Understanding the NDPA 2023: What It Means for Your Business

May 20, 2026  •  Charles Olakunle Alaka

The Nigeria Data Protection Act 2023 (NDPA) represents the most significant overhaul of data protection law in Nigeria's history. Signed into law in June 2023, it replaces the earlier NDPR framework and creates binding obligations for a far wider range of organisations than its predecessor.

If your organisation collects, processes, stores, or shares any personal data belonging to Nigerian residents, the NDPA applies to you.

Who Does the NDPA Apply To?

The NDPA applies to:

  • Any organisation established in Nigeria that processes personal data
  • Any organisation outside Nigeria that processes personal data of Nigerian residents
  • Both the private and public sectors

There is no minimum size threshold. A sole trader who maintains a client contact list is technically within scope. The practical enforcement focus, however, is on organisations with significant data processing activities.

Key Obligations Under the NDPA

Lawful basis for processing: Every data processing activity must be grounded in one of the lawful bases defined in the Act — consent, contract, legal obligation, vital interests, public task, or legitimate interests. Processing without a lawful basis is a violation, regardless of whether harm occurs.

Data subject rights: Individuals have the right to access their data, correct inaccuracies, request erasure, object to processing, and in some cases port their data to another organisation. Organisations must have processes to respond to these requests within prescribed timeframes.

Privacy notices: Clear, accessible privacy notices must be provided at the point of data collection, explaining what data is collected, why, how long it is retained, and with whom it is shared.

Data Protection Officer: Organisations that process data at scale, or that process sensitive categories of data, are required to designate a Data Protection Officer (DPO). The DPO can be internal or external.

Data Protection Impact Assessments: High-risk processing activities require a formal DPIA before implementation. This includes large-scale processing of sensitive data, systematic monitoring, and automated decision-making with significant effects.

NDPC Registration: Data controllers and processors meeting certain thresholds are required to register with the Nigeria Data Protection Commission (NDPC) and file annual data protection compliance reports.

Penalties for Non-Compliance

The NDPA introduces tiered sanctions. For serious violations, fines can reach 2% of annual gross revenue or NGN 10 million, whichever is greater. For the most serious violations — those causing significant harm to data subjects — fines can reach 2.5% of annual gross revenue.

The NDPC also has enforcement powers including compliance orders, processing bans, and referral for criminal prosecution of responsible individuals.

Building NDPA Compliance

NDPA compliance requires a structured approach: data mapping (understanding what personal data you hold and how it flows), lawful basis assessment, privacy notice review, data subject rights procedures, and, where required, NDPC registration and annual reporting.

At CHOLAL Professional Services, we guide organisations through full NDPA compliance — from initial gap assessment through to implementation and ongoing advisory. Compliance with the NDPA is not just a legal requirement; it is increasingly a commercial expectation from sophisticated clients and counterparties.

Category: Regulatory Compliance
Charles Olakunle Alaka

Strategic compliance and HR advisory for Nigerian enterprises. 15+ years PFA expertise. Zero infractions guaranteed.