Nigeria Data Regulators: What Businesses Must Know About NDPC & Sector Rules


Nigeria Data Regulators: Who They Are, What They Expect, and How to Stay Compliant

Most Nigerian businesses know they should be data compliant. Far fewer understand who is actually watching them, what those regulators have the power to do, and what happens when they come looking.

In 2024, the NDPC fined Fidelity Bank ₦555.8 million for data privacy violations, including insufficient encryption and inadequate breach notification procedures. In 2025, Multichoice Nigeria was fined ₦766.2 million for data privacy violations and illegal cross-border data transfers. These are not isolated incidents. They are enforcement signals, and they are directed at every business that processes personal data in Nigeria.

The challenge is that Nigeria’s data protection landscape is not a single regulator with a single rulebook. It is a layered system of national and sector-specific authorities, each with their own mandate, enforcement tools, and expectations. For a fintech, a hospital, or a telecoms company, that means navigating obligations that sometimes point in different directions.

This guide breaks down who Nigeria’s data regulators are, what they expect from the businesses operating under their watch, and what compliance actually looks like in practice, including what happens when the NDPC comes to audit you.

This article is part of PlanetWeb’s NDPA compliance series. For the broader legal framework, see our NDPA Compliance Guide for Nigerian Businesses and our breakdown of NDPA Key Features. If your business deals with international clients or partners and you are navigating both the NDPA and GDPR, see our NDPA vs GDPR comparison.

Meet Nigeria’s Data Regulators

The NDPC: The Primary Enforcement Authority

The Nigeria Data Protection Commission (NDPC) is the central authority for data protection in Nigeria, established under the Nigeria Data Protection Act 2023. If you process personal data in Nigeria or process the personal data of Nigerians anywhere in the world, the NDPC has jurisdiction over you.

Its powers are broad. The NDPC can conduct compliance audits, investigate data breaches, issue enforcement notices, and impose fines. Under Section 48 of the NDPA, the penalty structure is tiered: Data Controllers and Processors of Major Importance face fines of up to ₦10 million or 2% of annual gross revenue, whichever is higher. All other organisations face fines of up to ₦2 million or 2% of annual gross revenue, whichever is higher. The NDPC can also require mandatory deletion of unlawfully processed data and impose orders to change data handling practices.

The NDPC drew its framework heavily from the EU’s General Data Protection Regulation, which means businesses with experience in GDPR compliance will recognise the underlying logic. That said, the NDPA has its own provisions, enforcement priorities, and local context that require separate attention.

The bottom line: If you process personal data in Nigeria, the NDPC has jurisdiction over you. Enforcement is active, and penalties are real.

You can access the official NDPA text and compliance resources at ndpc.gov.ng.

NITDA: Policy Architect, Not Enforcer

The National Information Technology Development Agency (NITDA) was the primary enforcement body under the Nigeria Data Protection Regulation 2019, before the NDPA came into effect. Today, its direct enforcement role has shifted. The NDPC now holds that mandate.

NITDA shapes Nigeria’s digital policy environment, setting national IT standards, promoting digital infrastructure, and guiding technology adoption across sectors. The older NDPR framework still influences how many businesses structure their legacy compliance programs. But if you are asking who investigates a breach or imposes a fine under the NDPA, that is the NDPC.

Understanding this distinction matters because some businesses are still operating as though NITDA is their primary data protection regulator. That is no longer accurate.

NIMC: Biometric Data and Cross-System Risk

The National Identity Management Commission (NIMC) manages Nigeria’s National Identity Number system and the biometric data tied to it. That sounds like a government-only concern until you consider how deeply NIN data is embedded in everyday Nigerian business.

Banks require NIN for account opening. Telecom companies require it for SIM registration. Government agencies use it across services. This cross-system integration creates a particular kind of risk: when NIMC’s data is exposed, the damage ripples through every institution that shares or references it. Any organisation that stores, processes, or relies on NIN data should treat that dependency as a compliance and security consideration in its own right.

More information is available at nimc.gov.ng.

Sector Regulators: CBN, NCC, and the Health Sector

Several industry regulators carry data-related enforcement powers that run alongside the NDPC’s mandate.

The Central Bank of Nigeria (CBN) requires that financial data be stored within Nigeria’s borders. This is not a guideline. It is a condition of operating in the financial sector, and violating it can trigger sanctions beyond NDPC fines, including operational restrictions on the business itself.

The Nigerian Communications Commission (NCC) demonstrated its enforcement weight when it fined MTN Nigeria ₦5.2 billion for SIM registration irregularities, one of the largest regulatory fines in Nigerian tech history.

In the health sector, the National Health Insurance Scheme (NHIS) faced public criticism for sharing patient data with third-party insurers without clear consent. The draft Digital Health Bill is intended to address the gap between national data protection standards and health-specific obligations, but it has not yet been enacted. Healthcare businesses should not wait for it to arrive before tightening their consent frameworks.

The Regulatory Overlap Problem: What to Do About It

A Sector-by-Sector Guide to Who Leads

One of the less-discussed challenges in Nigerian data compliance is that businesses in regulated sectors often report to multiple authorities simultaneously, and those authorities do not always agree on what compliance looks like.

A fintech processing loan applications may have obligations to the NDPC under the NDPA, to the CBN under financial services regulations, and to NIMC if it processes NIN data for identity verification. These obligations do not cancel each other out. They stack.

The working principle is that the NDPC governs data protection across all sectors as a baseline. Sectoral regulators impose additional requirements on top for their specific industries. Where the two conflict, sectoral rules generally take precedence within their domain. CBN’s data localisation requirement is the clearest example: the NDPA permits cross-border data transfers under certain conditions, but CBN’s rules override that permission for financial data.

For financial services, comply with the NDPC as your floor, then apply CBN’s additional obligations on top. Where the two conflict, CBN wins on financial data questions. For telecoms, both the NCC and NDPC apply. For healthcare, the NDPC is currently the primary framework, with sector-specific rules incoming. For general commerce, the NDPC is your primary authority.

This is not legal advice. It is a practical starting point for understanding where to direct your compliance resources when you are navigating more than one set of rules.

What Nigeria’s Data Regulators Expect from Your Business

Lawful Basis, Consent, and Transparency

The NDPA requires that every instance of personal data processing have a lawful basis. Consent is one such basis, but not the only one. Legitimate interests, legal obligations, and contractual necessity can also apply depending on context.

Where consent is the basis, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not satisfy this.

A privacy notice should accurately reflect what data you collect, why, how long you keep it, and who you share it with. Many Nigerian businesses still treat this as a legal formality copied from another company’s website. If your practices have changed since you last updated your notice, that is a compliance gap.

Appointing a Data Protection Officer

Businesses that process large volumes of sensitive personal data, or that conduct systematic monitoring of individuals, are required to appoint a Data Protection Officer. For businesses below that threshold, appointing a DPO signals genuine intent to comply.

A DPO is not a ceremonial title. The role carries real responsibilities: advising on data protection obligations, monitoring internal compliance, acting as a point of contact with the NDPC, and managing data subject requests.

There is also a DPCO pathway. A Data Protection Compliance Organisation is a licensed third-party firm that helps businesses meet their NDPA obligations, a practical option for smaller businesses without the resources to maintain in-house expertise. The NDPC maintains a register of licensed DPCOs at ndpc.gov.ng.

Security, Breach Response, and the 72-Hour Rule

The NDPA requires appropriate technical and organisational measures to protect personal data: encrypting sensitive data, controlling access, and documenting how you would respond to a breach.

The 72-hour notification obligation is frequently misunderstood. The clock starts when the business becomes aware that a breach poses a high risk to data subjects’ rights, not when the breach occurred. Any business without a documented breach response procedure is not meeting this obligation, regardless of whether it has experienced a breach.

Data Localisation and Cloud-Hosted Data

CBN requires that financial data be hosted on servers located within Nigeria. This is a hard requirement, not a preference.

Most Nigerian businesses now run operations on cloud platforms such as Microsoft 365, Google Workspace, and Zoho. The data held in these platforms does not automatically sit in Nigeria. Many businesses assume their cloud provider handles localisation compliance by default. That assumption can be expensive.

Where a provider has Nigerian data centre options, businesses need to confirm that those options are properly configured for their accounts. The NDPA permits cross-border transfers where adequate safeguards are in place, but for financial data, CBN’s requirement takes precedence. If you are uncertain where your cloud data is physically held, that uncertainty is itself a compliance risk.

Record-Keeping and Audit Readiness

Regulators want evidence that compliance is real, not theoretical. That means maintaining records of consent logs, data processing activities, staff training, data mapping, and breach response tests.

A business that cannot produce these records has very limited ability to demonstrate good faith during an investigation, even if its actual practices are reasonable. Documentation is the mechanism by which you prove to a regulator that you are doing what you say you are doing.

What Happens When the NDPC Audits You

Audits are most commonly triggered by individual complaints filed via the NDPC’s portal, proactive sector-wide audits, or media reports of data incidents.

When a business receives an audit notice, the most important thing it can do is respond promptly and cooperate. Non-response is treated as non-cooperation and usually escalates the situation. The NDPC will typically request your privacy policy, consent management records, evidence of DPO or DPCO engagement, your breach response plan, and records of any incidents. Having these documents accessible before a notice arrives is far better than assembling them under pressure.

Beyond financial penalties, the NDPC can impose mandatory data-deletion orders, require changes to data-handling practices, and publicly disclose enforcement findings. For businesses in regulated sectors, an NDPC enforcement finding can also affect their licensing relationships with sector regulators. The reputational cost of a public enforcement action frequently exceeds the monetary penalty.

Being prepared before a notice arrives is the difference between a manageable process and a crisis.

Third-Party Vendors and Your Compliance Exposure

One of the least appreciated sources of data protection risk for Nigerian businesses is not internal. It comes from the vendors, platforms, and service providers that handle personal data on their behalf.

Under the NDPA, a data controller remains responsible for ensuring that any processor it engages handles personal data in accordance with the law. If your CRM provider, payroll software, or cloud storage vendor suffers a breach involving your customers’ data, the obligation to notify the NDPC sits with you, not the vendor.

The mechanism for managing this risk is a Data Processing Agreement, a contract that sets out the processor’s obligations: what they can do with the data, how they must protect it, and what they must do in the event of a breach.

If you cannot explain which vendors process your customers’ data, you do not have visibility into your own compliance exposure. Reviewing your vendor contracts against your data map will quickly reveal where your exposure sits.

Where Nigeria Sits Globally

The NDPA’s alignment with GDPR is deliberate. It draws on the same foundational principles: lawful basis, purpose limitation, data minimisation, security, and accountability. Businesses that have navigated GDPR for international clients will find the structure recognisable, and properly documented NDPA compliance is a credible answer when international partners ask for proof of data governance standards.

Nigeria has signed the Malabo Convention, the African Union’s framework for cybersecurity and personal data protection. It has not ratified the Budapest Convention on Cybercrime, which limits Nigeria’s ability to participate in formal cross-border cybercrime investigations. This is a relevant gap for businesses that experience breaches involving actors operating across multiple jurisdictions.

Building a Dual-Compliance Strategy

For businesses in regulated sectors, the challenge is not meeting one set of compliance requirements. It is meeting two or more simultaneously, where the requirements sometimes conflict.

The most practical approach is a single compliance calendar mapped against all applicable obligations, with your relevant regulators listed, their requirements noted, and clear ownership assigned for each. Where obligations overlap, document it. Where they conflict, document the hierarchy.

This is not a one-time exercise. The NDPA is new, and guidance continues to develop. Sector-specific rules are evolving, particularly in healthcare and fintech. A compliance strategy that was correct twelve months ago may have gaps today.

If your business operates across multiple regulatory frameworks and you are unsure how NDPC and sectoral obligations intersect, that is not a risk to leave unaddressed. PlanetWeb works with Nigerian businesses to build frameworks that stand up to scrutiny. Get in touch to discuss where your business stands.

The Trust Argument

Regulatory compliance and customer trust are not separate conversations. They are the same one.

The businesses building genuine data governance frameworks are not doing it only to avoid fines. They are doing it because the Nigerian market is maturing, customers are becoming more aware of their rights, and the organisations that handle data responsibly are building a reputational advantage that competitors will not quickly replicate.

The question for any Nigerian business that processes personal data is not just whether it has ticked the compliance boxes. It is whether the people whose data it holds can trust it to do the right thing with that data.

Frequently Asked Questions

What is the difference between the NDPC and NITDA?

The NDPC is Nigeria’s primary data protection authority under the NDPA 2023 and holds the enforcement mandate. NITDA shapes broader digital policy but no longer leads data protection enforcement.

Which regulator do I report a data breach to?

High-risk breaches must be reported to the NDPC within 72 hours. Businesses in regulated sectors may also need to notify their sector regulator, for example CBN for financial institutions.

Does my business need a Data Protection Officer?

Businesses processing large volumes of sensitive personal data or conducting systematic monitoring are required to appoint a DPO. Smaller businesses are encouraged to do so, or can alternatively engage a licensed DPCO.

What is a Data Protection Compliance Organisation (DPCO)?

A DPCO is a firm licensed by the NDPC to help businesses meet their data protection obligations, and can serve as an alternative to an internal DPO. The NDPC maintains a register of licensed DPCOs on its website.

Does using Microsoft 365 or Google Workspace comply with Nigeria’s data localisation rules?

For general businesses, cloud platforms are permissible under the NDPA with appropriate safeguards. For financial services businesses, CBN requires financial data to be hosted within Nigeria, so confirm whether your provider’s Nigerian data residency options are properly configured for your account.

What happens if my third-party vendor causes a data breach?

As the data controller, your business retains the obligation to notify the NDPC regardless of whether a vendor caused the breach, which is why Data Processing Agreements with vendors are essential.

What triggers an NDPC audit?

Audits are triggered by individual complaints via the NDPC portal, proactive sector-wide audits, or media reports of data incidents.

What is the maximum fine the NDPC can impose?

Under Section 48 of the NDPA, Data Controllers and Processors of Major Importance face fines of up to ₦10 million or 2% of annual gross revenue, whichever is higher. All other organisations face fines of up to ₦2 million or 2% of annual gross revenue, whichever is higher.