Data Protection Compliance in Nigeria: From Policy to Audit Readiness


Data Protection Compliance in Nigeria: A Practical Strategy Guide for Businesses

Most Nigerian businesses know the NDPA 2023 exists. Fewer have done anything serious about it. The assumption has been that enforcement would remain light, that the NDPC would focus on large corporations, and that a privacy notice copied from another website would be enough to tick the box.

That assumption is no longer safe. The fines imposed on Fidelity Bank Plc and MultiChoice Nigeria signalled a regulator that is actively enforcing, and the NDPC has made clear that audits will extend beyond headline names. For businesses that have been waiting to see how serious this gets, the answer is now apparent.

This guide is not a legal summary of the NDPA. It is a practical framework for building a compliance program that holds up under scrutiny, covering where to start, what the priority actions are, and what good looks like at different stages of the journey.

This article is part of PlanetWeb’s NDPA compliance series. For the foundational framework, see our NDPA Compliance Guide for Nigerian Businesses and Key Features of the NDPA 2023. For the regulator structure, see our Nigeria Data Regulators Guide.

Where Does Your Business Stand?

Before prescribing strategies, it helps to know your starting point. Most Nigerian businesses fall into one of three stages.

Stage 1: Reactive. No documented data inventory. Privacy notice copied from another website or absent entirely. Consent is handled informally or not at all. No DPO or designated responsible person. Compliance is only considered after a complaint, an incident, or news of someone else being fined.

Stage 2: Developing. Some policies exist but are inconsistently applied across the business. A data inventory was started, but it is incomplete or out of date. NDPC registration has been initiated or is in progress. The compliance officer understands the obligations, but the frontline staff do not. Vendor contracts exist but lack data processing clauses.

Stage 3: Mature. A documented data map is maintained and reviewed at least annually. Lawful basis is recorded for each processing activity. Privacy notices are accurate, accessible, and current. NDPC registration is in place. A DPO has been appointed, or a licensed DPCO has been engaged. Vendor contracts include data processing agreements. A breach response plan exists and has been tested. Staff have been trained, and records have been kept to demonstrate it.

Most Nigerian businesses reading this are at Stage 1 or early Stage 2. This guide is structured to move them forward, whatever their starting point. The goal is not perfection. It is demonstrable, documented progress in the right direction.

The Real Cost of Compliance vs. the Cost of Getting It Wrong

Before diving into the how, it is worth being honest about the economics on both sides. This is the conversation compliance officers need to have with leadership, and vague warnings about fines rarely persuade anyone.

What Non-Compliance Costs

NDPC fines may reach up to ₦10 million or 2% of gross annual revenue, whichever is higher, under Section 48 of the NDPA. For businesses in regulated sectors, sector regulator sanctions can stack on top. A fintech facing an NDPC fine may also receive a response from the CBN. Beyond financial penalties, the NDPC can issue orders to halt data processing, which, in practice, could mean your CRM, payment system, or HR portal is suspended during an investigation.

Enterprise clients, particularly banks, telecoms, and multinational companies, now routinely require evidence of NDPA compliance before signing contracts. Losing a tender or a partnership because you cannot produce a compliance record is a business cost that rarely gets captured in risk assessments, yet it is very real.

In M&A transactions and investor due diligence, data governance is now a review category in its own right. Buyers and investors increasingly request evidence of NDPC registration, lawful-basis documentation, and data-processing agreements with vendors. An undocumented data flow, a missing DPA, or a lapsed registration can delay a transaction or trigger additional legal review at a stage where neither party wants complications.

What Building a Compliance Program Costs

The foundational work of conducting a data audit, documenting lawful basis, updating privacy notices, registering with the NDPC, and reviewing vendor contracts is primarily an investment of time and process, not infrastructure. For a small Nigerian business, a baseline compliance program is achievable in weeks with the right focus. Larger organisations will take longer, but the trajectory matters more than the timeline.

Businesses that build compliance proactively have a materially easier audit experience than those scrambling to demonstrate it retrospectively. The NDPC looks more favourably on organisations that can demonstrate documented effort, even if the program is still in development.

Start with a Data Map

Every other compliance activity depends on this one. You cannot document a lawful basis, respond to data subject requests, or demonstrate accountability to the NDPC without first knowing what personal data you hold, where it lives, and what you do with it.

What a Data Map Should Capture

A data map should record the category of personal data, the source from which it was collected, where it is stored, the purpose for which it was collected, the lawful basis for processing, how long it is retained, and who has access to it, including third-party vendors and cloud platforms.

Where Data Maps Usually Fail

The failure points are predictable: data maps that cover customer data but ignore employee data, maps that miss archived records or data stored in spreadsheets on individual laptops, and maps that are completed once and never reviewed. A data map that is twelve months out of date is a liability in an audit, not an asset.

The data map is a business exercise, not a technical one. Its content requires input from every department. Finance knows what payroll data is held and where. HR knows what employee records exist. Sales knows what the CRM contains. The compliance officer’s job is to gather that knowledge and document it systematically.

For businesses using Microsoft 365, SharePoint’s compliance features can support access logging and document tracking as part of a broader compliance architecture. See our guide on SharePoint NDPA compliance for specific configuration guidance.

Lawful Basis: More Than Just Consent

One of the most common compliance errors in Nigerian businesses is treating consent as the default lawful basis for every processing activity. The NDPA provides six lawful bases, and consent is not always the right choice, or even a valid one.

The Six Lawful Bases

Consent is appropriate for marketing communications, newsletter subscriptions, and optional data collection. It must be freely given, specific, informed, and easy to withdraw. Critically, it cannot be bundled into general terms and conditions, and making service delivery conditional on consent to marketing is not valid consent under the NDPA.

Contractual necessity covers processing required to deliver a service the individual has signed up for, such as processing payment details, maintaining an account, or fulfilling a purchase order. If you need the data to perform the contract, this is the right basis.

Legal obligation covers processing required by Nigerian law: payroll records retained for FIRS purposes, customer records maintained under CBN requirements, and employment records kept under labour law. Where the law requires you to hold data, this is the basis to document.

Vital interests apply only in genuine medical or safety emergencies and are rarely relevant outside healthcare. Public interest applies primarily to government bodies and is generally not available to private sector businesses for routine commercial processing.

Legitimate interests are available to private sector organisations but require a balancing test. The organisation’s legitimate interest in processing must be weighed against the individual’s rights and expectations. It is not a catch-all for processing that does not fit the other bases, and the balancing assessment must be documented.

For every category of personal data in your data map, record which lawful basis applies and why. This is what the NDPC will ask to see first.
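As an added example (written for this guide, not PlanetWeb’s own tooling), the following Python checker runs the data-map and lawful-basis requirements described above over a small register export. The field names, the `balancing_test_ref` and `consent_record_ref` document references, the reference date and the three sample entries are all constructed assumptions. The checks mirror the text: every entry carries the fields a data map should capture, the lawful basis is one of the six and a legitimate-interests claim carries a documented balancing test, indefinite retention needs a written justification, nothing has gone more than twelve months without review, and the register as a whole covers employee data rather than only customers.

```python
from datetime import date, timedelta

# The six lawful bases named in the guide; a register entry must use one of them.
LAWFUL_BASES = {
    "consent", "contractual_necessity", "legal_obligation",
    "vital_interests", "public_interest", "legitimate_interests",
}

# Fields every entry must carry: the guide's list of what a data map captures.
# Field names are assumptions made for this example.
REQUIRED_FIELDS = (
    "category", "data_subjects", "source", "storage", "purpose",
    "lawful_basis", "retention", "access", "last_reviewed",
)

REVIEW_MAX_AGE = timedelta(days=365)  # a map twelve months out of date is a liability


def audit_entry(entry, today):
    """Return a list of findings for one register entry (empty list means it passes)."""
    findings = []
    name = entry.get("category", "<unnamed entry>")

    for field in REQUIRED_FIELDS:
        if not entry.get(field):
            findings.append(f"{name}: missing '{field}'")

    basis = entry.get("lawful_basis")
    if basis and basis not in LAWFUL_BASES:
        findings.append(f"{name}: '{basis}' is not one of the six NDPA lawful bases")
    if basis == "legitimate_interests" and not entry.get("balancing_test_ref"):
        findings.append(f"{name}: legitimate interests claimed without a documented balancing test")
    if basis == "consent" and not entry.get("consent_record_ref"):
        findings.append(f"{name}: consent claimed but no consent record referenced")

    if entry.get("retention") == "indefinite" and not entry.get("retention_justification"):
        findings.append(f"{name}: indefinite retention with no documented justification")

    reviewed = entry.get("last_reviewed")
    if reviewed and today - reviewed > REVIEW_MAX_AGE:
        findings.append(f"{name}: last reviewed {reviewed.isoformat()}, more than twelve months ago")

    return findings


def audit_data_map(entries, today):
    """Audit the whole register: per-entry findings plus coverage gaps across the map."""
    findings = []
    for entry in entries:
        findings.extend(audit_entry(entry, today))

    # Coverage check: maps that cover customers but ignore employee data are a common failure.
    subjects = {s for e in entries for s in e.get("data_subjects", [])}
    if "employees" not in subjects:
        findings.append("register: no entry covers employee data (payroll, HR records)")
    return findings


TODAY = date(2025, 6, 30)  # constructed reference date for the review-age check

# Constructed sample register: one clean entry and two with typical defects.
SAMPLE_REGISTER = [
    {   # complete, current, correct basis
        "category": "customer contact details",
        "data_subjects": ["customers"],
        "source": "account registration form",
        "storage": "CRM (vendor-hosted)",
        "purpose": "account administration and order fulfilment",
        "lawful_basis": "contractual_necessity",
        "retention": "6 years after account closure",
        "access": ["sales", "support", "CRM vendor"],
        "last_reviewed": date(2025, 3, 1),
    },
    {   # consent claimed with no consent record, indefinite retention, stale review
        "category": "newsletter subscribers",
        "data_subjects": ["customers", "prospects"],
        "source": "website sign-up form",
        "storage": "email marketing platform",
        "purpose": "marketing communications",
        "lawful_basis": "consent",
        "retention": "indefinite",
        "access": ["marketing"],
        "last_reviewed": date(2023, 11, 15),
    },
    {   # spreadsheet on a laptop: invented basis label, no retention period
        "category": "event attendee list",
        "data_subjects": ["prospects"],
        "source": "conference registration desk",
        "storage": "spreadsheet on sales laptop",
        "purpose": "follow-up calls",
        "lawful_basis": "business need",
        "retention": "",
        "access": ["sales"],
        "last_reviewed": date(2025, 1, 10),
    },
]

if __name__ == "__main__":
    for finding in audit_data_map(SAMPLE_REGISTER, TODAY):
        print(finding)
```

Run against the sample register, the checker reports nothing for the first entry, three findings for the newsletter list, two for the event spreadsheet and one register-wide gap for the missing employee data. The point of the exercise is that each finding maps to a specific item an NDPC auditor would ask to see, so the output doubles as a remediation list.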

NDPC Registration

Registration with the NDPC is mandatory for data controllers that meet the NDPC’s classification thresholds. Unlike the GDPR, the NDPA includes no opt-out from registration: qualifying organisations must register to operate legally.

How to Register

Registration is completed through the NDPC portal at ndpc.gov.ng. The process requires information about the organisation, the categories of personal data processed, the purposes of processing, and details of the responsible person or DPO. Registration is subject to annual renewal, and your registration status is one of the first things an NDPC auditor will check.

Data Controllers of Major Importance

Organisations classified as Data Controllers of Major Importance, defined by processing volume, sensitivity of data processed, or sector designation, have additional obligations beyond basic registration, including mandatory DPCO engagement or DPO appointment and annual data protection audits. For a full breakdown of how the NDPC classifies organisations and what each classification requires, see our Nigeria Data Regulators Guide.

Vendor Risk and Data Processing Agreements

Every Nigerian business uses vendors that touch personal data: payroll platforms, CRM systems, payment gateways, HR software, and email marketing tools. Under the NDPA, the data controller retains responsibility for what happens to that data regardless of who processes it. The vendor’s failure is, legally, the controller’s problem.

What a DPA Must Cover

A Data Processing Agreement with each vendor is not a formality. It needs to cover the subject matter and duration of processing, the nature and purpose, the categories of data and data subjects involved, the processor’s obligations and restrictions, security requirements, breach notification timelines, restrictions on sub-processing, and what happens to data when the contract ends, whether it is returned or deleted, and how that is confirmed.

The Nigerian Reality

Many local vendors do not proactively offer DPAs. International vendors often have standard agreements that may not satisfy every NDPA requirement. It is the data controller’s responsibility to request, review, and, where necessary, negotiate these agreements. Assuming a DPA is in place because a vendor is reputable is not a compliance position.

If a vendor causes a data breach, the NDPC will examine whether a proper DPA was in place. The absence of one compounds the controller’s liability regardless of fault. For breach notification requirements and what to do when a breach occurs, see our Responding to Data Breaches in Nigeria guide.

Record-Keeping: Your Compliance Defence

The NDPC does not take an organisation’s word for compliance. An auditor will ask for evidence, and record-keeping is what converts good intentions into a defensible position.

What to Keep on Record

Organisations should maintain records of their data map and revision history, lawful-basis documentation, consent records, data-subject request logs, DPIAs for high-risk activities, staff training logs, vendor contract reviews, and breach records, including the outcome of each assessment.

When to Start Keeping Records

The mistake most organisations make is treating record-keeping as something to organise after the compliance program is built. Records need to be created as part of the process itself. An auditor can tell the difference between records maintained over time and records assembled in a hurry.

Building a Compliance Culture

Policies and documentation will not protect a business if staff do not follow them. Most data incidents in Nigerian organisations result from human error: a file shared with the wrong person, a phishing email that bypasses controls, a customer database exported to a personal device.

What Meaningful Staff Training Covers

Effective training addresses what personal data means under the NDPA and what counts as sensitive data, what lawful basis means in practice for each role, how to recognise and respond to a data subject request, what to do when a potential breach is discovered, and who the DPO or responsible person is and how to reach them.

Training is not a one-hour onboarding session that is never repeated. It needs to be role-specific, refreshed at intervals, and documented. A customer-facing sales team has different obligations from a finance team processing payroll. Training that treats all staff the same tends to be remembered by none of them.

The Culture Dimension

Compliance that lives only with the compliance officer will not take hold. Leadership needs to treat data protection as an operational value: resourcing it properly, including it in business reviews, and holding every department accountable, not just the compliance function.

Sector-Specific Considerations

Compliance obligations under the NDPA apply to every organisation that processes personal data in Nigeria, but the practical implications differ significantly by sector.

Fintech and Financial Services

NDPA compliance sits alongside CBN’s data localisation requirement, which mandates that financial data be hosted within Nigeria. Both obligations apply simultaneously and independently. Open banking introduces additional consent requirements: consent to share data with third-party providers is distinct from general service consent and must be managed separately. The 72-hour breach notification window applies to both NDPC and CBN, which may require simultaneous notifications to two regulators. DPIAs are essential before launching any new data-intensive product feature. For guidance on cross-border data flows and dual compliance with international frameworks, see our NDPA vs GDPR Comparison.

Healthcare

Patient data is sensitive personal data under the NDPA, subject to explicit consent requirements and enhanced security measures. Role-based access is not optional. Clinical staff should access only records relevant to their patients, and that access should be logged. Retention policies need to balance data minimisation against clinical record-keeping practice, with medical necessity clearly documented as the justification. Telehealth platforms face additional considerations around data residency if diagnostic data is processed outside Nigeria. Our Electronic Health Records guide for Nigerian clinics covers implementation considerations specific to healthcare providers.

E-Commerce and Retail

Consent management at the point of collection, including checkout forms, account registration, and newsletter sign-up, is where most e-commerce businesses have significant gaps. Consent must be specific to each purpose; a single checkbox at checkout cannot simultaneously cover order processing, marketing emails, and data sharing with partners. Payment gateway data is subject to PCI-DSS requirements in addition to NDPA obligations, and the boundary of liability between the merchant and the payment provider needs to be clearly defined in a DPA. Customer data retention after a purchase or account closure is one of the most frequently overlooked obligations. Most businesses retain customer data indefinitely with no documented justification, which is both an NDPA violation and a practical security risk.

Next Steps

Building a compliant data protection program is not a one-time project. Enforcement precedents are accumulating, NDPC guidance continues to develop, and the obligations on Nigerian businesses will sharpen over time. What you build now needs to be maintained, not filed away.

Start with the data map. Everything else follows from knowing what you hold. From there, document your lawful basis, register with the NDPC if you have not already, review your vendor contracts, and put a breach response plan in place before you need one.

If your business is navigating these obligations and is unsure where the gaps lie, get in touch with PlanetWeb to discuss where your compliance program stands.

Frequently Asked Questions

Who needs to register with the NDPC?

Any organisation that processes personal data in Nigeria above the defined thresholds is required to register. This includes businesses, NGOs, schools, and healthcare providers, and registration is not limited to large corporations.

What is the difference between a Data Controller and a Data Processor?

A Data Controller decides what personal data to collect and why. A Data Processor handles data on behalf of a controller, such as a payroll provider or cloud storage vendor. Many organisations act as both, depending on the context.

Do I need a Data Protection Officer?

A DPO is mandatory for organisations classified as Data Controllers of Major Importance under the NDPA, typically those processing large volumes of sensitive data or conducting systematic monitoring. Smaller organisations can engage a licensed Data Protection Compliance Organisation as an alternative.

What is a DPIA and when is it required?

A Data Protection Impact Assessment is a formal process for identifying and mitigating privacy risks in a data processing activity. It is required before launching high-risk processing activities, such as biometric data collection, large-scale profiling, or new fintech product features.

Can I use consent as the lawful basis for all data processing?

No. Consent is one of six lawful bases under the NDPA and is not appropriate for every processing activity. Processing required to fulfil a contract, to comply with a legal obligation, or to pursue a legitimate interest each rests on its own, more appropriate basis in those contexts.

What should a Data Processing Agreement with a vendor include?

A DPA should cover the scope and purpose of processing, security requirements, breach notification obligations, restrictions on sub-processing, and what happens to data when the contract ends. The data controller is responsible for ensuring a DPA is in place, not the vendor.

How long should I keep personal data?

The NDPA requires that personal data is not kept longer than necessary for the purpose for which it was collected. Retention periods should be documented in your data map, with specific justifications for categories kept longer because of legal obligations such as FIRS or CBN requirements.

What is the first thing I should do to start building an NDPA compliance program?

Conduct a data audit. Map what personal data your organisation holds, where it is stored, what it is used for, and who has access to it. Every other compliance activity depends on having that inventory documented.