Nigeria’s Data Protection Act Two Years In: From Paper Law to Enforcement Reality
When President Bola Tinubu signed the Nigeria Data Protection Act into law on June 12, 2023, the immediate response from the tech and legal community was cautious optimism. Nigeria had, at long last, elevated data protection from a regulatory instrument, the NDPR of 2019, to an act of parliament, with a dedicated independent commission to back it. The harder question was always going to be what followed. Two years on, the answer is becoming clear: enforcement is no longer symbolic.
From Regulation to Law: Why the Distinction Matters
Before 2023, Nigeria’s data protection framework rested on the Nigerian Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA) in 2019. The NDPR was a functional document: it established consent requirements, processing principles, and annual audit obligations. But it had two fundamental weaknesses. It was subsidiary legislation made by a government agency, not by parliament, which limited its legal authority. And it was administered by NITDA, which was not an independent body.
The NDPA changed both of those conditions. It created the Nigeria Data Protection Commission (NDPC) as an autonomous regulator, gave data protection the weight of statute, and extended the law’s reach to any organization anywhere in the world that processes the personal data of people in Nigeria. For multinational companies operating across the continent, that last point carries real operational implications.
The Act also introduced concepts absent from the NDPR: legitimate interest as a lawful basis for processing, mandatory Data Protection Impact Assessments for high-risk activities, explicit rules on sensitive personal data, and clearer rights for data subjects, including the right to erasure and data portability.
The GAID: Turning Principles into Practice
Having the law was one thing. Making organizations comply with it was another. That process moved more slowly than advocates hoped. It took until March 20, 2025 for the NDPC to issue its General Application and Implementation Directive (GAID), the operational rulebook that translates the Act’s principles into concrete compliance steps. The GAID became fully effective in September 2025.
The directive settled several questions that had left legal teams uncertain: who qualifies as a Data Controller or Processor of Major Importance (DCPMI), how Data Protection Officers should be appointed and positioned within organizations, what periodic compliance audits must cover, and how cross-border data transfers are to be governed. Organizations that were established before June 2023 are required to file annual Compliance Audit Returns with the NDPC by March 31 each year, while those formed after that date have 15 months from establishment before their first filing falls due.
The delay in issuing the GAID reflected, in part, the practical challenge of building an independent regulatory institution from near-scratch. The NDPC had to establish staffing, licensing frameworks for Data Protection Compliance Organizations (DPCOs), and its own internal systems before it could credibly enforce anything. That groundwork, while unglamorous, matters.
Enforcement Arrives
The period between the Act’s passage and the GAID’s release was not entirely quiet. The NDPC spent much of 2023 and 2024 building compliance infrastructure, issuing guidance, and, by its own account, preferring remediation over punishment. National Commissioner Dr. Vincent Olatunji described the philosophy plainly in comments to Nairametrics: “It’s only when an organization is unwilling to comply with the law that we are forced to impose sanctions.”
That posture shifted notably in 2025. The most prominent signal was the N766.2 million fine levied against Multichoice Nigeria in June 2025, the largest single penalty since the Act came into force. The NDPC found that Multichoice had violated the privacy rights of both subscribers and individuals associated with them, and had transferred personal data outside Nigeria without a lawful basis. When the company’s remedial measures were deemed unsatisfactory, the Commission imposed the fine. The NDPC’s National Commissioner also ordered an investigation into all data collection channels operated by Multichoice in Nigeria.
The Multichoice case was not an isolated action. Around the same time, the Commission imposed a N555.8 million fine against another organization, the details of which were referenced in legal advisories, and, separately, concluded enforcement action against Meta Platforms that resulted in a $32.8 million penalty for data privacy violations, part of a broader suite of regulatory actions against the company across multiple Nigerian agencies.
Then, in August 2025, the NDPC issued compliance notices to 1,368 organizations spanning banking, insurance, pensions, and gaming. Those firms were given 21 days to submit evidence of filing their 2024 audit returns, proof of Data Protection Officer appointment, and documentation of their technical safeguards. The scale of that sweep, nearly 1,400 organizations across critical sectors simultaneously, marked the clearest sign yet that the Commission was operating in full enforcement mode.
The Business Compliance Burden
For companies operating in Nigeria, the shift from advisory guidance to active scrutiny has sharpened the stakes. Penalties for Data Controllers of Major Importance can reach N10 million or 2% of annual gross revenue, whichever is higher. Criminal prosecution remains a possibility for serious violations. The NDPC has also introduced a late registration fee for organizations that missed the October 2024 registration deadline, while keeping the registration window open.
The compliance ecosystem has grown in parallel. Licensed DPCOs, the third-party firms authorized to conduct audits and prepare filings on behalf of organizations, have proliferated since 2023. The NDPC’s own estimates suggest the compliance services market could generate N13.8 billion in industry revenue as demand grows. For legal, technology, and advisory firms, that is a significant new practice area.
SMEs face a different reality. The tiered structure of the NDPA, which applies its most demanding obligations to DCPMIs, offers smaller businesses some breathing room. But the definition of what qualifies as a DCPMI, an entity that processes the personal data of 2,000 or more data subjects within a year, captures a wide range of businesses, including mid-sized fintechs, e-commerce platforms, and healthtech companies. Many of them are still finding their footing.
Where Nigeria Stands on the Continent
Nigeria’s regulatory trajectory is being watched across Africa. The NDPA draws heavily from the European Union’s GDPR, but it is not simply a copy. It includes local adaptations: requirements around data localization for certain categories, tiered obligations that acknowledge the SME-heavy nature of the Nigerian market, and an enforcement philosophy that, at least initially, prioritized getting organizations into compliance before reaching for punitive measures.
The NDPC’s standing in regional circles has grown. In 2025, the Commission won the Picasso Award from the Network of African Data Protection Authorities (NADPA) and hosted the network’s eighth annual meeting, a sign that its peers on the continent regard its institutional development as substantive.
Whether that standing translates into a continent-wide compliance baseline remains to be seen. Several African countries are still without comprehensive data protection legislation, and cross-border data flows remain a live tension. Nigeria’s extraterritorial reach applies to any processor handling data of people in Nigeria, regardless of where that processor is based. It is the most ambitious assertion of jurisdiction on the continent, but its practical enforcement against foreign entities with no Nigerian presence is untested.
What Still Needs Work
The framework has real gaps. Public sector compliance has received far less scrutiny than the private sector, despite the volume of personal data handled by government ministries, the National Identity Management Commission (NIMC), and public health institutions. The NDPA applies to public bodies, but enforcement against government entities has been minimal.
Data breach notification obligations, while present in the Act, remain inconsistently observed. There is no public register of reported breaches, and it is unclear how many go unreported or underreported to the NDPC. Consumer awareness, the demand side of data rights, remains thin. Most Nigerians do not know what rights the NDPA confers on them, let alone how to exercise those rights.
These are not unique problems. GDPR, seven years after its passage, still contends with uneven enforcement across EU member states. Nigeria’s challenge is to build the institutional muscle to sustain enforcement momentum while handling the structural pressures (funding, staffing, and political independence) that test every young regulator.
The data protection law exists. The Commission is functional. The enforcement is real. That, by the standards of African regulatory reform, is meaningful progress. The harder work of embedding privacy as a norm in boardrooms, in software development cycles, and in the expectations of ordinary Nigerians is what the next phase requires.

