Nigeria Data Protection Act (NDPA)

Overview

The Nigeria Data Protection Act (NDPA), enacted on 12 June 2023, establishes a legal framework for the protection of personal data and creates the Nigeria Data Protection Commission (NDPC) to regulate data processing activities. The Act ensures fair, lawful, and accountable processing of personal data, strengthens data subject rights, and enforces compliance measures.
Regulation Summary

Timeline
  • 12 June 2023 – Law enacted and signed by the President.
  • 1 July 2023 – Law published in the Federal Republic of Nigeria Official Gazette.

What Businesses Are Affected
  • Any organization operating in Nigeria that processes personal data.
  • International companies processing the personal data of individuals in Nigeria.
  • Data controllers and data processors that collect, store, or analyze personal information.
  • Organizations of major importance handling large-scale or sensitive personal data.

Exemptions
  • Personal or household use of data.
  • Government agencies handling criminal investigations, national security, or public health emergencies.
  • Journalistic, educational, artistic, or literary purposes, provided that fundamental rights are not violated.

Responsibilities for Businesses
  • Obtain explicit consent before processing personal data.
  • Ensure transparency by informing data subjects of processing purposes.
  • Implement security measures to protect data from breaches.
  • Limit data processing to specific, lawful purposes.
  • Appoint a Data Protection Officer (DPO) if classified as an organization of major importance.
  • Maintain records of processing activities for compliance audits.

Specific Responsibilities for Website Owners
  • Cookie Consent: Obtain explicit user consent for non-essential cookies.
  • Privacy Policy: Publish a notice covering:
    • Types of data collected
    • Processing purposes and retention periods
    • Third-party data sharing practices
    • User rights and how to exercise them
  • Data Security: Encrypt transmitted user data (e.g., contact forms, payments).
  • Right to Deletion: Provide an option for users to request deletion of their data.

Additional Requirements
  • Cross-Border Data Transfers: Allowed only if the recipient country has adequate data protection laws.
  • Data Breach Notification: Must be reported to the NDPC within 72 hours.
  • Compliance Audits: Organizations must undergo regular audits to verify compliance.
  • Sensitive Data Protection: Stricter measures for processing biometric, health, and financial data.

Data Subject Rights
  • Access: Individuals can request a copy of their personal data.
  • Correction: Users can request rectification of inaccurate data.
  • Deletion: Data subjects may request deletion under certain conditions.
  • Objection: Users can refuse data processing for specific reasons.
  • Portability: Data subjects may request their data in a portable format.
  • Automated Decision-Making: Users can object to automated profiling that significantly affects them.

Enforcement
  • Regulatory Authority:
    • Nigeria Data Protection Commission (NDPC) oversees compliance.
  • Penalties:
    • Failure to comply with orders – Fine up to NGN 10,000,000 (≈ USD 12,200) or 2% of annual gross revenue.
    • Unauthorized data processing – Fine up to NGN 2,000,000 (≈ USD 2,440) or 2% of annual gross revenue.
    • Failure to report a data breach – Fine up to NGN 5,000,000 (≈ USD 6,100).
    • Severe violations – Higher penalties and potential imprisonment for up to one year.