The Nigeria Data Protection Act (NDPA) 2023 is Nigeria's first comprehensive, standalone data protection law, replacing the earlier Nigeria Data Protection Regulation (NDPR) of 2019. Signed into law on 12 June 2023, the NDPA establishes the Nigeria Data Protection Commission (NDPC) as an independent regulatory body and introduces binding obligations for every organisation that processes the personal data of Nigerian data subjects. Penalties for non-compliance can reach up to 2% of annual gross revenue or NGN 10 million, whichever is greater. This guide provides a structured compliance checklist for organisations operating in Nigeria. For a platform that centralises NDPA compliance alongside other governance requirements, see GRC software for Nigerian organisations.

What Is the NDPA?

The Nigeria Data Protection Act, 2023 is Nigeria's principal data protection legislation. It repeals the earlier NDPR (which was a regulation issued by NITDA) and establishes a comprehensive, statute-backed framework for the protection of personal data. The Act received presidential assent on 12 June 2023 and came into force immediately upon signing.

The NDPA is administered by the Nigeria Data Protection Commission (NDPC), an independent body established under Part II of the Act. The NDPC has the power to issue regulations, conduct investigations, impose administrative sanctions, and enforce compliance across all sectors of the Nigerian economy.

Key definitions under the NDPA:

  • Personal data: Any information relating to an identified or identifiable natural person — including name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person (Section 65)
  • Sensitive personal data: Data revealing racial or ethnic origin, religious or similar beliefs, political opinions, health status, sexual life, genetic or biometric data, trade union membership, and criminal records (Section 30)
  • Data controller: A person who determines the purposes and means of processing personal data (Section 65)
  • Data processor: A person who processes personal data on behalf of a data controller (Section 65)
  • Data subject: An identified or identifiable natural person to whom personal data relates
  • Data Protection Officer (DPO): The officer responsible for monitoring internal compliance and advising the data controller or processor on data protection obligations

NDPA Replaces the NDPR

The NDPA supersedes the Nigeria Data Protection Regulation (NDPR) 2019 and the NDPR Implementation Framework 2020. However, regulations, orders, and guidelines issued under the NDPR remain in force to the extent that they are consistent with the NDPA, until the NDPC issues new replacements. Organisations previously compliant with the NDPR should conduct a gap analysis against the NDPA's expanded requirements.

Who Must Comply?

The NDPA applies to every organisation — public or private — that processes personal data of data subjects who are in Nigeria, regardless of whether the data controller or processor is located within or outside Nigeria (Section 2). This extraterritorial scope is similar to the GDPR.

Specifically, the Act applies where:

  • The data controller or processor is established in Nigeria and processes personal data in the context of that establishment
  • The data controller or processor is not established in Nigeria but processes personal data of data subjects who are in Nigeria, where the processing relates to offering goods or services to data subjects in Nigeria or monitoring the behaviour of data subjects in Nigeria
  • The processing is carried out by a Nigerian embassy, consulate, or mission abroad

Limited exemptions apply for personal or household activities, national security processing (subject to safeguards), and processing by a natural person in the course of a purely personal activity (Section 2(3)).

Key Provisions of the NDPA

The NDPA establishes a comprehensive set of obligations for data controllers and processors. Below are the principal provisions that organisations must address.

Lawful Basis for Processing (Section 25)

Processing of personal data is only lawful if at least one of the following grounds applies:

  • Consent — The data subject has given clear, informed consent for processing for one or more specific purposes
  • Contract — Processing is necessary for the performance of a contract to which the data subject is party
  • Legal obligation — Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Vital interests — Processing is necessary to protect the vital interests of the data subject or another natural person
  • Public interest — Processing is necessary for the performance of a task carried out in the public interest
  • Legitimate interest — Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights of the data subject

Data Subject Rights (Part IV)

The NDPA grants data subjects the following rights:

  • Right to be informed — The data subject must be informed of the processing of their personal data (Section 34)
  • Right of access — The data subject may request confirmation of processing and access to their personal data (Section 35)
  • Right to rectification — The data subject may request correction of inaccurate personal data (Section 36)
  • Right to erasure — The data subject may request deletion of their personal data where there is no compelling reason for continued processing (Section 37)
  • Right to restrict processing — The data subject may request the restriction of processing in certain circumstances (Section 38)
  • Right to data portability — The data subject may receive their personal data in a structured, commonly used, and machine-readable format (Section 39)
  • Right to object — The data subject may object to processing based on legitimate interests or public interest grounds (Section 40)
  • Right not to be subject to automated decision-making — The data subject has the right not to be subject to a decision based solely on automated processing, including profiling (Section 41)

Breach Notification (Section 40)

Data controllers must notify the NDPC of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also notify the affected data subjects without undue delay. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

Cross-Border Transfers (Section 43)

Personal data may be transferred to a country or international organisation outside Nigeria only if the NDPC has determined that the receiving country ensures an adequate level of protection, or if appropriate safeguards are in place — including binding corporate rules, standard contractual clauses approved by the NDPC, or the data subject's explicit consent. The NDPC may issue a whitelist of countries with adequate protection.

Cross-Border Transfers Require Documentation

Under the NDPA, every cross-border transfer must be documented with the lawful basis, the safeguards in place, and the assessment of adequacy of the receiving country. Organisations using cloud infrastructure hosted outside Nigeria must ensure their data processing agreements address these requirements explicitly. Failure to document transfers is a compliance gap that the NDPC can investigate.

NDPA Compliance Checklist

Use this structured checklist to assess and track your organisation's NDPA compliance. Each item maps to a specific provision and can be tracked as a compliance obligation in your GRC platform.

Governance & Accountability

  • Appoint a Data Protection Officer (DPO) where required under Section 31
  • Register with the NDPC as a data controller or data processor of major importance, if applicable
  • Develop and publish a data protection policy aligned with the NDPA
  • Establish a data governance structure with clear roles, responsibilities, and reporting lines
  • Conduct a data protection impact assessment (DPIA) for high-risk processing activities (Section 29)
  • Maintain a record of processing activities (ROPA) as required by Section 28

Lawful Processing & Consent

  • Identify and document the lawful basis for every processing activity (Section 25)
  • Where consent is the chosen basis, ensure it is freely given, specific, informed, and unambiguous
  • Implement a mechanism for data subjects to withdraw consent at any time
  • Maintain consent records with timestamps and details of what the data subject was told
  • Ensure special categories of personal data are processed only on permitted grounds (Section 30)

Transparency & Data Subject Notification

  • Draft and publish a privacy notice compliant with Section 34 requirements
  • Ensure the privacy notice is provided at or before the point of data collection
  • Include clear information about data subject rights, purpose of processing, retention periods, and transfer arrangements
  • Review all data collection points — forms, apps, websites, contracts — for compliance

Security Safeguards

  • Implement appropriate technical and organisational measures to protect personal data (Section 27)
  • Conduct a risk assessment to identify foreseeable internal and external threats
  • Deploy encryption, pseudonymisation, access controls, and intrusion detection as appropriate
  • Regularly test and verify the effectiveness of security measures
  • Ensure data processors have adequate security measures through binding data processing agreements

Data Subject Rights

  • Establish processes to receive, verify, and respond to data subject access requests
  • Establish processes for rectification, erasure, restriction, portability, and objection requests
  • Define response timelines (the NDPA generally requires responses within 30 days)
  • Train staff on how to identify and escalate data subject requests

Breach Response

  • Develop a documented data breach response procedure
  • Define escalation timelines — 72 hours to NDPC, without undue delay to data subjects
  • Establish a breach register to record all incidents, including those that do not meet the notification threshold
  • Conduct regular breach response exercises and tabletop simulations

Cross-Border Transfers

  • Identify all cross-border transfers of personal data
  • Assess the adequacy of data protection in each receiving country
  • Implement appropriate safeguards — SCCs, BCRs, or explicit consent — where adequacy is not established
  • Document the lawful basis for each transfer
  • Include transfer provisions in all data processing agreements

Data Protection Officer Requirements

Under Section 31 of the NDPA, certain data controllers and processors must appoint a Data Protection Officer (DPO). The DPO is responsible for:

  • Monitoring compliance — Ensuring the organisation complies with the NDPA, regulations, and internal data protection policies
  • Advising the organisation — Providing advice on data protection impact assessments and data processing operations
  • Serving as contact point — Acting as the liaison between the organisation and the NDPC
  • Training — Coordinating data protection awareness and training programmes for staff
  • Record keeping — Ensuring the maintenance of records of processing activities

The DPO must have expert knowledge of data protection law and practice. The NDPC may issue regulations specifying additional qualifications and certification requirements for DPOs. Organisations categorised as data controllers or processors of major importance by the NDPC are required to appoint a DPO.

DPO Independence

The NDPA requires that the DPO operate independently within the organisation. The DPO must not receive instructions regarding the exercise of their functions, must report directly to the highest management level, and must not be penalised for performing their duties. This independence requirement mirrors the GDPR's DPO provisions under Article 38.

NDPC Enforcement & Penalties

The NDPC has broad enforcement powers under Part VIII of the NDPA. Penalties are significant and are designed to ensure compliance across all sectors:

  • Non-compliance by a data controller of major importance: up to 2% of annual gross revenue or NGN 10 million, whichever is greater
  • Non-compliance by a data controller or processor not of major importance: up to NGN 2 million or 2% of annual gross revenue, whichever is greater
  • Failure to register with the NDPC (where required): administrative sanctions and potential suspension of processing activities
  • Failure to notify a data breach within 72 hours: administrative fines and enforcement notices
  • Obstruction of the NDPC's investigation: criminal prosecution and additional fines

Beyond monetary penalties, the NDPC can also:

  • Issue enforcement notices requiring specific remedial actions within a defined timeline
  • Order the suspension or restriction of data processing activities
  • Conduct audits and compliance assessments of any data controller or processor
  • Refer matters for criminal prosecution where the Act provides for criminal offences
  • Order compensation to affected data subjects

The NDPC Is Actively Enforcing

The NDPC has inherited the enforcement activities previously conducted by NITDA under the NDPR and is actively expanding its supervisory capacity. Organisations that were previously audited under the NDPR should expect continued scrutiny under the NDPA. The transition from regulation to statute has given the NDPC stronger enforcement tools and greater independence.

NDPA vs GDPR Comparison

Nigerian organisations that operate internationally or serve EU customers often need to comply with both the NDPA and GDPR. While the NDPA draws heavily from the GDPR, there are important differences.

For each area, the NDPA 2023 position is listed first, followed by the GDPR position:

  • Scope: NDPA 2023, natural persons whose data is processed in the context of Nigeria; GDPR, natural persons in the EU/EEA
  • Regulator: NDPA 2023, the Nigeria Data Protection Commission (NDPC); GDPR, national data protection authorities (e.g., ICO, CNIL)
  • Lawful grounds for processing: NDPA 2023, 6 grounds under Section 25; GDPR, 6 grounds under Article 6
  • Consent requirements: NDPA 2023, must be freely given, specific, informed, and unambiguous; GDPR, must be freely given, specific, informed, and unambiguous
  • Breach notification timeline: NDPA 2023, 72 hours to the NDPC; GDPR, 72 hours to the supervisory authority
  • Data Protection Officer: NDPA 2023, required for controllers/processors of major importance; GDPR, required in certain circumstances (Article 37)
  • Data portability: NDPA 2023, explicitly provided under Section 39; GDPR, explicitly provided under Article 20
  • Cross-border transfer mechanism: NDPA 2023, adequacy determination, SCCs, BCRs, or consent; GDPR, adequacy decisions, SCCs, BCRs (Chapter V)
  • Maximum fine: NDPA 2023, 2% of annual gross revenue or NGN 10 million; GDPR, EUR 20 million or 4% of global annual turnover
  • Extraterritorial application: NDPA 2023, yes, applies to controllers outside Nigeria processing data of Nigerian data subjects; GDPR, yes, applies to controllers outside the EU processing data of EU residents
  • Right to be forgotten: NDPA 2023, erasure right under Section 37; GDPR, right to erasure under Article 17

Organisations subject to both laws should map their controls to both frameworks simultaneously. Using a platform like Dimeri, a single security control can be mapped to both NDPA and GDPR requirements — tested once and credited to both frameworks, eliminating duplicate compliance effort.

How to Maintain Ongoing Compliance

NDPA compliance is not a one-time project. The Act requires ongoing monitoring, regular assessments, and continuous improvement of data protection practices. Here is how to build a sustainable compliance programme:

1. Integrate NDPA Obligations into Your Risk Register

Treat every NDPA obligation as a compliance risk in your central risk register. Each obligation should have a named owner, a deadline, mapped controls, and attached evidence. This ensures NDPA compliance is monitored alongside all other organisational risks — not managed in isolation.

2. Conduct Periodic DPIAs

Data protection impact assessments should be conducted for all new processing activities that are likely to result in a high risk to data subjects. Review existing DPIAs annually to confirm they remain accurate and reflect current processing practices.

3. Train Staff Continuously

Data protection compliance depends on staff awareness. Regular training — at onboarding and annually thereafter — should cover what personal data is, how to handle data subject requests, how to recognise a data breach, and the organisation's data protection policies.

4. Monitor Processor Compliance

Data controllers must ensure processors comply with the NDPA through binding data processing agreements. Conduct regular reviews of processor security measures and request evidence of compliance.

5. Use Technology to Automate Tracking

Manual compliance tracking does not scale. As processing activities grow and data subject requests increase, spreadsheet-based tracking becomes unsustainable. A compliance management platform like Dimeri links every NDPA obligation to its controls, evidence, and owner — providing a live compliance dashboard and generating audit-ready reports on demand.

Key Takeaways

  • The NDPA 2023 is Nigeria's first standalone data protection statute, replacing the NDPR and establishing the NDPC as an independent regulator
  • The Act applies extraterritorially — organisations outside Nigeria that process data of Nigerian data subjects must comply
  • Six lawful bases for processing are established under Section 25, mirroring the GDPR's approach
  • Breach notification must be made within 72 hours to the NDPC, with high-risk breaches also requiring notification to affected data subjects
  • Penalties can reach 2% of annual gross revenue or NGN 10 million, whichever is greater — a significant financial risk for large organisations
  • Organisations previously compliant with the NDPR should conduct a gap analysis against the NDPA's expanded requirements
  • Cross-border transfers require documented safeguards — adequacy assessments, SCCs, BCRs, or explicit consent
  • Continuous compliance — supported by risk registers, periodic DPIAs, staff training, and automated tracking — is essential for sustainable NDPA adherence

Frequently Asked Questions

Does the NDPA apply to small businesses in Nigeria?

Yes. The NDPA applies to every data controller or processor that processes personal data of data subjects in Nigeria, regardless of the size of the organisation. However, the NDPC may apply a risk-based approach and categorise organisations as data controllers or processors of "major importance" based on the volume and sensitivity of data they process. Smaller organisations may face proportionally lighter regulatory expectations, but the core obligations — lawful processing, data subject rights, security safeguards, and breach notification — apply to all.

What happened to the NDPR now that the NDPA is in force?

The NDPA 2023 supersedes the Nigeria Data Protection Regulation (NDPR) 2019. However, regulations, orders, directives, and guidelines issued under the NDPR continue to have effect to the extent they are consistent with the NDPA, until the NDPC issues replacements. Organisations that invested in NDPR compliance should review their existing controls against the NDPA's requirements, as the Act introduces additional obligations — particularly around DPO appointment, data protection impact assessments, and the expanded rights of data subjects.

Is a Data Protection Officer mandatory under the NDPA?

The NDPA requires data controllers and processors of major importance to appoint a DPO. The NDPC determines which organisations are classified as "of major importance" based on criteria including the volume of data processed, the nature of processing activities, and the sensitivity of the data involved. Even if your organisation is not classified as being of major importance, appointing a DPO is considered best practice and demonstrates a proactive commitment to data protection compliance.

How does the NDPA handle cross-border data transfers?

Section 43 of the NDPA permits cross-border transfers of personal data only where the receiving country provides an adequate level of data protection as determined by the NDPC, or where appropriate safeguards are in place. Acceptable safeguards include binding corporate rules, standard contractual clauses approved by the NDPC, or the explicit consent of the data subject. If your organisation uses cloud services hosted outside Nigeria, every such transfer must be documented and covered by one of these mechanisms.

Can data subjects in Nigeria claim compensation for data protection violations?

Yes. The NDPA provides data subjects with the right to seek compensation for material or non-material damage resulting from a violation of the Act. Data subjects may lodge a complaint with the NDPC, which has the power to order remedial measures including compensation. Additionally, data subjects may pursue civil remedies through the courts. This dual enforcement path — administrative and judicial — means organisations face both regulatory penalties and potential private litigation for non-compliance.