NIGERIAN DATA PROTECTION ACT: WHAT YOU NEED TO KNOW

Introduction To The Nigerian Data Protection Act

In today’s digital world, every organisation collects and uses personal information, from customer names to financial details and online behaviour. To protect Nigerians’ privacy and regulate how this data is used, the Nigerian Data Protection Act (NDPA) 2023 was signed into law.

The Act establishes clear rules for how businesses must handle personal data and sets penalties for non-compliance. This article explains, in simple terms, the key obligations every business must meet under the Act.

What Is the Nigerian Data Protection Act 2023?

The NDPA 2023 is the main law that governs how personal data is collected, stored, shared, and processed in Nigeria. It aims to:

  • Protect the privacy rights of individuals
  • Promote transparency in data processing
  • Encourage responsible data use by organisations
  • Support Nigeria’s digital economy

The Act also created the Nigeria Data Protection Commission (NDPC) to oversee enforcement and ensure compliance.

Who Must Comply with the Act?

The law applies to:

  • All businesses and organisations operating in Nigeria
  • Foreign companies that process data of Nigerians
  • Government agencies handling citizens’ information
  • SMEs, start-ups, schools, hospitals, and online platforms that store or use personal data.

Whether you are a fintech company, real estate firm, school, or NGO, once you collect personal information, the law applies to you.

Key Obligations for Businesses under the NDPA 2023

  1. Obtain Lawful Consent Before Collecting Data

Businesses must always get clear and voluntary consent from individuals before collecting their personal information. Consent must be specific, informed, freely given, and withdrawable at any time.

For instance, if your company collects customer emails for marketing, you must first explain what they will be used for and allow customers to opt out.

  2. Process Data for Legitimate Purposes Only

Organisations must use data only for lawful and transparent purposes. For example, a bank collecting customer information for account opening cannot sell or share it for marketing without permission.

  3. Register with the Nigeria Data Protection Commission (NDPC)

The Act requires certain organisations to register as data controllers or data processors with the NDPC. Large companies and those handling sensitive data (such as health, biometrics, or financial information) must register and renew yearly.

  4. Appoint a Data Protection Officer (DPO)

Every medium or large-scale organisation should appoint a Data Protection Officer to monitor compliance, handle data requests, and communicate with the NDPC.

  5. Keep Personal Data Secure

Businesses must use proper technical and organisational measures to protect data from loss, hacking, or misuse. Examples include password protection, data encryption, limiting staff access, and regular security audits.

If a data breach occurs, it must be reported to the NDPC within 72 hours.

  6. Respect Data Subjects' Rights

Individuals (called data subjects) have the right to know what data a company holds about them, request corrections or deletion, withdraw consent, and restrict processing.

Businesses must have a clear procedure for handling such requests quickly.

  7. Avoid Unauthorised Data Transfers

Companies cannot transfer Nigerians’ personal data outside Nigeria unless the receiving country has adequate data protection laws or specific NDPC approval.

Penalties for Non-Compliance

Failure to follow the Act can lead to heavy sanctions, including:

  1. Fines up to ₦10 million or 2% of annual gross revenue (for small data controllers)
  2. ₦200 million or 2% of annual gross revenue (for large controllers)
  3. Criminal prosecution for deliberate misuse or negligence

Besides financial penalties, non-compliance can damage a company’s reputation and destroy customer trust.

Steps to Achieve Compliance

Businesses can stay compliant by:

1. Reviewing how they collect and store data

2. Updating privacy policies and consent forms

3. Appointing a Data Protection Officer

4. Training staff on data handling

5. Registering with the NDPC

6. Performing regular data audits

7. Having a plan to manage data breaches

Why Compliance Matters

Compliance is not just about avoiding penalties; it’s about building trust. Customers are more likely to deal with businesses that handle their personal data responsibly. It also helps companies qualify for international partnerships and digital operations.

Conclusion

The Nigerian Data Protection Act 2023 marks a major step in safeguarding personal information in the digital age. Every business, big or small, must take data protection seriously by following the rules on consent, registration, security, and transparency.

Compliance protects your customers, improves your brand image, and prevents costly legal issues.

CONTRIBUTORS

Ojienoh Segun Justice, Esq.,

Managing Partner, EKO SOLICITORS AND ADVOCATES

Salawa Abike Sule-Azeez

Counsel, EKO SOLICITORS AND ADVOCATES

Rindap Nanjul Danjuma Esq.,

Counsel, EKO SOLICITORS AND ADVOCATES
