Nigeria’s Data Protection Act: What Businesses Should Know

Introduction

Data protection and privacy have become fundamental rights for individuals across the globe. Today’s digital world has made data generation, storage, and processing central to modern society, which increases the importance of robust data protection laws. Nigeria has taken a landmark step with the enactment of its Nigeria Data Protection Act (NDPA) 2023. The NDPA was signed into law on June 12, 2023, establishing a comprehensive framework for the protection of personal data in Nigeria. The Act is operationalized by the General Application and Implementation Directive (GAID) 2025, which supports its framework.

This law provides the primary legislative framework for how organisations must handle personal data, govern data processing activities, and protect the rights of individuals, known as data subjects, in Nigeria’s increasingly digital business environment. The NDPA builds upon and replaces the Nigeria Data Protection Regulation (NDPR), which was previously issued by NITDA as secondary legislation, marking an evolution from regulation to comprehensive legislation with broader scope, enforcement, and international alignment. The Act is enforced and regulated by the Nigeria Data Protection Commission (NDPC) and other relevant government agencies, such as the Nigeria Data Protection Bureau (NDPB), which are charged with overseeing data protection matters, ensuring compliance, and safeguarding personal information from misuse, unauthorised access, and breaches.

For businesses operating in or targeting Nigerian consumers, understanding the obligations under the Nigerian Data Protection Act and associated data protection regulations is critical. The law applies to both automated and manual processing of personal data, meaning that virtually all organisations touching personal information must embrace robust data protection governance practices. The NDPA applies to any organization that handles personal data of individuals in Nigeria, no matter where the organization is based. It also governs how organisations collect personal data, process personal data, implement data security measures, and respond to data subject rights requests.

Key Provisions of the Act

The Nigerian Data Protection Act establishes comprehensive provisions that guide how personal data should be managed and protected. The Act marks an evolution from the earlier Nigeria Data Protection Regulation (NDPR), which served as the initial data protection regulation framework, to a more robust and comprehensive law. While the NDPR provided foundational rules, the new Act introduces a broader legal framework with stronger enforcement mechanisms, aligning Nigeria’s data protection strategy with global standards like the GDPR. Central to these provisions are principles that organisations, whether data controllers or data processors, must adhere to, including lawfulness, fairness, transparency, purpose limitation, and data minimisation. Organisations must ensure that any processing of personal data is based on a lawful basis, such as consent, contractual necessity, legal obligation, or legitimate interests. Legitimate interests can be relied upon as a legal ground when appropriate, but organisations must document their reasoning for choosing this basis. This ensures that individuals’ personal information is not misused or retained longer than necessary or without clear justification.

The Act importantly expands on what constitutes sensitive personal data, such as biometric data, health information, religious or philosophical beliefs, and political opinions, among others. Organisations must be especially careful when handling sensitive personal data: its processing often requires explicit consent or must be necessary for specific lawful purposes like vital interests or employment obligations.

A major reform under the NDPA is the introduction of the concept of Data Controllers and Processors of Major Importance (DCPMIs), entities that process personal data at scale or in ways significant to Nigeria’s economy, security, or society. DCPMIs are required to register with the Nigeria Data Protection Commission (NDPC) and conduct annual compliance audits, and they are subject to additional registration, compliance, and monitoring mandates. The NDPA establishes the NDPC as a dedicated supervisory authority to oversee compliance and enforcement. The NDPC has the authority to issue compliance and enforcement orders to data controllers and processors, and to investigate complaints against them.

Additionally, the Act defines specific protocols for cross-border data transfers to ensure that personal data leaving Nigeria is subject to an “adequate level of protection” in the receiving country, which can be established through binding corporate rules, standard contractual clauses, laws, codes of conduct, or recognised certification mechanisms. In regions with data-porous operating environments, where weak data protection frameworks pose risks for data security and privacy, robust regulation like the NDPA is essential to mitigate these risks and foster trust for international business operations.

Data Protection Principles and Rights

At the heart of the NDPA are data protection principles designed to ensure ethical and lawful management of personal data. These principles include:

  • Lawfulness, fairness, and transparency
  • Purpose limitation: process data only for specific, legitimate business reasons
  • Data minimisation: collect only what is necessary
  • Accuracy: prevent inaccurate or outdated data from harming data subjects
  • Storage limitation: do not retain personal data longer than necessary
  • Data security and integrity: apply adequate organisational and technical measures

The NDPA requires businesses to comply with these core principles, and organisations need to integrate them into their data processing practices to avoid violations and maintain trust. When collecting and processing customer data, businesses have specific obligations to protect data under the Act. Organizations must maintain clear privacy notices at data collection points, detailing the purpose, recipients, and retention periods for customer data.

The NDPA also enshrines important data subject rights that give individuals control over their personal information. Key rights include:

  • Access to personal data and information about how it’s processed
  • Correction or deletion of personal data
  • Restriction or objection to processing
  • Right to data portability, receiving personal data in a commonly used electronic format
  • Right to object to automated decision-making that significantly affects them
  • Right to withdraw consent at any time

To comply, organizations must process data only on valid legal grounds and, where consent is the basis, obtain and record that consent so it is properly documented. Businesses are also required to protect data through appropriate technical and organizational measures to safeguard against loss, hacking, or misuse.

These enforceable data subject rights mean businesses must provide accessible mechanisms for individuals to exercise these rights without undue delay.

Roles and Responsibilities

Under the NDPA, both data controllers and data processors have clearly defined responsibilities:

  • Data controllers determine the purpose and means of processing personal data and are accountable for ensuring all processing is lawful and transparent.
  • Data processors manage personal data for controllers, adhering to instructions and applying suitable data security measures.

Both controllers and processors are required to establish robust internal controls and documentation, including records of processing activities detailing the purposes of collection, categories of personal data processed, retention periods, and legal bases for processing.

A key element of organisational accountability is the appointment of a Data Protection Officer (DPO). The DPO plays a critical role in advising on data protection matters, monitoring compliance, training staff, and serving as the primary point of contact with the Nigerian Data Protection Commission. The Act encourages, and in some cases mandates, that organisations, especially DCPMIs, designate a DPO with independence to operate effectively and report to senior management.

Data Processing and Transfer

The NDPA governs the entire lifecycle of personal data processing, from collection, through handling and storage, to transfers across borders. Any processing must meet the conditions prescribed under the Act, such as having a valid legal basis, often explicit consent, or a legitimate business need.

Cross-border transfers are strictly regulated. As a rule, personal data may not be transferred outside Nigeria unless the recipient entity or jurisdiction offers an adequate level of protection, based on laws, binding corporate rules, codes of conduct, contractual clauses, or certification mechanisms. Businesses must often conduct assessments before transfers to ensure compliance, and organisations should document and justify the legal basis for each transfer. Data processing agreements are essential legal contracts with data processors, ensuring compliance, security, and accountability under data protection laws.

There are limited circumstances where transfers may occur even without an adequacy decision, such as explicit consent from the data subject, necessity for contract performance, or compelling public interest. But organisations must approach these exceptions with caution and robust documentation to justify such transfers. Additionally, organizations that process the data of more than 200 subjects within six months may be classified as Data Controllers or Processors of Major Importance (DCPMI).

Data Breach Notification

A personal data breach can have significant consequences for both organizations and individuals. Under the Nigeria Data Protection Act 2023, data controllers are required to act swiftly in the event of a data breach. Specifically, they must notify the Nigerian Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, providing detailed information about the nature of the incident, the categories and approximate number of data subjects affected, and the steps taken to address and mitigate the breach.

Data processors also play a critical role in this process. If a data processor discovers a personal data breach, they must promptly inform the relevant data controller, enabling timely notification to the NDPC and affected data subjects. Transparency is key: data subjects have the right to be informed about breaches that may impact their personal data, as well as the measures being implemented to protect their information moving forward.

In some cases, the NDPC may require organizations to conduct a thorough data audit to determine the root cause of the breach and to ensure that effective safeguards are put in place to prevent future incidents. By reporting data breaches promptly and taking corrective action, businesses not only comply with data protection requirements but also reinforce their commitment to protecting personal data and maintaining the trust of their customers.

Compliance and Enforcement

Compliance with the NDPA is not optional; non-compliance can have serious legal and financial consequences. The Nigeria Data Protection Commission has broad enforcement powers, including the ability to investigate organisations, issue orders to fix compliance gaps, impose fines, and take legal action.

While the exact penalty structure is subject to detailed regulations from the NDPC, violations involving data breaches, failure to uphold data subject rights, or improper cross-border transfers can result in significant fines, in some cases tied to a percentage of annual gross revenue, and even criminal sanctions in severe cases.

Part of compliance involves regular data audits, maintaining up-to-date documentation, and ensuring security controls are appropriate for the scale and nature of processing activities. Organisations that fall under the category of DCPMI face heightened compliance requirements, including registration with the NDPC within mandated timeframes.

Data Protection Act 2023 Requirements

The NDPA places several obligations on organisations to systematise data protection. These include:

  • Obtaining explicit, informed, freely given, and unambiguous consent before processing personal data, especially sensitive data
  • Documenting and maintaining records of processing activities and legal bases
  • Embedding data protection by design and default into projects, systems, and processes
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing operations
  • Reporting personal data breaches to the NDPC within 72 hours of discovery, and notifying affected data subjects where the breach is likely to result in a risk to their rights

These compliance requirements add structure and accountability to how organisations operate. The emphasis on consent, DPIAs, and breach reporting reflects global best practices that align with international data protection standards.

Data Protection Officer (DPO)

The role of the Data Protection Officer (DPO) under the NDPA is foundational to strong organisational compliance. At the same time, not all organisations must appoint a DPO; those handling large volumes of data or classified as DCPMIs are required to do so.

The DPO’s responsibilities include:

  • Advising on data protection obligations and best practices
  • Monitoring compliance with the Act and internal policies
  • Conducting or supervising data protection audits and training
  • Assisting with managing data subject rights requests and breach responses
  • Liaising with the Nigerian Data Protection Commission and other relevant authorities

Importantly, the DPO must operate independently, report directly to senior management, and uphold confidentiality. Their oversight is crucial for maintaining trust and ensuring adequate data protection measures are in place across business operations.

Conclusion

The Nigeria Data Protection Act 2023 represents a major evolution in Nigeria’s approach to privacy and data governance. As the primary legislative framework for data protection, it sets out clear rules and expectations for how organisations should collect, process, protect, and transfer personal data in both digital and manual contexts.

By aligning business practices with the NDPA’s principles, from lawful processing and robust security to transparent handling and respect for data subject rights, organisations can safeguard customer trust, reduce the risk of costly data breaches, and ensure compliance with the Nigeria Data Protection Commission’s oversight. In today’s digital world, strong data protection compliance is not just a legal necessity but a strategic imperative that enhances reputation and competitiveness in the Nigerian market and beyond.
