Nigeria Data Regulators: Roles, Challenges & Compliance


Who’s Watching the Watchers? Nigeria’s Data Regulators and What They Expect

Introduction: Privacy, Power, and the Price of Progress

Every day, millions of Nigerians hand over personal information—whether it’s signing up for a loan app, registering a SIM card, or accessing public services. But where does all that data go? Who protects it? And when something goes wrong, who’s held accountable? That’s where Nigeria data regulators come in.

In 2023, reports surfaced that National Identity Numbers (NINs) were being sold online for as little as ₦100. Just two years earlier, a biometric leak allegedly exposed the personal data of over 6 million Nigerians. Victims faced identity theft, leading to unauthorized loans, SIM card registrations, and widespread fraud.

These incidents spotlight a critical question: Who holds the keys to Nigeria’s data vault—and ensures they aren’t stolen?

👉 See also: Nigerian Data Breach Case Studies: Lessons and Strategies for Business Compliance

Let’s break down Nigeria’s data regulators, what they expect from businesses, and why compliance is no longer optional—it’s a competitive edge.

1. Nigeria Data Regulators: Who’s Watching What


NITDA – The Policy Strategist

National Information Technology Development Agency

Once the lead enforcer of data protection through the 2019 Nigeria Data Protection Regulation (NDPR), NITDA now focuses on:

  • Developing national IT policies,

  • Supporting digital innovation,

  • Promoting ethical tech practices.

It aligns with Pillar 1 of Nigeria’s National Digital Economy Policy: fostering innovation-friendly regulation. It no longer enforces data privacy, but it sets the tone for the ecosystem.

NDPC – The Enforcement Powerhouse

Nigeria Data Protection Commission

Formed under the Nigeria Data Protection Act (NDPA) 2023, the NDPC is Nigeria’s primary privacy watchdog. It has the authority to:

  • Conduct compliance audits,

  • Investigate breaches,

  • Issue sanctions and fines (up to 2% of annual gross revenue for major violations),

  • Publish guidance on best practices.

The NDPC mirrors global frameworks like the EU’s GDPR, emphasizing:

  • User consent and transparency,

  • Accountability and documentation,

  • Upholding data subject rights.

This is the regulator most businesses will interact with.

👉 Read: The Nigeria Data Protection Commission: Guardians of Digital Privacy

NIMC – Identity Gatekeeper Under Scrutiny

National Identity Management Commission

Best known for managing the National Identification Number (NIN) system, NIMC plays a critical role in digital identity. But its centralized database has raised alarms.

In 2021, a leak exposed biometric data of millions. Victims faced identity theft, fraudulent loan applications, and deepening mistrust.

NIMC’s integration across banks, telcos, and government services means its security lapses ripple across sectors. Oversight of its data governance remains a hot-button issue.

CBN, NCC, and NHIS – Sector-Specific Enforcers

These agencies enforce data rules within their industries:

  • CBN (Central Bank of Nigeria)
    Regulates financial data. In 2022, it mandated that all customer data must be hosted locally, promoting sovereignty and national security.

  • NCC (Nigerian Communications Commission)
    Oversees telecom providers. In 2023, it fined MTN ₦5.2 billion for SIM registration violations and mishandling subscriber data.

  • NHIS (National Health Insurance Scheme)
    Manages health data oversight. In 2023, it was criticized for sharing patient data with third-party insurers without explicit consent. The draft Digital Health Bill seeks to plug these gaps.

These Nigeria data regulators operate alongside NDPC and NITDA—sometimes causing confusion over who enforces what.

👉 Related: Data Protection Compliance in Nigeria: Strategies for Businesses to Secure Data and Avoid Penalties

2. What They Expect: The Compliance Checklist


Any business handling personal data must understand what Nigeria data regulators expect—especially around transparency, security, and legal accountability.

Transparency and Consent

  • Disclose what data you collect and why.

  • Get freely given, informed, and specific consent.

  • Avoid default opt-ins or vague disclosures.

Data Subject Rights

Enable users to:

  • Access, correct, or delete their data.

  • Withdraw consent or restrict processing.

Data Protection Officer (DPO)

Required for:

  • Large-scale or sensitive data processors (e.g., in finance, health, education).

Even if not mandated, appointing a DPO shows commitment to accountability.

Data Security

  • Encrypt sensitive data.

  • Apply role-based access controls.

  • Establish breach response protocols.

  • Conduct regular risk assessments.

📊 A 2023 NITDA audit found that 60% of companies lacked documented breach response plans.

Timely Breach Reporting

  • Report any data breach to NDPC within 72 hours.

  • Failure to do so increases penalties and reputational fallout.

Data Localization & Vendor Preferences

  • CBN: Financial institutions must store customer data within Nigeria.

  • Other sectors: Strongly encouraged to use local cloud providers and IT vendors to align with national digital sovereignty goals.

Proactive Documentation

Keep updated records of:

  • Consent logs,

  • Employee training,

  • Data flows,

  • Security policies.

Tip: Use NDPC’s Compliance Checklist as a self-audit tool.

3. Why It’s Not Always Easy: Key Compliance Challenges


⚖️ Fragmented Oversight

One business might need to navigate policies from five different regulators. For instance, a fintech may answer to:

  • NDPC (data),

  • CBN (finance),

  • NIMC (identity),

  • NCC (communications),

  • NITDA (platform standards).

PalmPay’s 2022 market expansion was delayed by over six months—costing an estimated ₦1.2 billion in lost opportunities—due to unclear compliance pathways across multiple agencies.

🧠 Public Awareness Is Still Low

Public trust in data protection remains shaky after years of inconsistent enforcement, vague policies, and highly publicized data leaks.

NDPC has launched public education campaigns, but much of the population remains unaware of their rights—or how to report violations.

👉 Explore: Data Subject Rights – Your Digital Shield in Nigeria’s Data Protection Landscape

🔄 Inter-Agency Coordination Is Improving, But Slowly

The Data Protection Bill 2023 aims to:

  • Streamline sector-specific rules,

  • Create uniform enforcement,

  • Centralize oversight through NDPC.

Until fully implemented, regulatory overlap remains a real risk for businesses.

4. Where Nigeria Fits Globally


Nigeria isn’t operating in isolation. It’s aligning with international norms:

📌 Joining would close a critical gap in prosecuting international fraud and digital crime networks.

👉 Comparison of NDPA 2023 and GDPR: How Nigeria Aligns with International Data Protection Standards

5. What Smart Businesses Are Doing Now

To stay ahead of both regulators and public expectations, here’s what top Nigerian companies are already doing:

🔍 Audit Your Data

  • Use NDPC tools to map how data is collected, stored, and shared.

  • Prioritize audits to preempt regulatory scrutiny.

👨🏽‍💼 Appoint a DPO

  • Even if you’re not required to, it shows seriousness and gives regulators a direct point of contact.

🎓 Train Your Team

  • Use gamified tools like PrivacyIQ, a privacy awareness platform, to keep staff engaged and informed.

📁 Document Everything

  • From consent logs to training schedules and breach response drills, having a paper trail is key.

📚 Learn from Others

  • Flutterwave’s 2023 breach response was fast, transparent, and user-focused—earning praise.

  • Farmcrowdy’s 2021 incident lacked communication and clarity—resulting in user backlash and lost trust.

🤝 Engage the Ecosystem

  • Attend summits like TechCabal’s Data Privacy Summit,

  • Subscribe to NDPC’s regulatory updates,

  • Contribute feedback on draft laws and frameworks.

Conclusion: Compliance Is Trust, and Trust Is Power

We often talk about data as the new oil. But raw oil is only valuable when it’s refined—and refining data means handling it ethically, securely, and transparently.

Nigeria data regulators are getting sharper. The penalties are growing. The public is paying attention.

In a data-driven economy, compliance is your competitive edge—build trust, or risk becoming obsolete.

The watchers are being watched.
The question is:
Are you doing enough to be trusted with what you’re watching?
