Key Features of the Nigeria Data Protection Act 2023: A Summary of the Law
Nigeria’s digital economy has been growing faster than the rules governing it. For years, businesses collected personal data through websites, apps, and customer databases without a clear legal framework specifying what they were allowed to do with it, how long they could keep it, or what would happen if something went wrong.
The Nigeria Data Protection Regulation (NDPR) of 2019 was a step in the right direction, but it was a regulatory instrument rather than primary legislation. It had limited enforcement muscle and no dedicated body to drive compliance. The Nigeria Data Protection Act (NDPA) 2023 changed that. Signed into law in June 2023, it is now the primary legal framework governing personal data in Nigeria, backed by a statutory regulator with real enforcement powers.
This article breaks down the key features of the NDPA 2023: what the law says, who it applies to, and what it requires. If you’re looking for the practical business implications, our companion guide on NDPA compliance for Nigerian businesses covers that in detail.
From NDPR to NDPA: What Changed and Why It Matters
Understanding the NDPA starts with understanding what it replaced and why the change was necessary.
The NDPR 2019 was issued by the National Information Technology Development Agency (NITDA) under its existing powers. It established basic data protection principles and introduced the concept of Data Protection Compliance Organisations (DPCOs) to help businesses audit their practices. But as a subsidiary regulation rather than an Act of the National Assembly, it carried limited weight and had no dedicated enforcement body.
The NDPA addresses these gaps directly. It establishes the Nigeria Data Protection Commission (NDPC) as a fully independent statutory body with its own board, investigative powers, and authority to levy fines. It elevates data protection from a regulatory preference to a legal obligation. And it aligns Nigeria’s framework more closely with international standards, particularly the EU’s General Data Protection Regulation (GDPR), which is relevant to Nigerian businesses working with foreign partners or operating in multiple markets. For a detailed comparison of both frameworks, see our NDPA vs GDPR analysis.
If your organisation was previously considered NDPR-compliant, that is a starting point, not a finish line. The NDPA introduces obligations that the NDPR did not require, and the enforcement environment is meaningfully different.
Who the Law Applies To
The NDPA has a broad territorial reach. It applies to any organisation or individual that processes the personal data of Nigerian residents, regardless of where that organisation is based. A fintech company registered in the United Kingdom that serves Nigerian customers falls within scope. So does a local logistics startup with a basic customer database.
There is no minimum size threshold. Sole proprietors, NGOs, cooperatives, startups, and large enterprises are all subject to the same framework, though the practical obligations scale with the nature and volume of data being processed.
The law distinguishes between two key roles. A data controller is any entity that determines the purpose and means of processing personal data, typically the business itself. A data processor is an entity that processes data on behalf of a controller, such as a payroll software company or a cloud storage provider. These roles carry different obligations, and a single organisation can occupy both simultaneously: acting as a controller for its own customer data while acting as a processor when it handles data on behalf of a client.
The concept of joint controllers is also relevant when two or more organisations jointly determine the purpose of processing. In those cases, the law requires a clear arrangement between the parties defining their respective responsibilities.
The Data Protection Principles
Everything in the NDPA traces back to a core set of data protection principles. These are not aspirational guidelines. They are legal requirements that underpin every processing activity, and every obligation in the law flows from them.
Lawfulness, fairness, and transparency. Personal data must be processed on a valid legal basis, in a manner that is fair to the individual, and in a way that is transparent about what is being done with their information.
Purpose limitation. Data collected for one purpose cannot be repurposed for something incompatible without a fresh legal basis. A customer’s email address collected to send an order confirmation cannot be added to a marketing list without separate consent.
Data minimisation. Only data that is necessary for the stated purpose should be collected. Organisations frequently collect more information than they need, which creates both compliance risk and unnecessary storage liability.
Accuracy. Personal data must be kept accurate and up to date. Inaccurate data must be corrected or deleted without delay.
Storage limitation. Data should not be kept longer than necessary for the purpose it was collected. This requires a retention policy that is actually enforced, not just documented.
Integrity and confidentiality. Data must be processed securely and protected against unauthorised access, accidental loss, or destruction. This covers both technical security measures and organisational controls, such as access restrictions and staff training.
Accountability. Organisations must be able to demonstrate compliance, not just claim it. This is the principle that makes internal records, documented policies, and data protection impact assessments (DPIAs) necessary rather than optional.
Lawful Bases for Processing Personal Data
Before collecting or using personal data, an organisation must identify a valid lawful basis for doing so. The NDPA provides six.
Consent is the basis most businesses default to, but it is also the most demanding. Consent must be freely given, specific, informed, and unambiguous. It cannot be buried in terms and conditions or assumed from inaction. Critically, it must be as easy to withdraw as it was to give. When a person withdraws consent, processing for that purpose must stop.
Contractual necessity applies when processing is required to fulfil a contract with the individual or to take steps at their request before entering into one. Sending an invoice, processing a payment, or delivering a purchased service all fall under this basis. It is often more appropriate than consent for transactional processing, and it does not require the same revocability obligations.
Legal obligation covers processing required to comply with Nigerian law. A business that must retain financial records under NRS regulations, for example, is processing under this basis.
Vital interests are a narrow basis that applies in emergency situations where processing is necessary to protect someone’s life. It is rarely applicable in a standard business context.
Public interest is primarily relevant to public sector bodies, government agencies, and organisations performing functions officially delegated to them.
Legitimate interests are the most flexible basis and the one most frequently misapplied. It allows processing where the organisation or a third party has a genuine interest that is not overridden by the individual’s rights and interests. It requires a balancing test: the organisation must assess whether its interest is real, whether the processing is necessary to achieve it, and whether a reasonable person would expect and accept it. Marketing to existing customers, fraud prevention, and internal administrative functions are common examples. This basis cannot be used as a catch-all to avoid the obligations that come with consent.
Sensitive Personal Data: A Higher Standard
Not all personal data carries the same level of risk. The NDPA defines a category of sensitive personal data that attracts stricter requirements because of the potential harm its exposure can cause.
Sensitive personal data includes information about a person’s health, biometrics, genetics, race or ethnicity, political opinions, religious beliefs, financial records, criminal history, and sexual orientation.
Processing sensitive personal data generally requires explicit consent, a higher and more deliberate standard than ordinary consent. It also requires stronger security measures and more careful documentation of the purpose and legal basis for processing.
Healthcare providers, hospitals, and clinics are the most obvious organisations affected, but the category is broader than most businesses assume. HR platforms that conduct background checks, lenders that process credit histories, and any organisation using biometric data for access control or identity verification are all handling sensitive personal data. If your business touches any of these categories, the baseline obligations under the NDPA are a starting point, not a ceiling.
Data Subject Rights
One of the most significant shifts the NDPA introduces is placing meaningful control over personal data in individuals’ hands. These rights are enforceable, and organisations have legal obligations to honour them.
The right of access allows individuals to request confirmation of whether their data is being processed and to receive a copy of that data, along with information about how it is being used.
The right to rectification requires organisations to correct inaccurate personal data and to complete incomplete data upon request.
The right to erasure allows individuals to request the deletion of their data when there is no longer a lawful basis for retaining it, when consent has been withdrawn, or when the data was processed unlawfully.
The right to restriction allows individuals to limit how their data is used in certain circumstances, for example, while a dispute about accuracy is being resolved.
The right to data portability allows individuals to receive their data in a structured, commonly used format and to transfer it to another organisation.
The right to object allows individuals to object to processing based on legitimate interests or for direct marketing purposes. Where an objection to direct marketing is raised, processing for that purpose must stop immediately.
Rights related to automated decision-making protect individuals from decisions made solely by automated processes that have significant effects on them, such as loan approvals or job screening, without human review.
Organisations have 30 days to respond to a valid data subject request. Failure to respond, or responding inadequately, is itself a compliance failure that can trigger an NDPC investigation.
The Nigeria Data Protection Commission: Powers and Functions
The NDPC is the statutory body established by the NDPA to enforce data protection law in Nigeria. It operates independently of government ministries and reports to the President through the Attorney-General of the Federation.
Its functions include developing codes of conduct and guidelines for specific sectors, registering and licensing data controllers and processors that meet certain thresholds, conducting audits of organisations’ data practices, investigating complaints filed by individuals, and issuing enforcement notices and fines.
The NDPC’s enforcement powers are meaningful. Fines can reach up to 2% of annual gross revenue for organisations found in breach. For serious or repeated violations, the penalties are higher. Beyond fines, the Commission can mandate remediation, impose operational restrictions, and publish enforcement decisions, which carries its own reputational weight.
The complaint mechanism matters practically. Any individual who believes their data rights have been violated can file a complaint directly with the NDPC. The Commission does not act only through formal investigations it initiates itself: it processes individual complaints and can open inquiries on that basis. As awareness of data rights grows among Nigerian consumers, this channel is likely to be used more frequently.
The NDPC also plays a role in approving Standard Contractual Clauses for cross-border transfers and developing sector-specific guidance. Its regulatory posture has been building progressively since 2023, with enforcement activity increasing as the Commission matures.
Organisational Obligations
Beyond the principles and individual rights, the NDPA places specific operational obligations on data controllers and processors.
Data Protection Impact Assessments (DPIAs) are required when processing is likely to result in high risk to individuals, particularly when new technologies are introduced, when sensitive personal data is processed at scale, or when systematic monitoring of individuals is involved. A DPIA is a structured assessment of the risk posed by a processing activity and the measures in place to mitigate it.
Records of Processing Activities (RoPA) must be maintained by organisations processing personal data. This is a documented inventory of the data collected, the legal basis for processing, the purposes of processing, the data retention periods, and any third parties with whom data is shared. It is the foundation of demonstrable accountability.
Data Protection Officers (DPOs) must be formally appointed by organisations that process data at scale, handle sensitive personal data, or conduct systematic monitoring. The DPO is responsible for monitoring internal compliance, advising on obligations, managing data subject requests, and serving as the primary contact with the NDPC.
Privacy by design requires that data protection is built into systems and processes from the outset, not added as an afterthought. This means that when a new product, service, or internal tool is being developed, data minimisation and security should be considered at the design stage.
Staff awareness and training are implicit obligations under the accountability principle. Policies that staff don’t know about or understand cannot be relied upon as evidence of compliance.
Breach Notification Requirements
The NDPA defines a data breach broadly: any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes internal incidents, not just external attacks. A misdirected email containing client records, an unsecured database, or a former employee retaining access to systems they should no longer have all qualify.
When a breach occurs and is likely to result in risk to individuals’ rights and freedoms, the NDPC must be notified within 72 hours of the organisation becoming aware of it. If the breach is likely to pose a high risk to affected individuals, those individuals must also be notified directly without undue delay.
A compliant breach notification to the NDPC must cover what data was involved, how the breach occurred, the approximate number of people affected, the likely consequences, and the steps taken or planned to address it. Organisations that have mapped their data and documented their processes are significantly better positioned to meet this requirement than those operating without that foundation.
Check how breach notification requirements compare globally at DLA Piper’s Data Protection site
Cross-Border Data Transfers
Nigerian personal data cannot be transferred to another country without adequate protections in place. The NDPA permits international transfers where the destination country offers a level of data protection the NDPC considers adequate, or where appropriate safeguards exist.
The primary safeguard mechanism is Standard Contractual Clauses (SCCs) approved by the NDPC. These are contractual commitments between the exporting and importing organisations specifying how data will be protected in the destination country. Binding Corporate Rules, used primarily within multinational groups, are another recognised mechanism.
In practice, most Nigerian businesses use foreign SaaS platforms, cloud storage services, or payment processors that store data outside Nigeria. Checking whether those vendors have SCCs or equivalent safeguards in place is part of due diligence, and it is a question that should be asked before a tool is adopted, not after. Our NDPA compliance guide for businesses provides more detail on vendor due diligence.
Penalties and Enforcement in Practice
The NDPA gives the NDPC a tiered enforcement framework. Administrative fines of up to 2% of annual gross revenue apply for standard violations. Higher penalties apply for more serious breaches, particularly those involving sensitive personal data, large volumes of affected individuals, or deliberate non-compliance.
Beyond financial penalties, the NDPC can require organisations to cease specific processing activities, mandate remediation plans, and publish enforcement actions. Public disclosure of a breach finding carries reputational consequences that often outlast the fine itself.
The early awareness-focused phase has largely given way to more structured enforcement activity. Organisations that treat compliance as a future consideration rather than a current obligation are carrying real and growing risk.
Where to Go From Here
The NDPA is a framework built on clear principles, defined rights, and accountable institutions. Understanding what the law actually says is the foundation of any serious compliance effort.
For guidance on what this means in practice for your business, including a step-by-step compliance roadmap, read our NDPA compliance guide for Nigerian businesses. For a deeper look at compliance strategies, visit our data protection compliance strategies article.
If you want to assess where your organisation currently stands or need support building out a compliance framework that fits your specific context, talk to the PlanetWeb team.