yes. The NDPA applies to Nigerian entities regardless of where processing occurs. A Nigerian company with offshore cloud infrastructure, overseas subsidiaries, or international operations remains subject to NDPA for processing Nigerian individuals' data. Conversely, overseas entities processing data of Nigerians within Nigeria, or offering goods/services to Nigerians, are also subject to the NDPA's extraterritorial provisions. This creates a dual obligation for Nigerian multinationals — NDPA compliance for Nigerian data plus compliance with laws in each country where they operate.
Next Steps
Nigeria's data protection landscape is maturing rapidly, with the NDPA 2023 establishing a stronger statutory framework and the NDPC building enforcement capacity. For businesses with Nigerian operations — whether local companies or international firms serving the Nigerian market — building a comprehensive compliance programme that satisfies both the NDPA and the NDPR's ongoing requirements is essential.
ECOSIRE helps businesses operating in Africa navigate Nigeria's NDPA compliance requirements, implement data protection by design, and establish the governance frameworks required by the NDPC.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Nigeria's data protection framework is evolving as the NDPC issues implementing guidance and regulations. Consult qualified Nigerian legal counsel for advice specific to your organisation.
Written by: ECOSIRE Team (Technical Writing)