Nigeria Data Protection Act for Businesses: What You Need to Know
Most Nigerian businesses are already handling personal data, and many don’t realise the extent of it. Every contact form submission, newsletter sign-up, purchase record, and support ticket represents personal information that the law now requires you to manage responsibly.
The Nigeria Data Protection Act (NDPA) 2023 is in effect. The Nigeria Data Protection Commission (NDPC), the regulatory body responsible for enforcement, is operational and has moved beyond awareness campaigns into active enforcement engagement. The question is no longer whether this law applies to your business. It’s whether you’re ready for when it becomes relevant in a way you can’t ignore.
This guide breaks down what the NDPA requires, how to assess where your business stands on NDPA compliance in Nigeria, and how to move forward without being buried in legal complexity.
What Counts as Personal Data
Many businesses assume the NDPA targets only companies handling obviously sensitive records, like patient files or bank account details. That’s a narrow reading that leaves a lot of businesses exposed without knowing it.
Under the NDPA, personal data is any information that can identify a natural person, directly or indirectly. The list is broader than most people expect: names, phone numbers, addresses, email addresses, national identification numbers, IP addresses, device identifiers, transaction records, photographs, and location data. An employee’s salary or a customer’s purchase history both qualify.
The indirect identification piece matters. You don’t have to hold someone’s full name for data to be personal. A combination of an email address, a job title, and a company name can be enough. If information can be reasonably traced back to a specific living person, it falls within scope.
The practical implication: if you have a customer database in Excel, an email marketing list, a CRM, a WhatsApp Business account, or a website with a contact form, you are already processing personal data. The NDPA applies to you.
Does the NDPA Apply to Your Business?
The NDPA covers any individual or organisation that collects, stores, processes, or transfers personal data of Nigerian residents, regardless of where that organisation is based. There is no minimum revenue threshold, no employee count requirement, and no exemption for small businesses.
Sole proprietors, NGOs, cooperatives, startups, and informal businesses with any digital footprint are all in scope. A recruitment agency managing candidate CVs, a school with a student database, and a logistics company tracking delivery recipients: all carry obligations under the law.
The NDPA also distinguishes between two key roles. A data controller determines the purpose and means of processing personal data, typically the business itself. A data processor processes data on behalf of a controller, such as a cloud storage provider or payroll software company. Understanding the obligations of data controllers and processors under the NDPA matters because they differ, and the NDPC uses this distinction when assessing accountability. Your business may occupy both roles simultaneously.
Read more about the scope and key provisions of the NDPA
The Core Obligations Every Business Must Know
Getting Consent Right
Consent is one of six lawful bases for processing personal data under the NDPA, and it’s the one most businesses default to without fully understanding what it requires. The other five are contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. Knowing which basis applies matters, because choosing consent brings specific obligations that the other bases don’t.
When consent is the right basis, it must be freely given, specific, informed, and unambiguous. The person must actively indicate agreement, not just fail to opt out. Pre-ticked checkboxes, vague language like “by continuing to use this site you agree,” and buried clauses in terms and conditions all fail this standard. Consent must also be revocable, and withdrawal must be as easy as giving consent in the first place.
For businesses running email newsletters, promotional campaigns, or cookie-based tracking, this is typically where the most immediate compliance work sits.
Responding to Data Subject Requests
Under the NDPA, individuals have defined rights over their own data: access, correction, erasure, restriction of processing, and data portability. Businesses have legal obligations to honour each of them within 30 days of a valid request.
In practice, that means knowing where all your data lives and how to retrieve or delete it on request. For a business with data scattered across spreadsheets, a CRM, an email platform, and a WhatsApp archive, that’s harder than it sounds without preparation. A simple system covers most small businesses: a dedicated email address for data requests, a log to track timelines, and a staff member who knows the process.
Learn more about how the NDPC enforces data subject rights
Appointing a Data Protection Officer
A Data Protection Officer (DPO) monitors internal compliance, advises on data protection obligations, and serves as the primary point of contact with the NDPC. You are more likely to need one formally if your business processes data at scale, handles sensitive categories like health records or biometric data, or conducts systematic monitoring of individuals. Banks, hospitals, HR tech platforms, and telecoms typically fall into this category.
The role is less about policing behaviour and more about building awareness: training staff, reviewing new initiatives for data protection risks, managing subject requests, and liaising with the regulator. For businesses below the formal threshold, a part-time appointment or external consultant arrangement works. What matters is that the responsibility sits somewhere with real authority to act.
Understand when a DPO is required under Nigerian law
Managing Your Vendors and Third-Party Tools
Most Nigerian businesses use platforms like Mailchimp, Zoho CRM, HubSpot, Google Workspace, or WhatsApp Business API without thinking much about the data implications. Under the NDPA, the fact that a vendor handles your data does not transfer your legal responsibility. You remain accountable.
The key instrument is the Data Processing Agreement (DPA): a contract that specifies what data is being processed, the purpose, security measures, breach notification procedures, and what happens to the data when the relationship ends. Many major international platforms offer standard DPAs on request. If a vendor cannot or will not sign one, continuing to use them is a liability worth weighing seriously.
Cross-Border Data Transfers
Most tools Nigerian businesses use store data outside Nigeria, typically in the United States or Europe. International transfers are permitted only when the destination country offers adequate data protection, as assessed by the NDPC, or when appropriate safeguards are in place, such as NDPC-approved Standard Contractual Clauses (SCCs). Before adopting a new SaaS platform or cloud provider, ask where the data will be stored and what contractual commitments the vendor is making. Most reputable international vendors have SCCs built in. For less-established vendors, that due diligence falls to you.
Review cross-border data transfer standards
The 72-Hour Breach Notification Rule
A data breach is not just a hacking incident. Under the NDPA, it includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. A staff member accidentally emailing a client list to the wrong recipient, a stolen laptop with unencrypted records, a misconfigured cloud storage bucket: all qualify.
When a breach is likely to result in risk to individuals’ rights, you must notify the NDPC within 72 hours of becoming aware of it. If the risk to affected individuals is high, you must also notify them directly. That window is tight without preparation. A one-page incident response checklist covering what was breached, how, who is affected, and what steps you’ve taken costs almost nothing to produce and is worth significantly more when something goes wrong.
Check global breach notification standards at DLA Piper’s Data Protection site
Higher-Risk Industries
The NDPA applies broadly, but certain sectors attract closer regulatory attention because the data they handle creates greater potential for harm.
Healthcare providers handle health records, diagnostic histories, and biometric data, all of which qualify as sensitive personal data. Consent requirements are stricter, security standards are higher, and the consequences of a breach are more serious for patients and providers alike.
Fintechs, lenders, and payment processors hold financial records, credit histories, and often BVN or NIN information. The overlap between NDPA obligations and CBN guidelines creates a layered compliance environment requiring deliberate attention to both frameworks.
HR and recruitment platforms hold large volumes of candidate data, often without clear retention policies, which in itself violates the NDPA’s data minimisation principle.
Digital marketing agencies and e-commerce businesses collect behavioural and demographic data through analytics, pixels, and third-party enrichment tools. Cookie consent practices in this space are frequently insufficient.
If your business sits in any of these categories, baseline compliance is a starting point, not a destination.
How Compliant Are You Right Now?
Before mapping a path forward, consider this: if a regulator asked you tomorrow to explain how your organisation handles personal data, could you answer clearly and confidently? Work through these questions.
On data collection:
- Do you have a privacy policy that accurately describes what data you collect and why?
- Are you capturing proper consent before adding contacts to a marketing list?
- Do you know what your website collects through analytics or tracking pixels?
On data storage:
- Can you identify every place customer or employee data lives, including spreadsheets, cloud tools, email archives, and WhatsApp?
- Do you know who has access, and is it limited to people who genuinely need it?
- Are there legacy databases or unused systems holding personal data you’ve forgotten about?
On third parties and internal processes:
- Have your key vendors signed a Data Processing Agreement?
- Is there a named person responsible for data protection?
- Do you have a documented process for data subject requests and a basic breach response plan?
If most of your answers are “no” or “I’m not sure,” you have meaningful gaps. That’s common in growing businesses, but it needs deliberate attention.
Explore PlanetWeb’s data protection compliance strategies for Nigerian businesses
The Real Cost of Non-Compliance
The NDPA empowers the NDPC to impose fines of up to 2% of annual gross revenue. Beyond the financial penalty, organisations found in breach face mandatory audits, public enforcement actions, and reputational damage that typically outlasts the fine.
NDPC enforcement also happens through individual complaints, not just formal investigations. A single customer who believes their data has been mishandled can trigger a regulatory inquiry. As consumer awareness of data rights grows, that route is becoming more common.
The other side deserves equal attention: compliance is far more manageable than most businesses assume. The foundational work typically involves a data audit, an updated privacy policy, functional consent mechanisms, DPAs with key vendors, and a named point of contact who assumes responsibility. None of that requires a legal department or a large budget. Complexity scales with the volume, sensitivity, and cross-border nature of your data. The framework is the same for everyone; what it looks like in practice depends on your actual risk profile.
The businesses most exposed are not the ones working toward compliance imperfectly. They’re the ones that haven’t started.
Where to Start
Phase 1: Map your data. Document everything you collect, where it’s stored, who has access, and why you’re holding it. This step routinely surfaces surprises: old data never deleted, tools still storing information after you stopped using them, and access permissions never properly scoped.
Phase 2: Fix the visible basics. Update your privacy policy to reflect what you actually do. Review consent mechanisms on forms, sign-ups, and cookie banners. Confirm your marketing tools have functional unsubscribe options.
Phase 3: Address your vendors. List every third-party tool that touches personal data, check whether each has a DPA, and sign it. If a vendor can’t provide one, assess whether the risk of continuing is justified.
Phase 4: Assign ownership and build processes. Name the person responsible for data protection. Document how you’ll handle data subject requests. Draft a basic breach response checklist. These don’t need to be elaborate. They just need to exist and be known to the right people.
At PlanetWeb, we help Nigerian businesses build data protection practices that are proportionate, practical, and sustainable. From privacy policy reviews to vendor assessments and staff training, we work with organisations at every stage of the compliance journey.
Talk to us about your compliance needs or book a free consultation to discuss where your business stands.