Comparison of NDPA 2023 and GDPR: What It Means for Nigerian Businesses

Comparison of NDPA 2023 and GDPR: A Practical Guide for Nigerian Businesses

Most conversations about the comparison of NDPA 2023 and GDPR focus on what the two laws have in common. That is a useful starting point, but it is not the whole picture. Nigerian businesses dealing with European clients, investors, and partners need to understand where the laws diverge, which one applies to them, and what happens when both do.

This is not a theoretical question. If your business processes the personal data of EU residents, the GDPR applies to you regardless of where you are incorporated. If you operate in Nigeria, the NDPA applies. For a growing number of Nigerian businesses, both are in play simultaneously, and the compliance requirements are not identical.

This article works through the comparison practically: what aligns, where the laws diverge, where the NDPA is actually stricter, and what dual compliance looks like for different types of Nigerian businesses.

This article is part of PlanetWeb’s NDPA compliance series. For the foundational framework, see our NDPA Compliance Guide for Nigerian Businesses and our breakdown of NDPA Key Features. For guidance on Nigeria’s data regulators and enforcement structure, see our Nigeria Data Regulators Guide.

Two Laws, One Shared Logic

The NDPA was drafted with deliberate reference to the GDPR. Nigeria’s approach to data protection was shaped by the recognition that international alignment would make Nigerian businesses more credible to foreign partners and open the door to cross-border data flows without friction.

The result is that both laws are built on the same foundational logic: personal data must be processed lawfully, transparently, and for defined purposes. Data collected for one purpose cannot be quietly repurposed for another. Only the data needed should be collected, and it should not be kept longer than necessary. Organisations are accountable for what happens to data under their control.

These shared principles mean the underlying compliance mindset is the same, even where specific rules differ. A business that has built a genuine GDPR compliance program has developed habits, documentation practices, and internal structures that transfer directly to NDPA compliance. The adjustment is real but manageable.

Which Law Applies to You

The answer depends on where your business operates, where your customers are, and where your data flows.

Nigerian business, Nigerian customers only. The NDPA applies. The GDPR does not apply unless EU residents’ personal data flows through your business in some way, for example, through a platform used by EU users or through data shared by a European partner.

Nigerian businesses with EU clients, partners, or users. Both laws apply. The GDPR’s extraterritorial scope under Article 3 means that processing the personal data of EU residents triggers GDPR obligations regardless of where the processing organisation is located. If you provide services to EU customers or monitor the behaviour of people in the EU, you are in scope.

EU or UK company operating in Nigeria or processing Nigerian data. The GDPR follows the data, so it applies to EU and UK organisations regardless of where they process. The NDPA applies to any organisation that processes personal data in Nigeria or targets Nigerian residents. Both laws apply simultaneously.

The practical rule for any business where both apply: comply with both. Where the requirements conflict, apply the stricter standard. This is not always onerous because the two frameworks are largely compatible, but there are specific areas where the NDPA imposes obligations that go beyond the GDPR.

One clarification worth making: the UK left the EU in 2020 and now operates under its own data protection regime, the UK GDPR, which sits alongside the Data Protection Act 2018. UK GDPR mirrors EU GDPR closely, but is a separate legal instrument with its own enforcement authority (the ICO). Nigerian businesses with UK clients or partners are dealing with UK GDPR, not EU GDPR, though the practical requirements are very similar.

Where the Two Laws Align

The alignment between NDPA and GDPR is genuine and substantive, not cosmetic.

Both laws require a lawful basis for every instance of personal data processing. The six lawful bases are the same under both: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. The conditions attached to each basis are comparable, and consent under both laws must be freely given, specific, informed, and unambiguous.

Data subject rights are broadly equivalent. Under both the NDPA and the GDPR, individuals can request access to their personal data, seek correction of inaccurate records, request erasure in certain circumstances, obtain their data in a portable format, and object to certain types of processing. Both laws require organisations to respond to these requests within a defined timeframe.

Breach notification timelines are identical: 72 hours from the point of becoming aware of a high-risk breach. Both laws require notification to the supervisory authority and, where the risk to individuals is high, direct notification to affected individuals.

Data Protection Officer requirements follow similar thresholds under both laws, applying where an organisation processes large volumes of sensitive personal data or conducts systematic monitoring of individuals. Both laws also require privacy notices, data processing records, and documented security measures.

This level of alignment is commercially useful. Businesses that have invested seriously in GDPR compliance are not starting from scratch with the NDPA. The documentation, internal processes, and compliance culture transfer. What remains is to understand and address the differences.

For a deeper look at what NDPA compliance requires operationally, see our Data Protection Compliance Strategies guide.

Where They Diverge

The differences between NDPA and GDPR are real and in some cases operationally significant. The comparison below sets out the key points of divergence, aspect by aspect.

Regulator. NDPA 2023: NDPC (single national authority). GDPR: national authority in each EU member state.

Registration. NDPA 2023: mandatory with the NDPC. GDPR: not required.

Maximum fines. NDPA 2023: ₦10M or 2% of gross revenue (data controllers of major importance); ₦2M or 2% (others). GDPR: €20M or 4% of global annual turnover.

Cross-border transfers. NDPA 2023: contractual safeguards; NDPC approval may be required, depending on the mechanism and destination. GDPR: SCCs, BCRs, or an adequacy decision.

Data localisation. NDPA 2023: CBN requires financial data to be hosted in Nigeria. GDPR: no general localisation requirement.

Sector-specific rules. NDPA 2023: CBN, NCC, and other sector rules apply alongside the NDPA. GDPR: operates without an additional sector layer in most cases.

Age of consent. NDPA 2023: 13. GDPR: 13 to 16, depending on the member state.

DPIAs. NDPA 2023: encouraged, not always mandatory. GDPR: required for high-risk processing.

Breach notification. NDPA 2023: 72 hours from awareness. GDPR: 72 hours from awareness.

Adequacy status. NDPA 2023: no EU adequacy decision. GDPR: varies by third country.

On penalties: GDPR fines are substantially larger in absolute terms. €20 million or 4% of global annual turnover dwarfs the NDPA’s ceiling in most cases. However, for large Nigerian businesses, 2% of gross annual revenue can still represent a significant sum, and the trajectory of NDPC enforcement suggests fines will grow in both frequency and scale.

On enforcement maturity: GDPR enforcement has years of precedent, published decisions, and established interpretation from national data protection authorities and the European Data Protection Board. NDPA enforcement is newer. The fines imposed on Fidelity Bank Plc and MultiChoice Nigeria signal that the NDPC is becoming an active enforcement body, but there is less established case law to draw on.

On sector-specific layering: This is a practical complexity that GDPR does not create in the same way. A Nigerian fintech must satisfy the NDPA and CBN’s data localisation requirements simultaneously. A European fintech operating under GDPR does not face an equivalent combination. This makes compliance planning more involved for Nigerian businesses in regulated sectors.

Where the NDPA is Stricter

The GDPR is not always the most demanding law. There are specific areas where the NDPA imposes obligations that go beyond what GDPR requires.

Mandatory NDPC registration. Any organisation that processes personal data above the defined thresholds is required to register with the Nigeria Data Protection Commission. GDPR has no equivalent registration requirement. This is an administrative obligation that GDPR-compliant businesses will not have encountered and must address separately.

NDPC authorisation for cross-border transfers. Under the GDPR, Standard Contractual Clauses are generally sufficient as a transfer mechanism for sending data outside the EU, provided they are supported by a Transfer Impact Assessment. Under the NDPA, depending on the transfer mechanism and destination, businesses may also need to obtain NDPC approval in addition to contractual safeguards, making the transfer process more involved than a standard SCC execution.

Data localisation for financial data. The Central Bank of Nigeria requires that financial data be hosted on servers within Nigeria. This applies regardless of what the NDPA permits on cross-border transfers. There is no GDPR equivalent. A Nigerian fintech using a cloud platform with servers outside Nigeria needs to confirm its financial data is properly localised, a requirement that sits entirely outside the GDPR framework.

For more on how sector-specific rules interact with the NDPA, see our Nigeria Data Regulators Guide.

Nigeria’s Adequacy Status and What It Means

Nigeria has not received an adequacy decision from the European Commission. This is a practical and commercially significant gap.

An adequacy decision is the European Commission’s formal finding that a third country provides a level of data protection essentially equivalent to the EU’s. Countries with adequacy decisions, including the UK (for now), Japan, and Canada, can receive personal data from the EU without additional transfer mechanisms. Nigeria is not on that list.

What this means for Nigerian businesses: you cannot rely on adequacy when transferring personal data to or from the EU. You must use Standard Contractual Clauses, the EU Commission’s standard contract templates that impose GDPR-equivalent obligations on both the data exporter and importer. In most cases, you will also need to conduct a Transfer Impact Assessment to evaluate whether the destination country’s laws undermine the protections the SCCs are meant to provide.

The EU Commission’s standard contractual clauses are available at commission.europa.eu. Nigerian businesses engaging in EU data flows should ensure these are in place and properly executed before transfer.

The NDPA’s alignment with GDPR is partly designed to build the case for a future adequacy application. Regulatory alignment signals to the European Commission that Nigeria’s framework meets international standards. This is a long-term process, but it gives Nigerian businesses a reason to take NDPA compliance seriously, not just for domestic enforcement.

The UK has its own adequacy framework post-Brexit. The UK government has granted adequacy to a defined list of countries under UK GDPR, though this is subject to periodic review. Nigeria is not currently on that list, which means the same SCC-based approach applies to UK data flows.

Dual Compliance in Practice: Three Business Scenarios

A Lagos fintech with EU investors and UK clients. This business is subject to the NDPA for its Nigerian operations. Its EU investor relationships likely involve sharing financial and corporate data with EU-based entities, bringing GDPR into play. Its UK client base triggers UK GDPR. CBN’s data localisation requirement applies to financial data. In practice, this means NDPC registration, SCCs for EU and UK data flows, CBN-compliant data hosting, and a compliance structure that satisfies the NDPA and GDPR’s requirements for consent, data subject rights, and breach notification.

A Nigerian SaaS company selling to African markets only. The NDPA applies. GDPR applies only if EU resident data is processed, for example, if an EU national working in Lagos uses the platform, or if the company’s cloud infrastructure routes data through EU servers. The practical question is whether EU residents’ data touches the system at all. If the answer is no, the GDPR compliance burden is minimal. If the answer is yes, even incidentally, it is worth understanding where the exposure sits and whether SCCs are needed.

A European company setting up Nigerian operations. GDPR follows the data and continues to apply to EU personal data regardless of where processing occurs. NDPA applies to Nigerian operations that process the personal data of Nigerian residents. This business needs to register with the NDPC, appoint a DPO if required under NDPA thresholds, and comply with CBN localisation requirements if operating in financial services.

Building a Compliance Framework That Covers Both

The most practical approach for businesses subject to both laws is a single compliance program, not two separate frameworks running in parallel.

The foundational requirements are shared across both laws: lawful-basis documentation, privacy notices, data-subject rights processes, breach-response procedures, and a DPO or equivalent appointment. These can be designed once and applied to both NDPA and GDPR obligations. What differs is the addenda: NDPC registration, cross-border transfer authorisation, CBN localisation compliance, and the specific procedural requirements of each regulator.

Mapping your data flows is the essential starting point. You need to know what personal data you hold, where it comes from, where it goes, who has access to it, and on what legal basis each processing activity rests. Without that map, you cannot reliably identify where GDPR applies, where NDPA applies, and where both do.

This is work that benefits from experienced guidance, particularly where regulated sectors, international data flows, and multiple legal frameworks intersect. If your business is navigating the overlap between NDPA and GDPR and you are unsure where your obligations begin and end, get in touch with PlanetWeb to discuss where your compliance framework stands.

The Commercial Case for Getting This Right

International data governance standards matter commercially, not just for regulatory compliance. European companies conducting due diligence on Nigerian partners, suppliers, and acquisition targets increasingly assess data governance maturity as part of that process. Investors with EU exposure look for evidence that portfolio companies are managing data risk appropriately.

In cross-border transactions, data governance due diligence now routinely covers lawful basis documentation, data transfer mechanisms, processor agreements, and regulatory registration status. An NDPA registration gap or undocumented transfer mechanism can delay or derail a transaction at a critical stage.

Properly documented NDPA compliance is a credible signal to foreign counterparts that your organisation handles data responsibly. It does not substitute for GDPR compliance where GDPR applies, but it demonstrates that your underlying governance framework meets recognised standards.

The businesses that treat this as a competitive asset rather than a regulatory burden are better positioned to win cross-border contracts, attract foreign investment, and operate globally without the disruption that a data governance gap creates when it surfaces at the wrong moment.

Frequently Asked Questions

Does the NDPA apply to Nigerian businesses with EU customers?

Yes, the NDPA applies to any organisation processing personal data within Nigeria. If you also process the personal data of EU residents, the GDPR applies as well, regardless of where your business is incorporated.

Do I need to comply with both the NDPA and GDPR?

If your business processes the personal data of EU residents alongside Nigerian residents, both laws apply. The practical approach is a single compliance framework designed to satisfy both, with specific addenda for each law’s unique requirements.

What are the main differences between NDPA and GDPR penalties?

GDPR fines reach up to €20 million or 4% of global annual turnover. NDPA fines under Section 48 reach up to ₦10 million or 2% of gross annual revenue for Data Controllers of Major Importance, and ₦2 million or 2% for other organisations.

Has Nigeria received a GDPR adequacy decision?

No. Nigeria does not currently have an EU adequacy decision, which means Nigerian businesses transferring personal data to or from the EU must use Standard Contractual Clauses rather than relying on adequacy.

How do I transfer personal data between Nigeria and the EU legally?

You need Standard Contractual Clauses in place between the data exporter and importer, supported by a Transfer Impact Assessment. Depending on the transfer mechanism and destination, NDPC approval may also be required in addition to the contractual safeguards.

Is a GDPR-compliant business automatically NDPA-compliant?

Not automatically. GDPR compliance provides a strong foundation, but the NDPA requires mandatory NDPC registration, which GDPR does not, and cross-border transfers may require NDPC approval in addition to the contractual safeguards GDPR relies on.

Does the NDPA apply to UK data after Brexit?

The UK operates under its own data protection regime, UK GDPR, which is separate from EU GDPR. Nigerian businesses with UK clients or partners are subject to UK GDPR for that data, not EU GDPR, though the requirements are very similar in practice.

What is the NDPC registration requirement, and does GDPR have an equivalent?

Organisations processing personal data above defined thresholds must register with the Nigeria Data Protection Commission. GDPR has no equivalent registration requirement, making this one area where the NDPA imposes an obligation that GDPR-compliant businesses will not have encountered.