Nigeria’s Data Protection Law Is Now a Compliance Reality, Not Just a Policy Statement
For years, the conversation around data privacy in Nigeria hovered in an uncomfortable space — strong rhetoric, weak enforcement. That period is over. Since the Nigeria Data Protection Act (NDPA) came into force in June 2023, the country has moved steadily, if unevenly, from legislative ambition to regulatory action. Businesses that treated data compliance as a formality are now receiving notices, paying fines, and facing the prospect of criminal prosecution.
Understanding how this law works and what it demands is no longer optional for any organisation operating in Nigeria’s digital economy.
From Regulation to Law: What Changed in 2023
Before the NDPA, Nigeria relied on the Nigeria Data Protection Regulation (NDPR) of 2019, which lacked clarity and the legislative weight needed for consistent enforcement. The new Act addressed that gap head-on.
Signed into law on June 12, 2023, by President Bola Ahmed Tinubu, the NDPA is the first comprehensive legislation on data protection in Nigeria, replacing the NDPR as the primary instrument on the subject. Crucially, it establishes the Nigeria Data Protection Commission (NDPC) as an independent governing body for data protection and regulation, replacing the National Data Protection Bureau that had been created under the previous administration.
The structural shift matters. The NDPC is not simply a renamed bureau — it has independent investigative powers, the authority to impose fines, and a mandate to pursue criminal prosecution where necessary. Its work is also anchored within a regional framework. The Act strengthens the legal foundations of Nigeria’s digital economy and supports the country’s trusted participation in regional and global economies through responsible use of personal data.
What the Law Actually Requires
The NDPA tells any organisation that handles personal data (names, emails, phone numbers, device IDs) how to collect, use, share, and protect that data. The scope is broad and intentional.
The Act applies where the data controller or data processor is domiciled, resident, or operating in Nigeria; where data processing occurs within Nigeria; or where a controller or processor outside Nigeria is processing the personal data of individuals who are in Nigeria. A foreign company running an e-commerce platform or a SaaS product accessible to Nigerian users is, in principle, subject to Nigerian data protection law.
For businesses classified as data controllers or processors of major importance, a category determined partly by the volume of personal data they handle, obligations are more extensive. Such entities must designate a Data Protection Officer with expert knowledge of data protection law and practices, and the ability to carry out the tasks prescribed under the Act. They must also conduct regular compliance audits, maintain data inventories, and register with the NDPC.
When a data breach occurs, the clock starts immediately. Organisations are required to file annual Compliance Audit Returns with the NDPC, with a deadline of March 15 each year. Late filing is permitted upon payment of a penalty fee. This is a tight window by any standard, and it requires organisations to have functional internal compliance processes in place before anything goes wrong.
The GAID: From Law to Practice
The NDPC has issued the General Application and Implementation Directive (GAID) 2025 to guide organisations on how to comply with the new law. The GAID has been in effect since September 2025 and formally replaces the implementation framework that existed under the old NDPR.
The directive covers a wide range of operational details, from how to handle cross-border data transfers to cookie consent requirements for websites. Under Article 19 of the GAID, websites and apps must obtain opt-in consent before using cookies or tracking tools, except for essential cookies that enable core functions like security, stability, or accessibility. For companies building consumer-facing products in Nigeria, that is not a minor footnote.
Enforcement Is No Longer Symbolic
The most consequential shift since 2023 has been the NDPC’s move from guidance to enforcement. The Commission has adopted a remediation approach, allowing companies found in violation to do the right thing before a fine is imposed, but where organisations are unwilling to comply, sanctions follow.
That posture has produced some landmark penalties. The NDPC imposed a fine of N766,242,500 on Multichoice Nigeria for violating the Nigeria Data Protection Act, following an investigation into alleged breaches of privacy rights. The investigation, which began in the second quarter of 2024, was triggered by suspicions that Multichoice had unlawfully transferred personal data of Nigerian subscribers and non-subscribers across borders without appropriate consent or safeguards.
Separately, following a 38-month joint investigation by the FCCPC and NDPC, the Competition and Consumer Protection Tribunal upheld a $220 million administrative penalty against Meta Platforms and WhatsApp, after concluding the companies engaged in discriminatory and exploitative practices against Nigerian consumers. It remains the largest penalty imposed by any regulatory authority in the Global South against a technology company.
Then, in August 2025, the NDPC escalated further. The Commission issued compliance notices to 1,368 organisations, targeting 795 financial institutions, 35 insurance companies, 392 insurance brokers, 136 gaming companies, and 10 pension firms. Each was given 21 days to provide evidence of compliance or face sanctions.
Legal experts at Aluko & Oyebode noted that while the Commission had signalled “massive and proactive” enforcement for 2025, the decision to publicly name non-compliant entities marked a significant shift. “This change reflects a more assertive stance, signalling increased regulatory pressure on organisations to proactively ensure compliance,” they observed.
What This Means Going Forward
Nigeria’s data protection framework is still maturing. A 2024 court ruling nullified parts of the Commission’s guidance on registering data controllers and processors of major importance, forcing many companies to reassess their compliance strategies. A 2023 judgement voiding the NDPC’s whitelist on cross-border data transfers created further uncertainty. Public awareness of individual data rights also remains limited outside major urban centres.
But the regulatory direction is clear. Sectors such as aviation, telecommunications, e-commerce, and healthcare, where large volumes of personal and sensitive data are processed, are likely to face scrutiny from the NDPC in the months ahead.
For startups and established tech companies alike, data protection is now an operational cost of doing business in Nigeria. Companies that have not audited their data flows, documented their processing activities, or appointed a Data Protection Officer face genuine regulatory exposure. The question is no longer whether to comply, but how quickly they can close the gap.

