Responding to Data Breaches in Nigeria Under the NDPA
Every Nigerian organisation that processes personal data will face a security incident at some point. A misconfigured cloud system, a compromised vendor, an employee clicking a phishing link and similar incidents are not exceptional events. They are routine features of operating with digital data.
What the NDPA 2023 adds is a formal framework of obligations: timelines, notification requirements, documentation standards, and regulatory oversight. The question is no longer whether you have a breach response plan. It is whether your plan holds up when the NDPC looks at it.
This guide covers what a personal data breach is under Nigerian law, what triggers notification obligations, what the NDPC expects from a response, and what preparation looks like in practice. It is the practical companion to our Data Protection Compliance Strategies guide: that article covers building a compliance program; this one covers what happens when something goes wrong inside it.
This article is part of PlanetWeb’s NDPA compliance series. For the foundational framework, see our NDPA Compliance Guide for Nigerian Businesses and Key Features of the NDPA 2023. For the regulator structure, see our Nigeria Data Regulators Guide.
What Counts as a Data Breach Under the NDPA
Security Incident vs. Notifiable Breach
A security incident is any event that affects the confidentiality, integrity, or availability of personal data. A failed phishing attempt, a misdirected email, and a lost unencrypted laptop are all security incidents. Most will not require NDPC notification.
A notifiable breach is a subset: one that is reasonably likely to result in harm to the individuals whose data is affected. The NDPA is concerned with harm to data subjects, not just with unauthorised access. Not every incident crosses that threshold, and treating them all as if they do diverts resources from genuine response.
What the NDPA Covers
The NDPA defines a personal data breach as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. That covers ransomware attacks, salary spreadsheets emailed to the wrong person, misconfigured cloud storage buckets, and vendor systems compromised while holding your customer data.
Sensitive personal data, including health records, financial data, biometric identifiers, and data about minors, carries a lower harm threshold than general personal data. A breach affecting fifty medical records may require notification, whereas a breach affecting fifty names and email addresses may not.
What Triggers the 72-Hour Notification Requirement
Two separate notification obligations exist under the NDPA, and they operate independently.
Notifying the NDPC
The NDPA requires notification to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of a breach that is likely to result in a high risk to the rights and freedoms of data subjects. The operative phrase is “becoming aware”: the clock starts when someone with decision-making responsibility knows a breach has occurred, not when it is fully understood.
Organisations often delay notification while waiting for a complete forensic picture. That is legally precarious. If a breach is discovered Monday morning and the investigation is still running Thursday, the window has closed. The NDPA anticipates this: an initial notification is acceptable when the full scope is not yet known, and organisations can provide supplementary information in phases.
The 72-hour window runs continuously, including weekends and public holidays. A breach discovered Friday afternoon cannot wait until Monday.
Factors the NDPC considers in assessing high risk: the volume of records affected, the sensitivity of the data, whether the data was encrypted, the probable intent behind the breach, whether harm has already materialised, such as fraudulent transactions, and the vulnerability of the affected individuals.
When NDPC Notification Is Not Required
Not every breach requires NDPC notification, and documenting the reasoning for not notifying is as important as the notification itself. An NDPC auditor will expect to see a documented assessment for every incident, including those that did not meet the threshold.
Notification may not be required if the data was encrypted and the key remains secure, if the breach is contained before any data is accessed, or if the incident involves only internal operational data with no third-party personal data. The standard is not whether a breach occurred in a technical sense, but whether it poses a real risk of harm to identifiable individuals.
Notifying Affected Individuals
Individual notification is a separate and higher obligation. It is required when the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned: harm, financial loss, identity theft, or significant disruption to their lives must be genuinely probable.
Not every NDPC-notifiable breach requires individual notification. When it is required, it must be direct and in plain language. A general notice on your website does not satisfy the obligation. The notification must tell individuals what happened, what data was affected, what the organisation has done in response, what steps they should take, and provide a direct contact point for follow-up.
The Breach Register: The Obligation Most Organisations Miss
The NDPA requires every organisation to maintain an internal record of all personal data breaches, regardless of whether they triggered NDPC notification. This is one of the most consistently overlooked obligations in Nigerian compliance programs.
The register should document when the breach was discovered, the nature of the breach and data involved, the number of individuals affected, the likely cause, the harm risk assessment, actions taken, whether NDPC notification was made and when, and the outcome.
An organisation that has never notified the NDPC but has no register at all is in a weaker position than one that can demonstrate years of documented incident assessments, even where none met the notification threshold. The absence of a register signals that the compliance program is not functioning, regardless of breach history.
The register starts now. Not when the next incident occurs.
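As an added illustration (not code from the PlanetWeb article), the following Python sketch turns the two preceding sections into something a compliance lead could actually run: a breach register entry with the fields listed above, the 72-hour NDPC deadline computed continuously from the time of awareness (so a Friday 16:00 discovery falls due Monday 16:00, not "next business day"), and a triage routine that records a written reason for every incident, including those that fall below the threshold. The field names, the `VOLUME_THRESHOLD` figure and the order of the triage rules are assumptions modelled on the factors the article lists (encryption with a secure key, containment before access, internal-only data, materialised harm, sensitive data categories, volume); they are not NDPC guidance, and the sample breach is constructed.

```python
"""Breach register entry with NDPC 72-hour deadline and notification triage.

Added example, not from the PlanetWeb article. Field names, VOLUME_THRESHOLD
and the triage rule order are assumptions modelled on the article's factors.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NDPC_WINDOW = timedelta(hours=72)       # continuous: weekends and holidays count
LAGOS = timezone(timedelta(hours=1))    # WAT; Nigeria has no daylight saving
SENSITIVE = {"health", "financial", "biometric", "minors"}  # lower harm threshold
VOLUME_THRESHOLD = 1000                 # assumed organisational trigger, not an NDPA figure


@dataclass
class BreachRecord:
    """One breach register entry; fields follow the article's register list."""
    discovered_at: datetime             # when a decision-maker became aware
    nature: str
    data_categories: list               # e.g. ["names", "email"] or ["health"]
    individuals_affected: int
    likely_cause: str
    encrypted_key_secure: bool = False  # data encrypted and the key still secure
    contained_before_access: bool = False
    internal_operational_only: bool = False
    harm_materialised: bool = False     # e.g. fraudulent transactions observed
    actions_taken: list = field(default_factory=list)
    ndpc_notified_at: Optional[datetime] = None
    outcome: str = ""


def ndpc_deadline(record):
    """72 hours from awareness, regardless of weekday or public holiday."""
    return record.discovered_at + NDPC_WINDOW


def hours_remaining(record, now):
    """Hours left in the window; negative once it has closed."""
    return (ndpc_deadline(record) - now).total_seconds() / 3600


def assess_ndpc_notification(record):
    """Return (notify?, documented reason). Every incident gets a reason,
    including those that fall below the threshold, so the register is complete."""
    if record.encrypted_key_secure:
        return False, "data encrypted and key remains secure"
    if record.contained_before_access:
        return False, "contained before any personal data was accessed"
    if record.internal_operational_only:
        return False, "internal operational data only; no third-party personal data"
    if record.harm_materialised:
        return True, "harm has already materialised"
    if SENSITIVE & set(record.data_categories):
        return True, "sensitive personal data involved (lower harm threshold)"
    if record.individuals_affected >= VOLUME_THRESHOLD:
        return True, f"volume at or above assumed threshold of {VOLUME_THRESHOLD}"
    return False, "general personal data below assumed volume threshold; keep under review"


def register_entry(record, now):
    """Produce the row that goes into the breach register."""
    notify, reason = assess_ndpc_notification(record)
    deadline = ndpc_deadline(record)
    return {
        "discovered_at": record.discovered_at.isoformat(),
        "nature": record.nature,
        "individuals_affected": record.individuals_affected,
        "likely_cause": record.likely_cause,
        "ndpc_notification_required": notify,
        "assessment_reason": reason,
        "ndpc_deadline": deadline.isoformat(),
        "deadline_missed": notify and record.ndpc_notified_at is None and now > deadline,
        "actions_taken": record.actions_taken,
        "ndpc_notified_at": record.ndpc_notified_at.isoformat() if record.ndpc_notified_at else None,
        "outcome": record.outcome,
    }


# Constructed sample: discovered Friday 1 March 2024 at 16:00 Lagos time.
FRIDAY_BREACH = BreachRecord(
    discovered_at=datetime(2024, 3, 1, 16, 0, tzinfo=LAGOS),
    nature="misconfigured storage bucket exposed patient records",
    data_categories=["names", "health"],
    individuals_affected=50,
    likely_cause="public-read permissions on a cloud bucket",
    actions_taken=["bucket made private", "access logs preserved"],
)

if __name__ == "__main__":
    monday_morning = datetime(2024, 3, 4, 9, 0, tzinfo=LAGOS)
    print(register_entry(FRIDAY_BREACH, monday_morning))
```

Run as a script it prints the register row for the constructed Friday breach: fifty health records trip the sensitive-data rule, and the deadline lands on Monday at 16:00 with seven hours left on Monday morning. The point of keeping `assess_ndpc_notification` as a function that always returns a reason is the one the article makes: the register must show a documented assessment for every incident, not only for the ones that were notified.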
Before a Breach Happens: What Preparation Requires
Your Incident Response Plan
An IRP needs to be specific enough to use under pressure. A document that lists “notify relevant stakeholders” as a step is not a plan.
The IRP should identify named individuals, not just job titles, for each response role. Pre-approved NDPC notification templates that can be completed rather than written from scratch under pressure are essential. It should set out escalation authority: who authorises NDPC notification, who briefs the board, who engages legal counsel, and who speaks externally. It should include pre-vetted contacts for forensic firms and legal advisors, and a decision log template so every judgment call during a response is recorded as it is made.
Who Needs to Be in the Room from the Start
Legal counsel should be engaged the moment a potential breach is identified. Engaging forensic investigators through legal counsel protects investigation findings from disclosure under privilege, which matters if the breach leads to litigation or a regulatory investigation.
The DPO or compliance lead should be the primary interface with the NDPC, not IT or communications. Designate a single spokesperson for external communication before a breach occurs. Conflicting statements from different parts of the organisation during an active incident are common and damaging.
Test It
Run a tabletop exercise at least once a year. One scenario worth running specifically: a vendor breach where your customer data is affected, but no data processing agreement was in place. That is the scenario most likely to generate compounded liability, and the one most Nigerian businesses are least prepared for. The NIST Computer Security Incident Handling Guide (SP 800-61) provides a widely referenced framework for structuring incident response exercises.
Staff communication protocols are also part of preparation, not just incident response. Employees who fill information gaps with speculation during an active breach, whether to clients, contacts, or on social media, can undermine both the legal position and the regulatory relationship. Staff should know before an incident occurs that there is a designated spokesperson, that the incident is being handled, and that external communication is not their call to make.
The First 72 Hours
Contain Without Destroying Evidence
Isolate affected systems, disable compromised accounts, change credentials, and block suspicious access. Do not wipe or reimage systems before forensic investigators have cleared them. Preserve logs and enable write-blocking where possible. Evidence destroyed during containment can make it impossible to establish what happened, and it reflects poorly on the organisation in the eyes of regulators.
Assess Scope: Accept That Early Estimates Are Usually Wrong
Initial assessments consistently undercount affected records and individuals. A seemingly contained incident often expands when log analysis reveals lateral movement. Formally review scope estimates before finalising any external communication.
Start the Notification Workstream Immediately
If there is any reasonable possibility that the breach meets the high-risk threshold, begin preparing the NDPC notification before the forensic assessment is complete. Submit an initial notification acknowledging the breach and providing what is known, with a commitment to follow up as the investigation progresses. Waiting for certainty is the most common reason organisations miss the 72-hour window.
Vendor Breach Scenarios
When a vendor is breached, and your customer data is affected, the obligations fall on you. You are the data controller. The NDPA does not transfer accountability to the vendor. The NDPC will ask whether a data processing agreement was in place. Its absence does not reduce your notification obligations. It compounds your liability.
Notifying the NDPC and Other Regulators
What the NDPC Notification Must Contain
A complete notification should cover the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. If full information is not available within 72 hours, include what is known and provide a realistic timeline for supplementary details. The NDPC provides guidance on its notification requirements at ndpc.gov.ng.
Managing Simultaneous Notifications in Regulated Sectors
For regulated organisations, notification obligations stack. A fintech may need to notify both the NDPC and the CBN, with different information requirements and potentially different timelines. Healthcare organisations may have additional NDPC sector-specific obligations. Prepare notifications for each regulator separately, document the timing of each independently, and do not assume notifying one satisfies obligations to another. Criminal breaches should also be reported to the Economic and Financial Crimes Commission (EFCC).
What Happens After You Notify
The NDPC may close the matter, request further information, or open an investigation. An organisation that notifies promptly, demonstrates a credible response, and can show a functioning compliance program prior to the breach is in a materially better position than one that notifies late and cannot produce a breach register. Documented good faith is a legitimate mitigating factor.
In due diligence contexts, breach history is increasingly reviewed. Investors and acquirers now ask for breach registers, NDPC correspondence, and remediation documentation. An organisation that handled incidents transparently and improved its controls is viewed very differently from one that concealed or failed to document them.
Notifying Affected Individuals
When the individual notification threshold is met, the communication must be direct, plain, and actionable: what happened, what data was involved, what the organisation has done, what the individual should do, and who to contact. Corporate language that obscures accountability satisfies neither the legal obligation nor the individuals reading it.
When financial data is involved, consider offering practical remedies such as account monitoring guidance, a dedicated contact line, or fraud protection assistance.
Cyber Insurance: What It Covers and What Voids a Claim
A well-structured cyber liability policy typically covers forensic investigation costs, legal fees from regulatory investigations or third-party claims, individual notification costs, and business interruption losses during recovery. According to the IBM Cost of a Data Breach Report, organisations with an incident response plan and team in place consistently incur lower breach costs than those without one — a finding that reinforces the case for preparation over reaction.
Several factors can void or reduce a claim: delayed notification to the insurer, no documented IRP at the time of the breach, failure to patch known vulnerabilities cited in the policy application, and missing DPAs with vendors handling insured data.
The compliance work that protects against NDPC liability, including a documented IRP, vendor DPAs, a breach register, and staff training records, also makes an insurance claim defensible. Policy wording varies, and organisations should review notification and cooperation clauses carefully before an incident occurs. Notify your cyber insurer as soon as a breach is confirmed, or as soon as one is suspected where the policy’s notification requirements are broad. Do not wait until the response is complete.
After the Breach: Learning and Remediation
A formal post-incident review should produce a root cause analysis, an updated IRP, a revised training plan for any staff failures identified, and a board briefing for material incidents. The NDPC may request evidence of remediation following a notified breach. An organisation that can demonstrate documented improvements is in a stronger position for any follow-up regulatory engagement than one that closed the incident without review.
Next Steps
The breach register starts today. The IRP is reviewed and tested before it is needed. Vendor DPAs are in place before a third-party incident makes their absence a problem.
Breach response under the NDPA is an extension of the compliance program you are building, not a separate exercise. If your business needs help building or testing a breach response function, get in touch with PlanetWeb.
For the broader compliance context, see our Data Protection Compliance Strategies guide, our Data Subject Rights article, and our Key Features of the NDPA 2023.