The Nigeria Data Protection Commission: Powers, Enforcement, and What It Means for Your Business
Nigeria’s data protection landscape changed fundamentally in 2023. The Nigeria Data Protection Act created not just a new law but a dedicated regulatory body with real enforcement authority: the Nigeria Data Protection Commission. For Nigerian businesses, that shift matters. The NDPC is not an advisory body. It can audit your operations, investigate complaints, issue binding orders, and impose fines linked to your annual revenue.
NDPC compliance in Nigeria is now an operational reality for every organisation that collects or processes personal data. This guide covers what the Commission can do and what effective engagement with it looks like.
This article is part of PlanetWeb’s NDPA compliance series. For the broader legal framework, see our NDPA Compliance Guide for Nigerian Businesses. For a practical guide to employee data obligations under the NDPA, see our Employee Data Protection guide.
What the NDPC Is and Where Its Authority Comes From
The Nigeria Data Protection Commission was established under the Nigeria Data Protection Act 2023, which replaced the Nigeria Data Protection Regulation 2019. The NDPR was subsidiary regulation issued by NITDA, a general-purpose IT agency: useful guidance, but without a dedicated data protection regulator behind it. The NDPC changes that entirely. For a full breakdown of what the Act introduced, see our NDPA Key Features guide.
The Commission operates with institutional independence from sector regulators such as the CBN, NITDA, and NCC. That independence matters: the NDPC is not subordinate to any ministry or industry body, it sets Nigeria’s national data protection policy, and it enforces the Act across every sector rather than within a single industry.
Who Must Comply
The NDPC’s jurisdiction is broad by design. Any organisation that collects, stores, uses, transfers, or otherwise processes personal data in Nigeria falls under the Act. There is no minimum size threshold, and the Act’s exemptions are narrow and activity-based (for example, processing by an individual purely for personal or household purposes) rather than sector-based.
This covers Nigerian-registered organisations of every type: private companies, NGOs, government agencies, and sole traders. It also covers foreign organisations that process personal data about Nigerian residents, even if those organisations have no physical presence in the country. If you offer services to people in Nigeria and handle their data, the NDPC has authority over that processing. Businesses navigating both the NDPA and GDPR obligations can find a direct comparison in our NDPA vs GDPR guide.
Registration with the Commission is an obligation for data controllers and processors of major importance, a category the Act and the Commission’s guidance define by the volume of personal data processed and the sensitivity of the categories involved, such as health records, biometrics, or financial data. Organisations below that threshold do not need to register, but they remain subject to all of the Act’s substantive requirements.
The NDPC’s Enforcement Powers
This is what makes the NDPC different from its predecessor. The Commission has a full suite of enforcement tools and has begun using them.
Investigations and Audits
The NDPC can initiate an investigation on its own motion without waiting for a complaint. Sector-wide audits across entire industries are within its authority. Individual audits can be triggered by a breach notification, a data subject complaint, or a referral from another regulator. Once underway, the organisation must cooperate fully. Obstruction or delay does not improve an organisation’s position.
Enforcement Notices
Where an investigation identifies a breach of the Act, the NDPC can issue a binding enforcement notice requiring the organisation to change or stop specific processing activities. Enforcement notices can mandate remediation steps within defined timeframes. Failure to comply with an enforcement notice is itself a breach that can attract further penalties. The NDPC may consider cooperation and documented remediation efforts when determining the proportionality of sanctions.
Administrative Fines
Under the NDPA, the maximum fine is linked to turnover. The ceiling is the greater of a fixed naira amount set in the Act or 2% of the organisation’s annual gross revenue for the preceding financial year, and data controllers and processors of major importance face a higher fixed amount than other organisations. The revenue-linked structure means the financial exposure for a large Nigerian business is not trivial, and the fixed amount means a small organisation with low turnover still faces a meaningful penalty. The NDPC has publicly announced compliance actions involving federal agencies and private companies since becoming operational.
Processing Restrictions
Beyond fines, the NDPC can suspend or prohibit data processing activities pending investigation or remediation. For a business whose operations depend on processing customer data (a fintech, a logistics platform, or an e-commerce business), a processing restriction can be more damaging than a monetary penalty.
Public Naming
Non-compliant organisations can be publicly identified by the NDPC. The reputational consequence sits separately from any financial penalty and carries real commercial weight in Nigeria’s connected business environment.
What Triggers NDPC Attention
Knowing your enforcement risk means knowing what draws the Commission’s attention in the first place.
Data breach notifications. Organisations must self-report notifiable breaches within 72 hours. A failure to report is itself a violation, and a report revealing inadequate security measures tends to attract a wider investigation.
Data subject complaints. Any individual can file a complaint directly with the NDPC. Former employees, customers, and business partners are all potential complainants, and there is no cost to filing.
Sector sweeps. The NDPC has indicated priority attention on fintech, healthcare, financial services, and any sector handling sensitive personal data at scale. Businesses in these sectors should assume periodic scrutiny rather than wait for a specific trigger.
Referrals from other regulators. The CBN, NITDA, and NCC can refer matters to the NDPC where data protection issues arise. Multi-regulator exposure is a real risk for financial services and telecoms operators.
Registration failures. Organisations required to register that have not done so are non-compliant before any substantive issue arises. The NDPC’s register is publicly accessible.
DPCO Registration: What It Is and Whether You Need It
A Data Protection Compliance Organisation is a private body accredited by the NDPC to help organisations meet their compliance obligations. DPCOs are not informal consultants: accreditation by the Commission makes them a formal part of the NDPC’s regulatory architecture.
For many Nigerian organisations, working with a DPCO is the practical route to NDPC registration. A DPCO can conduct compliance audits, file registration documents on an organisation’s behalf, provide a Data Protection Officer as a service, and represent the organisation in dealings with the Commission.
Whether your organisation must register with the NDPC depends on your size, the nature of your processing and the data categories you handle. A DPCO can prepare and file the registration, but the obligation itself remains the organisation’s own. Organisations with significant sensitive data processing, including healthcare providers, fintechs, and HR-intensive businesses, should be engaging with a DPCO if they are not already.
DPCOs vary in quality and cost. The NDPC publishes the list of accredited DPCOs on its official website; confirm a candidate is on it before appointing one, and then do further due diligence on its track record. An accredited DPCO without practical experience adds cost without reducing risk.
The 72-Hour Breach Notification Obligation
The NDPA requires organisations to notify the NDPC within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to the rights and freedoms of data subjects. This is one of the most operationally demanding requirements in the Act, and among the most commonly misunderstood.
The 72-hour clock starts when the organisation becomes aware of the breach, not when it has completed its investigation. Organisations that wait for a full internal review before filing are already late when they file. The workable approach is to notify within the window with what is known at that point and supplement the notification as the investigation progresses.
A breach notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
Where a breach is likely to result in high risk to the affected individuals, such as identity theft, financial loss, or safety risk, those individuals must also be notified directly and without undue delay.
Missing the 72-hour window does not prevent you from notifying. Late notification with a clear explanation of the reasons for the delay is better than no notification. But the window itself is a hard legal requirement, and a pattern of late notifications signals inadequate breach response infrastructure.
The practical implication is clear: you need a documented breach-response procedure in place before a breach occurs. Who assesses the incident, who makes the notification decision, what evidence is preserved, and where the NDPC portal is cannot be improvised at 3am while a security event is unfolding.
How to Engage with the NDPC Proactively
Enforcement is not the only dynamic here. Organisations that engage proactively with their NDPC obligations consistently achieve better outcomes: reduced enforcement risk, and more proportionate treatment when issues do arise.
Appoint a Data Protection Officer
A DPO is mandatory for organisations processing large-scale personal data or handling sensitive personal data categories. Even where it is not strictly required, appointing a DPO creates a clear internal accountability point and a designated contact for the NDPC.
The role can be filled internally or outsourced to a DPCO. What matters is genuine authority to advise and direct access to senior management.
Maintain a Record of Processing Activities
The NDPC expects organisations to be able to produce a ROPA on demand. A ROPA is a documented inventory of every processing activity: what data is collected, why, on what lawful basis, where it is stored, who has access, and how long it is kept. Beyond the compliance requirement, a well-maintained ROPA reveals gaps in lawful basis, retention weaknesses, and which activities carry the highest risk. Our Data Protection Compliance Strategies guide covers how to build a ROPA that reflects your actual processing and holds up under scrutiny.
Conduct Data Protection Impact Assessments
A DPIA is required before initiating processing activities that are likely to result in high risk to individuals, including new technology deployments, large-scale profiling, systematic monitoring, or processing of sensitive personal data categories. It is a documented assessment of the risk the processing creates and the measures taken to mitigate it.
DPIAs are not bureaucratic exercises. An organisation that can demonstrate it identified and addressed risks before deployment is in a fundamentally different position under investigation than one that has no documented assessment.
Respond to Investigations Cooperatively
When the NDPC initiates contact, whether through a routine audit, a breach investigation, or a complaint, the organisation’s response shapes the outcome. Organisations that cooperate fully, produce records promptly, and demonstrate genuine remediation steps consistently receive more proportionate outcomes than those that resist, delay, or provide incomplete responses.
This does not mean accepting findings you disagree with. It means engaging professionally, meeting deadlines, and treating the Commission as a regulator doing its job.
Common Compliance Gaps the NDPC Looks For
Most enforcement action does not stem from deliberate misuse of data. It comes from compliance gaps that organisations never closed because they never built the infrastructure the law requires.
No formal registration or DPCO engagement, despite processing personal data at a scale that triggers the obligation. The NDPC’s register makes this gap visible.
No ROPA, or a ROPA that was created once for a compliance exercise and has not been updated to reflect current processing. A ROPA that bears no resemblance to the organisation’s activities is worse than no ROPA at all. It raises questions about what else is not being managed properly.
No privacy notice on the organisation’s website or customer-facing systems. A privacy notice is a baseline legal requirement, not an optional transparency gesture. Its absence is visible to any regulator who visits the site.
No documented breach response procedure. Organisations that discover a breach and have no process for assessing, containing, and notifying it will miss the 72-hour window almost by default.
Consent used as a blanket lawful basis for all data processing, including processing where consent is not appropriate. Our Data Subject Rights guide covers what happens when an organisation’s lawful basis fails to hold up, and the enforcement consequences that follow.
Conclusion
The NDPC is the institutional expression of a decision Nigeria has made: that a digital economy requires a data protection framework with real teeth. For businesses, that means operating in an environment where the rules are enforceable and the regulator has the tools to apply them.
That is not a bad thing for well-run organisations. A clear regulatory framework creates predictability. Businesses that invest in genuine NDPC compliance are not just reducing their enforcement risk. They are building operational discipline that holds up under scrutiny from clients, investors, and regulators.
NDPC compliance in Nigeria requires ongoing commitment, not a one-time exercise. Organisations that treat it that way will find the Commission manageable. Those that don’t will eventually find out why it matters. The NDPC enforces documented accountability, not verbal assurances.
If your business needs help building a compliance framework that satisfies the NDPC’s requirements, from ROPA development to DPIA processes to breach response planning, get in touch with PlanetWeb. We work with Nigerian businesses across sectors to build data protection infrastructure that is practical, proportionate, and defensible.