Section 1: NDPR Key Requirements

The NDPR imposes a comprehensive set of data protection requirements on organizations that collect, process, or hold personal data of Nigerian citizens, regardless of where the organization is located. Understanding these requirements is the foundation of NDPR compliance.

Lawful Basis for Processing
Every processing activity must have a lawful basis: consent, contract, legal obligation, protection of vital interests, public interest, or legitimate interests of the controller. Consent must be freely given, specific, informed, and unambiguous.
Data Minimization
Only personal data that is adequate, relevant, and limited to what is necessary for the specified purpose may be collected and processed. Collecting excessive data — even with consent — is an NDPR violation.
Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Secondary uses require a fresh lawful basis.
Data Quality
Controllers must take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
Security Safeguards
Organizations must implement appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, or damage. This includes encryption, access controls, and incident response capabilities.
Cross-Border Transfer Conditions
Personal data may only be transferred to a foreign country if NITDA (or the NDPC under the NDPA 2023) has approved the transfer or confirmed equivalent protections exist in the recipient country. Unauthorized cross-border transfers are a serious NDPR violation.
Annual Data Audit
Organizations that process the personal data of more than 1,000 data subjects within a 6-month period, or more than 2,000 data subjects within 12 months, must file an annual data protection audit with NITDA (or the NDPC). This audit must be conducted by a licensed DPCO.
Data Subject Rights
Data subjects have the right to request access to their personal data, request correction of inaccurate data, and withdraw consent at any time. Organizations must have processes to fulfill these requests within reasonable timeframes.

The NDPR applies to both data controllers (organizations that determine the purpose and means of processing) and data processors (organizations that process data on behalf of a controller). Controllers bear primary responsibility for compliance, but processors must implement security measures and operate only under controller instructions. Written data processing agreements between controllers and processors are required.

Section 2: NITDA Data Protection Compliance Organizations (DPCOs)

One of the most distinctive features of Nigeria's data protection regime is the requirement for many organizations to engage a licensed Data Protection Compliance Organization (DPCO). DPCOs are professional firms licensed by NITDA to conduct data protection audits, provide compliance advisory services, and file annual audit reports on behalf of organizations.

  • 10,000+: data subjects per year that trigger the DPCO requirement
  • 2%: of annual gross revenue, the maximum administrative fine
  • ₦10M: floor of the maximum fine (the fine is 2% of annual gross revenue or ₦10M, whichever is higher)
  • Annual: required audit filing frequency

Who Must Engage a DPCO

Organizations that process the personal data of 10,000 or more data subjects annually are required to engage a licensed DPCO for their compliance audit. The DPCO conducts a comprehensive review of the organization's data protection practices, documents the findings, and files the annual audit report with NITDA (or the NDPC). Organizations that process data of more than 1,000 data subjects within a 6-month period must file an audit, but may not require a full DPCO engagement depending on their total annual volume.

DPCO Selection and Management

When engaging a DPCO, organizations should verify that the firm holds a current NITDA license. The DPCO must have independence from the organization — a DPCO cannot audit an organization that it has a commercial relationship with that would impair its objectivity. The DPCO will typically request access to data inventories, processing records, security policies, consent mechanisms, and data subject request logs. Organizations that have not maintained these records will find the audit process difficult and the resulting report will reflect material gaps.

Penalties for Non-Compliance

Failure to file an annual audit report where required, failure to engage a DPCO where required, and failure to comply with NDPR requirements can result in administrative fines of 2% of annual gross revenue or ₦10 million, whichever is higher. The NDPA 2023 strengthens enforcement by vesting these powers in the newly established Nigeria Data Protection Commission (NDPC), which operates independently of NITDA.

Section 3: Common NDPR Violations

Enforcement patterns from NITDA and the early activities of the NDPC reveal a consistent set of violations that regulators identify most frequently. Understanding these patterns allows organizations to prioritize their remediation efforts.

  • Processing without a lawful basis — Many organizations collect and process personal data without documenting any lawful basis. Relying on implied consent or vague terms and conditions clauses does not satisfy the NDPR's consent requirements.
  • Failure to file the annual data audit — Organizations that qualify for the audit requirement — processing more than the threshold number of data subjects — frequently fail to engage a DPCO or file their annual audit report with NITDA/NDPC. This is one of the most common and straightforward violations to detect.
  • Inadequate or absent privacy notices — Privacy notices that do not disclose the categories of data collected, the processing purposes, data subject rights, or contact details for the data controller fail to meet the NDPR's transparency requirements. Notices buried in terms and conditions, or written in legal language that an ordinary person cannot understand, are also non-compliant.
  • Cross-border transfers without NITDA/NDPC permit — Organizations that transfer personal data to cloud providers, group companies, or third-party processors located outside Nigeria frequently do so without obtaining the required cross-border transfer approval or confirming equivalent protections. This is particularly common with organizations using US or European cloud infrastructure.
  • Lack of data subject rights mechanisms — Organizations that have no documented process for receiving, verifying, and responding to data subject access requests, correction requests, or consent withdrawal requests are in direct violation of the NDPR. This gap is frequently discovered during DPCO audits.
  • Inadequate security measures leading to breaches — Data breaches resulting from preventable security failures — particularly the absence of basic controls such as strong authentication, encryption of sensitive data, or access controls — attract both regulatory attention and significant financial penalties.

Section 4: Nigeria Data Protection Act 2023

The NDPA 2023 — A Landmark Upgrade

The Nigeria Data Protection Act 2023 (NDPA) was signed into law in June 2023 and represents the most significant development in Nigerian data protection law since the original NDPR was issued in 2019. The NDPA elevates data protection in Nigeria from a regulatory instrument to primary legislation, placing it on a firmer legal footing and significantly strengthening enforcement.

Critically, the NDPA establishes the Nigeria Data Protection Commission (NDPC) as an independent regulatory body — replacing NITDA's data protection enforcement role with a dedicated commission modeled in part on the EU's data protection authority structure.

NDPC as Independent Regulator

The NDPC is the primary enforcement authority under the NDPA 2023. It has authority to investigate complaints, conduct audits, issue compliance notices, impose administrative fines, and refer cases for criminal prosecution. Unlike NITDA — which had data protection as one of many responsibilities — the NDPC is wholly focused on data protection enforcement, signaling a significant increase in regulatory intensity.

Expanded Data Subject Rights Under the NDPA

The NDPA 2023 significantly expands the rights available to Nigerian data subjects, moving closer to the comprehensive rights framework established by the EU GDPR. These expanded rights include:

  • Right of Access — Data subjects can request a copy of their personal data and information about how it is being processed
  • Right to Rectification — Inaccurate or incomplete personal data must be corrected upon request
  • Right to Erasure — Data subjects can request deletion of their personal data in specified circumstances, including where the data is no longer necessary for its original purpose or where consent has been withdrawn
  • Right to Data Portability — Data subjects can request their personal data in a structured, commonly used, machine-readable format — a new right not explicitly provided for in the original NDPR
  • Right to Object — Data subjects can object to processing based on legitimate interests or for direct marketing purposes

Key Differences: NDPR vs NDPA 2023

Organizations that calibrated their compliance programs to the NDPR should be aware that the NDPA 2023 introduces additional requirements that were not explicit in the original regulation, including stronger data subject rights, an expanded scope of sensitive personal data categories, and enhanced obligations for organizations that engage in automated decision-making.


Section 5: NDPR Compliance Checklist

Use this checklist to evaluate your organization's NDPR and NDPA 2023 compliance posture. For organizations that qualify for the annual audit requirement, this checklist also provides a useful pre-audit preparation tool.

  • Lawful basis for each processing activity documented, reviewed by legal counsel, and communicated to data subjects in privacy notices
  • Privacy policy updated to comply with NDPR transparency requirements: categories of data, processing purposes, data subject rights, contact details for data controller, and cross-border transfer disclosures
  • Consent management in place where consent is the lawful basis, with records of when and how consent was obtained and a mechanism for withdrawal
  • Data subject rights process in place to receive, log, verify identity, and respond to access, rectification, erasure, portability, and objection requests
  • Annual audit filed with NITDA/NDPC where required (organizations processing 1,000+ data subjects in 6 months or 2,000+ in 12 months)
  • Licensed DPCO engaged where required (organizations processing 10,000+ data subjects annually) and data processing agreement with DPCO in place
  • Cross-border transfer assessment completed for all transfers of personal data outside Nigeria, with NITDA/NDPC permit or equivalent protection confirmed
  • Security measures documented and implemented, covering encryption, access controls, incident detection, and security awareness for staff handling personal data
  • Breach notification procedure documented — covering internal detection, escalation, NDPC notification, and data subject notification where required
  • Data inventory complete, documenting all categories of personal data held, processing purposes, data flows, retention periods, and third-party processors
  • Third-party processor (data processor) agreements in place with all organizations that process personal data on your behalf, including cloud providers and software vendors
  • Staff data protection training delivered to all personnel who handle personal data, covering NDPR obligations, data subject rights, and incident reporting

Section 6: NDPR and the African Data Protection Landscape

Nigeria's NDPR and NDPA 2023 exist within a rapidly evolving continental data protection landscape. Organizations operating across multiple African markets must navigate a patchwork of national frameworks, each with distinct requirements and enforcement bodies.

| Country / Framework | Year Enacted | Regulator | Max Fine | Enforcement Maturity |
|---|---|---|---|---|
| Nigeria — NDPR / NDPA 2023 | 2019 / 2023 | NDPC (formerly NITDA) | 2% revenue or ₦10M | High — active enforcement |
| South Africa — POPIA | 2013 (enforced 2021) | Information Regulator | R10M or imprisonment up to 10 years | High — active enforcement |
| Kenya — Data Protection Act | 2019 | Office of the Data Protection Commissioner (ODPC) | KES 5M or 1% of annual turnover | Medium — growing enforcement |
| Ghana — Data Protection Act | 2012 | Data Protection Commission | GHS 60,000 + criminal penalties | Medium — established framework |
| Rwanda — Data Protection Law | 2021 | Rwanda Utilities Regulatory Authority (RURA) | Up to 2% of global annual revenue | Developing |

A notable trend across the African data protection landscape is the convergence toward GDPR-style frameworks. The African Union's Convention on Cyber Security and Personal Data Protection (Malabo Convention), while not yet widely ratified, provides a continental baseline that national frameworks are increasingly reflecting. Organizations that build a robust GDPR-aligned compliance program will find that significant components translate across African jurisdictions — though local nuances, particularly around regulator registration, audit filing, and cross-border transfer mechanisms, always require jurisdiction-specific attention.

For organizations operating across West Africa, where Nigeria and Ghana both have established data protection frameworks, a combined compliance approach that addresses NDPR, NDPA 2023, and Ghana's Data Protection Act simultaneously can reduce duplication of effort. Similarly, organizations with operations in both Nigeria and South Africa will find substantial overlap between NDPR and POPIA requirements, with the primary differences lying in enforcement bodies, specific filing requirements, and penalty structures.


Related Compliance Resources

Explore related guides and assessments from Skyhigh Cybersecurity: