Nigeria Data Protection Framework

Nigeria's data protection journey has evolved from the NDPR (2019), through the NDPB (2022), to the establishment of the NDPC under the NDPA (2023). Below is a breakdown of the key milestones and provisions.

Nigeria Data Protection Regulation (NDPR) - 2019

The Nigeria Data Protection Regulation (NDPR) was issued by the National Information Technology Development Agency (NITDA) on 25th January 2019. It is the pioneer comprehensive regulation on data protection in Nigeria, aimed at safeguarding the rights of natural persons relating to data privacy and regulating the processing of personal data in Nigeria.

The NDPR is strongly influenced by the GDPR, with several articles containing very similar or identical phrasing. It applies to all residents of Nigeria and Nigerian citizens abroad, as well as organizations that process personal data of these individuals.

From NDPR to NDPC

  • 2019: NDPR issued by NITDA – Nigeria’s first major data protection regulation.
  • February 2022: Creation of the Nigeria Data Protection Bureau (NDPB) to implement the NDPR.
  • June 12, 2023: Signing of the Nigeria Data Protection Act (NDPA) into law by President Bola Tinubu. This Act officially transformed the NDPB into the Nigeria Data Protection Commission (NDPC).

Nigeria Data Protection Commission (NDPC) - Established 2023

The Nigeria Data Protection Commission (NDPC) is the statutory body established under the Nigeria Data Protection Act (NDPA) 2023. It succeeded the NDPB and now serves as the central authority regulating data protection and privacy in Nigeria.

Mandate
  • Regulate data processing activities across Nigeria.
  • Safeguard the fundamental rights of Nigerians to data privacy.
  • Ensure compliance with global standards in data protection.
  • Oversee data controllers, processors, and Data Protection Officers (DPOs).

Key Features of the NDPA 2023
  • Legal establishment of the NDPC with enforcement powers.
  • Stronger penalties for non-compliance, including criminal sanctions.
  • Recognition of data subjects’ rights, including right to access, rectification, erasure, and portability.
  • Provisions for international data transfers, ensuring adequate safeguards.
  • Establishment of lawful bases for data processing (consent, contract, legal obligation, vital interest, public interest, legitimate interest).

NDPR (2019) vs NDPA/NDPC (2023)

| Aspect | NDPR (2019) | NDPA / NDPC (2023) |
|---|---|---|
| Legal Basis | Issued by NITDA as a regulation. | Established by an Act of the National Assembly (NDPA 2023). |
| Regulatory Body | NITDA supervised enforcement via NDPR. | NDPC created as an independent commission with full powers. |
| Scope | Applied to all Nigerians and residents, including citizens abroad. | Same scope, but with broader international recognition and enforcement mechanisms. |
| Data Subject Rights | Basic rights recognized (consent, access, correction, deletion). | Expanded rights: portability, objection to processing, restriction of processing, complaint to NDPC. |
| Compliance Obligations | DPO appointment, audits, breach reporting within 72 hours. | Retains NDPR duties + stronger accountability, lawful bases for processing, and higher international standards. |
| Penalties | Up to 2% of annual gross revenue or damages. | Administrative fines + civil and criminal liability, broader enforcement powers for NDPC. |
| International Transfers | Guidance but limited enforcement power. | Clear framework requiring adequate safeguards, aligned with GDPR standards. |
| Enforcement | NITDA oversight, limited sanctions. | NDPC empowered with investigations, administrative sanctions, civil remedies, and criminal prosecution. |

Key Provisions of NDPR

Data Protection Officer (DPO)

Every data controller is required to appoint a DPO to ensure adherence to the NDPR.

Data Protection Audit

Organizations processing large volumes of data must conduct audits and submit reports to NITDA (now NDPC).

Data Breach Notification

Controllers must report a breach within 72 hours of becoming aware of it.

Consent Requirements

Consent must be explicit, informed, and unambiguous.

Penalties for Non-Compliance

Organizations that fail to comply with NDPR/NDPA provisions may face:

  • Fines up to 2% of annual gross revenue (NDPR standard; NDPA expands enforcement).
  • Administrative sanctions from NDPC.
  • Temporary or permanent suspension of data processing.
  • Civil liability and damages for affected data subjects.
  • Criminal liability for severe violations under NDPA 2023.