For years, data protection in Nigeria lived in a somewhat uncomfortable space — governed principally by the Nigeria Data Protection Regulation (NDPR) of 2019, a subsidiary instrument issued by the National Information Technology Development Agency (NITDA). It worked, but it was never quite settled law. The Nigeria Data Protection Act (NDPA), 2023 changed that. Data protection now sits on a proper statutory footing, with the Nigeria Data Protection Commission (NDPC) as an independent regulator.
If your organization built its compliance posture around the NDPR alone, it is worth revisiting that posture now.
What Actually Changed
1. A Dedicated Regulator
The NDPC replaces NITDA's data protection bureau as the supervisory authority. It has broader powers of investigation, enforcement, and — notably — the ability to register data controllers and processors above a certain threshold of data processing activity.
2. Clearer Categories of Obligation
The Act distinguishes between data controllers and processors "of major importance" and everyone else, with the former carrying heavier registration and compliance obligations. Determining which category your organization falls into is now a threshold compliance question, not an afterthought.
3. Real Penalties, Tiered by Size
Where the NDPR's penalty regime was often criticized as vague in practice, the NDPA introduces tiered fines calibrated to whether a data controller/processor is a standard organization or one of "major importance," alongside the possibility of remedial orders. Enforcement is no longer theoretical.
4. Cross-Border Data Transfer Rules
The Act retains and refines the requirement that data transferred outside Nigeria go to jurisdictions (or under mechanisms) offering adequate protection — relevant for any business using foreign cloud infrastructure, SaaS tools, or outsourced processing.
What This Means in Practice
For businesses that already had an NDPR compliance framework:
- Revisit your registration status with the NDPC rather than assuming your old NITDA filing carries over.
- Update your privacy policy and data processing agreements to reference the NDPA, not just the NDPR.
- Reassess vendor contracts, particularly any that route personal data through servers outside Nigeria.
For businesses that treated data privacy as an afterthought:
- Conduct a data mapping exercise: what personal data do you collect, where is it stored, who processes it, and why.
- Appoint a Data Protection Officer if your processing volume or nature requires one.
- Build (or update) your breach notification protocol — the clock on notifying the NDPC after a breach is short, and organizations are regularly caught unprepared.
A Word on Enforcement Reality
Regulatory bodies in Nigeria have historically been criticized for inconsistent enforcement. That is changing. The NDPC has been active, and businesses — particularly in fintech, health-tech, and e-commerce, where personal data is the product — should not mistake a quiet regulator for an absent one.
Closing Thought
Compliance frameworks are sometimes treated as a cost center, a box to tick. I would encourage a different framing: in a market where consumer trust is increasingly a competitive differentiator, a serious data protection posture is a commercial asset. Getting ahead of the NDPA is not just about avoiding penalties — it is about signaling to your customers, partners, and investors that your organization takes their data seriously.
If your organization needs help mapping its NDPA obligations or building out a compliance framework, get in touch for a confidential consultation.