Data Protection Compliance in Nigeria: What You Need to Know About NDPR & NDPA


INTRODUCTION

In Nigeria’s fast-evolving digital landscape, data privacy and data protection compliance have become critical concerns. The Nigerian Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA), laid the foundation for data protection compliance in the country. The enactment of the Nigeria Data Protection Act (NDPA) in 2023 significantly expanded the regulatory framework, created the Nigerian Data Protection Commission (NDPC), and introduced new compliance requirements.

Nigeria has entered a new era of data protection compliance with the introduction of the Nigerian Data Protection Act (NDPA) 2023. Building on the foundation laid by the 2019 Nigerian Data Protection Regulation (NDPR), the NDPA updates compliance requirements and establishes the Nigerian Data Protection Commission (NDPC) to enforce the law. Key changes include annual filings and expanded support services.

Understanding these updates is essential for any organization handling personal data of Nigerian residents. This article highlights the revised NDPR/NDPA services, mandatory filings, and legal obligations for effective data protection compliance in Nigeria.

From NDPR to NDPA: A Significant Shift

The NDPA 2023 provides a stronger legislative backbone, replacing the NDPR which was a subsidiary legislation. The Nigerian Data Protection Regulation (NDPR) 2019, pursuant to Section 6(c) of the National Information Technology Development Agency Act 2007, provides foundational requirements for data processing, consent, audit, and cross-border data transfer. However, the Nigeria Data Protection Act (NDPA), enacted in June 2023, establishes the Nigeria Data Protection Commission (NDPC) under Section 4 of the NDPA Act 2023. This replaces NITDA as the regulator for data protection and further codifies and expands the NDPR into statutory law.

Key Services under the New Nigeria Data Protection Act (NDPA)

Mandatory Annual Data Protection Audit (DPA): Section 44(1) of the NDPA requires data controllers/processors of major importance to submit audit reports. The report must cover:

  • Data privacy policies and procedures.
  • Record of data processing activities (ROPA), in accordance with Section 34 of the NDPA Act.
  • Staff training and awareness.
  • Data security measures.

The report must be filed via an accredited Data Protection Compliance Organization (DPCO).

Registration of Data Controllers and Processors: Section 41 of the NDPA mandates registration for controllers/processors of major importance. The NDPC maintains a public register. The registration portal (updated in 2025) allows for profile creation, annual audit uploads, and data breach notifications pursuant to Section 38 of the NDPA Act.

Appointment of a Data Protection Officer (DPO): Section 32 of the NDPA requires certain organizations to appoint a DPO. The DPO is responsible for monitoring compliance, handling data subject access requests (DSARs), and serving as the contact point for the NDPC.

Engagement with Data Protection Compliance Organizations (DPCOs): The NDPA recognizes DPCOs to guide entities through compliance, according to Section 48 of the NDPA Act 2023. Their services include compliance gap assessments, training programs (by virtue of Section 36 of the NDPA Act), drafting privacy policies, and filing annual audits.

Sectoral Guidelines and Codes of Practice: Section 49 of the NDPA Act empowers the NDPC to issue sector-specific regulations in 2024 to 2025; codes have been developed for Financial Services, HealthTech, Education, and Governmental data handlers.

Updated Annual Filing Requirements (Audited Compliance Returns) as at 2025

The core obligation for Data Controllers and Data Processors of Major Importance remains the submission of an Audited Compliance Return. Key updates and clarifications include:

Who Must File?

The NDPA treats the concept of “Data Controllers and Data Processors of Major Importance” (DCPMIs). The NDPC has clarified thresholds, typically encompassing organizations:

  • Employing 200 plus persons.
  • Processing personal data of 2000 plus data subjects daily within a 6-month period.
  • Processing sensitive personal data (health, biometrics, genetics, etc.) of 1000 plus data subjects daily within a 6-month period.
  • Operating in specific critical sectors (Finance, Telecoms, Government, Education, Health, etc.) regardless of thresholds, if deemed significant by the NDPC.

Kindly note: All organizations, regardless of size, must comply with the NDPA principles; however, only DCPMIs are allowed to file the annual return.

What to file? 

A licensed Data Protection Compliance Organization (DPCO) must prepare and sign the audited Compliance Return, a comprehensive report that verifies adherence to the NDPA. This report includes evidence of a DPIA (where required), details of the appointed Data Protection Officer (DPO), records of data processing activities, and data protection policies and procedures. It also documents staff training and awareness, data breach management, and how the organization respects data subject rights.

How is the filing Process Done? 

Filings are submitted electronically via the official NDPC Compliance Portal with the link https://portal.ndpc.gov.ng.

Filing Requirements and Deadlines

There are certain filing requirements and deadlines which are provided according to the Nigeria Data Protection Act (NDPA). Specifically, Section 44(1) of the NDPA provides that organizations classified as data controllers or processors of major importance (e.g., banks, telecoms, fintechs, health services, etc.) must file an annual Data Protection Compliance Audit Report on or before 30th June of the following year (e.g., for 2024 data, it must be filed by June 30th, 2025).

In addition, Section 41 of the NDPA 2023 provides that all organizations processing personal data must register with the Nigeria Data Protection Commission (NDPC) via the online portal at the start of operations, and must update this registration annually or whenever there are changes in status.

Therefore, organizations must integrate these registration and audit requirements into their data protection compliance processes. As a result, timely registration and accurate annual reporting are essential components of effective data protection compliance.

Furthermore, organisations of major importance are required to appoint a Data Protection Officer (DPO) or assign the role to a qualified external DPCO to oversee data protection compliance. These organisations must notify the NDPC immediately upon the DPO’s appointment and report any changes, as stipulated in Section 32 of the NDPA 2023. When a breach occurs, pursuant to Section 38 of the NDPA 2023—such as loss, theft, or unauthorised access—the organization must notify both the NDPC and affected data subjects within 72 hours of becoming aware of the breach. Maintaining swift and accurate breach reporting is critical to sustaining trust and ensuring ongoing data protection compliance.

Furthermore, organisations must keep Records of Processing Activities (ROPA) covering what personal data is processed, why and how it is processed, who has access, retention periods, and the legal basis of processing. This is an ongoing obligation, and the records should be available at all times for inspection or audit pursuant to Section 34 of the NDPA, 2023.

Organisations must respond to Data Subject Access Requests (DSARs), whether for access to personal data, correction or deletion, or explanations of processing, within 7 days of receiving a valid request, in line with Section 35 of the NDPA 2023.

Are filing fees Applicable upon filing?

Filing fees apply and vary according to the organization’s revenue and sector classification (Major, Default, Micro, Small & Medium Enterprises – MSMEs). Fees are paid directly through the NDPC portal.

Key Considerations for Organisations

1.  Determine Your Status: Confirm if your organization qualifies as a DCPMI requiring the annual audit and filing.

2.  Engage a Licensed DPCO: Select an NDPC-licensed DPCO early. Their expertise is invaluable for navigating the audit process and building a sustainable compliance program. Avoid unlicensed entities.

3.  Appoint a DPO: The NDPA mandates DPOs for public bodies and private organizations whose core activities involve large-scale, systematic monitoring or processing of sensitive data. Even if not mandatory, appointing a responsible person is best practice.

4.  Build a Compliance Framework: Develop and implement comprehensive data protection policies, procedures, and documentation (Records of Processing Activities – ROPA).

5.  Conduct DPIAs: Systematically assess high-risk processing activities before they begin.

6.  Train Staff: Regular, role-specific data protection training is essential.

Sanctions and Enforcement

Penalties under Section 50 of the NDPA include fines up to ₦10 million or 2% of annual revenue. Section 39 allows the Commission to investigate breaches, audit compliance, and issue enforcement orders. Non-compliant organizations may also be publicly listed on the NDPC’s non-compliance register.

Practical Compliance Steps

1. Conduct a compliance assessment and evaluate current data processing practices against NDPA requirements.

2. Register with the NDPC via the official NDPC portal, as revamped in 2025.

3. Engage a licensed DPCO for assistance with compliance implementation and audit report filing.

4. Appoint a qualified DPO if classified as a data controller/processor of major importance.

5. Implement documentation controls: maintain Records of Processing Activities (ROPA), draft and publish a privacy policy, and keep breach logs and evidence of consent.

6. Train employees through regular awareness sessions, according to the provisions of Section 36 of the NDPA.

Conclusion

Compliance with the NDPR and the new legal mandates under the NDPA 2023 is no longer optional; the law makes it a statutory obligation. The Nigeria Data Protection Commission actively enforces compliance, imposes penalties, and protects data subjects’ rights. Organizations, especially those processing large volumes of data, must prioritize their NDPR/NDPA filings, staff training, and audits to avoid reputational damage, financial penalties, or legal liability. As 2025 unfolds, organizations should align with the law and adopt the robust data governance practices introduced by the NDPA.

CONTRIBUTORS

OJIENOH SEGUN JUSTICE Esq.,

Managing Partner EKO SOLICITORS & ADVOCATES

RINDAP NANJUL DANJUMA Esq.,

Counsel EKO SOLICITORS & ADVOCATES

ONIFADE ADEOLU

Counsel EKO SOLICITORS & ADVOCATES
