Nigeria Data Privacy Laws: NDPA Compliance Guide (2026)

What Is the Nigeria Data Protection Act (NDPA)?
The Nigeria Data Protection Act (NDPA) is the federal law that governs how personal data is collected, stored, processed, and shared in Nigeria. President Bola Tinubu signed it into law on June 12, 2023. It superseded the Nigeria Data Protection Regulation (NDPR) of 2019 as the primary framework; the NDPR, issued by the National Information Technology Development Agency (NITDA), had served as an interim instrument and continued to apply as subsidiary rules until the 2025 implementation directive retired it.

The NDPA applies to every organization, whether public or private, that processes personal data of individuals located in Nigeria. This includes foreign companies that target Nigerian data subjects or offer goods and services to people in Nigeria, even if those companies have no physical presence in the country.
The Act established the Nigeria Data Protection Commission (NDPC) as the independent regulatory body responsible for enforcement, guidance, and oversight. The NDPC replaced the earlier Nigeria Data Protection Bureau (NDPB), which had been created by executive order in February 2022 as a transitional body.
History of Data Protection in Nigeria: From NDPR to NDPA
Nigeria's formal data protection framework began on January 25, 2019, when NITDA issued the Nigeria Data Protection Regulation (NDPR) under its authority in the NITDA Act 2007. The NDPR was a secondary regulation, not a law passed by the National Assembly, which limited its enforcement power.
NITDA followed the NDPR with an Implementation Framework in July 2019 that set out the operating details for Data Protection Compliance Organizations (DPCOs), annual audit filings, and breach notification obligations. These structures laid the groundwork for the more comprehensive legislation that followed.
In February 2022, President Muhammadu Buhari established the Nigeria Data Protection Bureau (NDPB) to take over data protection governance from NITDA and begin drafting primary legislation. The NDPB operated as a transitional body until the NDPA was enacted.
The NDPA, signed on June 12, 2023, elevated data protection from a regulation to a full Act of the National Assembly. On March 20, 2025, the NDPC issued the General Application and Implementation Directive (GAID) 2025, a 52-article directive with 10 schedules that provides detailed implementation guidance. The GAID became effective on September 19, 2025, and formally retired the NDPR 2019 as a legal instrument.
Who Must Comply With the NDPA?
The NDPA applies broadly. Any entity, whether a Nigerian business, a government agency, or a foreign corporation, must comply if it processes the personal data of individuals in Nigeria.
The law uses the standard controller-processor distinction. A data controller determines the purposes and means of processing personal data. A data processor processes data on behalf of the controller. Both carry compliance obligations.
Data Controllers and Processors of Major Importance
The NDPA and the GAID 2025 create a special category called Data Controllers or Processors of Major Importance (DCPMIs). An organization qualifies as a DCPMI if it meets any of these criteria:
- Processes personal data of more than 200 data subjects within any six-month period
- Provides commercial ICT services on digital devices that store personal data belonging to other individuals
- Operates in a designated sector: aviation, communication, education, electric power, export/import, financial services, health, hospitality, insurance, oil and gas, tourism, e-commerce, or public service
DCPMIs must register with the NDPC within six months of qualifying. Registration fees range from NGN 100,000 to NGN 1 million depending on organization size and processing scope.
The GAID classifies DCPMIs into three tiers based on processing volume:
- Ultra-High Level (UHL): Largest-scale processors
- Extra-High Level (EHL): Mid-range large processors
- Ordinary-High Level (OHL): Entry-level major processors
UHL and EHL organizations must file annual Compliance Audit Returns (CAR) with the NDPC by March 31 each year, conducted by a licensed DPCO.
Lawful Bases for Processing Personal Data
Section 25 of the NDPA establishes six lawful bases for processing personal data. At least one must apply before any processing begins:
- Consent: The data subject has given explicit, freely given, specific, informed, and unambiguous consent for the stated purpose.
- Contract: Processing is necessary to perform a contract with the data subject or to take pre-contractual steps at their request.
- Legal obligation: Processing is required to comply with a legal obligation the controller is subject to.
- Vital interests: Processing is necessary to protect the life or physical safety of the data subject or another person.
- Public interest: Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, provided those interests do not override the data subject's fundamental rights.
The GAID 2025 adds important specifics. For the following activities, consent is the only acceptable basis; a controller may not substitute one of the other five:
- Direct marketing
- Processing sensitive personal data
- Further processing that deviates from the original stated purpose
- Processing children's personal data
- Cross-border transfers to countries without an NDPC adequacy decision
- Automated decision-making
When relying on legitimate interests, controllers must conduct a Legitimate Interest Assessment using the template provided by the NDPC in the GAID schedules.
Data Subject Rights Under the NDPA
The NDPA grants individuals in Nigeria a comprehensive set of rights over their personal data. Controllers must respond to data subject requests without undue delay.
Right to Information
Before processing any personal data, controllers must inform data subjects about the purpose of collection, the categories of data involved, the recipients or categories of recipients, retention periods, and the data subject's rights. This applies whether data is collected directly from the individual or from a third party.
Right of Access
Data subjects may request a copy of all personal data a controller holds about them. The controller must provide the data in a commonly used electronic format.
Right to Rectification
Individuals can request that inaccurate or outdated personal data be corrected. Controllers must process rectification requests without undue delay.
Right to Deletion (Erasure)
Data subjects may request deletion of their personal data when:
- The data is no longer necessary for its original purpose
- The data subject withdraws consent
- The data subject objects to processing and no overriding legitimate grounds exist
- The data was processed unlawfully
Controllers must carry out deletion without undue delay.
Right to Withdraw Consent
Data subjects may withdraw consent at any time. The NDPA specifically requires that withdrawing consent must be as easy as giving it. Controllers cannot make the withdrawal process more burdensome than the consent process.
Right to Object
Data subjects may object to the processing of their personal data. When an objection is made, the controller must stop processing unless it can demonstrate compelling legitimate grounds that override the data subject's rights, freedoms, and interests.
Right to Data Portability
Where processing is based on consent or a contract and carried out by automated means, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Sensitive Personal Data and Children's Data
The NDPA defines sensitive personal data as data relating to genetic information, biometric data used for unique identification, health data, religious or philosophical beliefs, political opinions, trade union membership, sex life, sexual orientation, racial or ethnic origin, and criminal records. The NDPC may designate additional categories.
Processing sensitive personal data is prohibited unless the data subject has given explicit consent or the processing is necessary for substantial public interest on the basis of law.
The NDPA sets the age of a child at under 18 years, aligning with Nigeria's Child Rights Act. Processing a child's data requires explicit consent from a parent or legal guardian. Controllers must implement consent verification mechanisms to confirm parental authorization.
Once children's data is collected with proper consent, controllers must treat it with the same heightened protections as sensitive personal data.
Data Breach Notification Requirements
The NDPA imposes strict breach notification timelines that apply to all data controllers.
Notification to the NDPC
Controllers must report a personal data breach to the NDPC within 72 hours of becoming aware of the breach. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
Notification to Data Subjects
When a breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must notify affected individuals immediately. The notification must use clear, plain language and explain what happened, what data was involved, and what steps the individual should take to protect themselves.
Processor Obligations
Data processors who become aware of a breach must notify the data controller without undue delay, enabling the controller to meet the 72-hour reporting window.
Data Protection Officers (DPOs)
All DCPMIs must appoint a Data Protection Officer. The DPO must have expert knowledge of Nigerian data protection laws and practices.
A DPO may be an employee of the organization or engaged through a service contract. The GAID 2025 strengthens the DPO role significantly:
- The DPO must report directly to senior management
- The organization must provide adequate resources for the DPO to fulfill their duties
- The DPO must have access to all data processing activities
- The organization must facilitate continuous training for the DPO
- The DPO's independence must be guaranteed; they cannot be dismissed or penalized for performing their duties
The DPO serves as the primary contact point for both data subjects and the NDPC on all data processing and privacy matters.
Data Protection Impact Assessments (DPIAs)
Controllers must conduct a DPIA before beginning any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects. High-risk processing includes systematic evaluation of personal aspects through automated processing, large-scale processing of sensitive data, and systematic monitoring of public areas.
If the DPIA indicates that the proposed processing would result in a high risk that the controller cannot mitigate through appropriate measures, the controller must consult the NDPC before proceeding.
Cross-Border Data Transfers
The NDPA permits the transfer of personal data outside Nigeria under specific conditions:
- Adequacy decision: The destination country provides an adequate level of data protection as determined by the NDPC. Nigeria has not yet published a formal adequacy list.
- Appropriate safeguards: The organization uses binding corporate rules or standard contractual clauses approved by the NDPC.
- Explicit consent: The data subject has given explicit, informed consent to the transfer after being made aware of the risks.
- Vital interests: The transfer is necessary to protect the vital interests of the data subject.
- Contract performance: The transfer is necessary for the performance of a contract between the data subject and the controller.
Because Nigeria has not yet published an adequacy list, most organizations rely on contractual safeguards. Controllers and processors using binding corporate rules or standard contractual clauses must obtain NDPC approval before initiating transfers.
Penalties for Non-Compliance
The NDPA establishes a tiered penalty structure based on organization classification.
For Data Controllers/Processors of Major Importance
Fines of up to NGN 10 million or 2% of annual gross revenue for the preceding financial year, whichever is higher. Because some Nigerian and multinational corporations operating in Nigeria generate billions of naira in annual revenue, the 2% figure, not the fixed amount, is the operative ceiling for large organizations.
For Other Organizations
Fines of up to NGN 2 million or 2% of annual gross revenue for the preceding financial year, whichever is higher.
Criminal Penalties
Failure to comply with NDPC orders may lead to imprisonment of up to one year. This provision gives the NDPC enforcement power that extends beyond financial penalties.
The NDPC's Administrative Powers
Beyond fines, the NDPC can issue enforcement notices, order organizations to cease specific processing activities, require remediation measures, and conduct audits and investigations.
NDPC Enforcement Actions: A Growing Track Record
The NDPC has demonstrated increasing willingness to take enforcement action against both domestic and international organizations.
Meta/WhatsApp: $220 Million Fine
In the most significant enforcement action to date, the Federal Competition and Consumer Protection Commission (FCCPC), following a 38-month investigation conducted jointly with the NDPC, fined Meta Platforms and WhatsApp $220 million in July 2024. The investigation found that Meta engaged in discriminatory and exploitative data practices against Nigerian users, sharing WhatsApp user data with Facebook without explicit consent and treating Nigerian users less favorably than users in other regions.
Meta appealed, but Nigeria's Competition and Consumer Protection Tribunal upheld the fine in April 2025 and ordered payment within 60 days. The tribunal also directed Meta to revert to its 2016 data-sharing policy and stop sharing Nigerian users' information with Facebook and other third parties without consent.
Multichoice Nigeria: NGN 766.2 Million Fine
In July 2025, Multichoice Nigeria received a NGN 766.2 million fine for data privacy violations and unauthorized cross-border data transfers.
Sector-Wide Compliance Investigations (2025)
In August 2025, the NDPC issued compliance notices to 1,368 organizations across multiple sectors, including 795 financial institutions, 392 insurance brokers, 136 gaming companies, 35 insurance companies, and 10 pension companies. Each organization was given 21 days to provide evidence of DPO appointment, technical and organizational data protection measures, and DCPMI registration.
In 2024, the NDPC investigated more than 213 reports of privacy violations, unauthorized data sharing, and non-compliance.
Cookie and Privacy Notice Requirements
The GAID 2025 introduced specific requirements for websites and digital services. All cookies require active consent from the data subject. Pre-checked boxes or implied consent through continued browsing do not satisfy this requirement.
Data controllers must display both a privacy notice and a cookie notice on the homepage of their websites. The cookie notice must give data subjects a clear opportunity to decline or accept, and it must be displayed prominently, significantly obstructing the middle, left, or right side of the homepage.
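The consent gate that this cookie rule and the withdrawal rule above imply, as an added JavaScript example (not code from the page, the NDPC or the GAID). It models consent state on the client without touching the DOM, so it runs under Node as written: non-essential cookies are set only after an explicit click, "continued browsing" is rejected outright, and withdrawal is a single call with no arguments. The names ConsentStore, CATEGORIES and gateCookie, the three cookie categories, and the cookie names in the walkthrough are all assumptions made for the example.

```javascript
// Added example, not taken from the NDPA, the GAID or any NDPC material.
// Models the consent gate a website needs so that non-essential cookies are
// set only after an explicit action, and consent can be withdrawn in one step.
// All names here (ConsentStore, CATEGORIES, gateCookie) are hypothetical.

// Cookie categories (assumed). Only the strictly necessary category is exempt.
const CATEGORIES = Object.freeze({
  essential: { requiresConsent: false },
  analytics: { requiresConsent: true },
  marketing: { requiresConsent: true }, // direct marketing: consent is the only basis
});

class ConsentStore {
  // `clock` is injectable so the record's timestamps are reproducible.
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.record = null; // no decision yet: everything that needs consent is denied
  }

  // Record consent. Only an explicit user action (a click on an unchecked
  // option or an "Accept" button) is accepted; scrolling, continued browsing
  // and pre-checked boxes never produce a record.
  grant(categories, { userAction } = {}) {
    if (userAction !== 'click') {
      throw new Error(`consent requires an explicit user action, got "${userAction}"`);
    }
    const granted = {};
    for (const name of Object.keys(CATEGORIES)) {
      granted[name] = !CATEGORIES[name].requiresConsent || categories.includes(name);
    }
    this.record = { granted, givenAt: this.clock(), withdrawnAt: null };
    return this.record;
  }

  // Withdrawal takes no arguments and no confirmation: at least as easy as
  // giving consent. The record is kept, with withdrawnAt, for audit.
  withdraw() {
    if (!this.record) return null;
    for (const name of Object.keys(CATEGORIES)) {
      if (CATEGORIES[name].requiresConsent) this.record.granted[name] = false;
    }
    this.record.withdrawnAt = this.clock();
    return this.record;
  }

  // Default deny: with no record, only consent-exempt categories are allowed.
  isAllowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown category "${category}"`);
    if (!CATEGORIES[category].requiresConsent) return true;
    return this.record !== null && this.record.granted[category] === true;
  }
}

// Build the Set-Cookie value for a cookie, or return null when its category
// has not been consented to. Callers set nothing when null comes back.
function gateCookie(store, { name, value, category, maxAge = 3600 }) {
  if (!store.isAllowed(category)) return null;
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Walk-through with a fixed clock (constructed input): returns what each stage produced.
function walkthrough() {
  let t = 0;
  const store = new ConsentStore(() => `2025-10-01T00:00:0${t++}Z`);
  const out = {};
  out.sessionBeforeConsent = gateCookie(store, { name: 'sid', value: 'abc', category: 'essential' });
  out.analyticsBeforeConsent = gateCookie(store, { name: '_ga', value: 'x', category: 'analytics' });
  try {
    store.grant(['analytics'], { userAction: 'scroll' }); // "continued browsing"
    out.impliedConsentAccepted = true;
  } catch (e) {
    out.impliedConsentAccepted = false;
  }
  store.grant(['analytics'], { userAction: 'click' }); // user ticked analytics only
  out.analyticsAfterConsent = gateCookie(store, { name: '_ga', value: 'x', category: 'analytics' });
  out.marketingAfterConsent = gateCookie(store, { name: 'ad_id', value: 'y', category: 'marketing' });
  out.withdrawnRecord = store.withdraw(); // one call, no arguments
  out.analyticsAfterWithdrawal = gateCookie(store, { name: '_ga', value: 'x', category: 'analytics' });
  return out;
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The point of the design is that the server-side or client-side code that sets cookies never consults a checkbox state directly; it asks the store, and the store can only be moved out of the deny state by a recorded click. Keeping the withdrawn record rather than deleting it gives the controller evidence of both the grant and the withdrawal if the NDPC asks.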
Standard Notice to Address Grievance (SNAG)
The GAID 2025 introduced the Standard Notice to Address Grievance (SNAG) system. A SNAG is a standardized template that data subjects can use to formally demand internal remediation from an organization they believe has violated their privacy rights.
Issuing a SNAG is not a prerequisite for filing a complaint with the NDPC or for bringing a court action. It serves as an additional mechanism for resolving disputes directly with the organization before escalating to the regulator or the courts.
Compliance Checklist for Organizations Operating in Nigeria
Organizations subject to the NDPA should take these practical steps:
- Determine whether the organization qualifies as a DCPMI and register with the NDPC if required
- Appoint a qualified Data Protection Officer
- Identify and document the lawful basis for each processing activity
- Implement consent mechanisms that meet NDPA standards (explicit, freely given, specific, informed)
- Conduct Data Protection Impact Assessments for high-risk processing
- Establish breach notification procedures to meet the 72-hour reporting deadline
- Review cross-border data transfer arrangements and obtain NDPC approval where needed
- Update privacy notices and cookie consent mechanisms to comply with the GAID 2025
- Prepare for annual Compliance Audit Returns if classified as UHL or EHL
Sources and References
- Nigeria Data Protection Act, 2023 (full text), cert.gov.ng
- Nigeria Data Protection Commission (NDPC) official website, ndpc.gov.ng
- NDPA General Application and Implementation Directive (GAID) 2025, ndpc.gov.ng
- Nigeria Data Protection Regulation 2019 (NDPR), nitda.gov.ng
- FCCPC: Tribunal Upholds $220 Million Fine Against Meta/WhatsApp, fccpc.gov.ng
- NDPC Compliance Notices to 1,368 Organizations, techpoint.africa
- NDPC Guidance Notice on Registration of DCPMIs, kpmg.com
- Data Protection Laws and Regulations: Nigeria 2025-2026, iclg.com