
Nigeria Data Protection Act (NDPA)

Nigeria’s data protection act on personal data protection


What is NDPA?

The Nigeria Data Protection Act, or NDPA, is Nigeria’s data privacy regulation. It was signed into law on June 12, 2023, when it also became effective, and sets out to protect the processing of personal data of the citizens of Nigeria.

Its initial forms include the NDPR (Nigeria Data Protection Regulation) issued in January of 2019 and the Data Protection Bill 2022, both of which were replaced by the new law once it became effective. 


What is Personal Information and what are other key definitions?

The Nigeria Data Protection Act (NDPA) follows the pattern of other privacy regulations by defining concepts such as biometric data, personal information, sensitive personal information or data controller and data processor. 

According to the text of the law, ‘personal data’ means “any information relating to an individual who can be identified or is identifiable, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual,” and ‘biometric data’ refers to “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis.”

In the case of ‘sensitive personal data’ the law defines this as “personal data relating to an individual’s genetic and biometric data, for the purpose of uniquely identifying a natural person; race or ethnic origin; religious or similar beliefs, such as those reflecting conscience or philosophy; health status; sex life; political opinions or affiliations; trade union memberships; or any other personal data prescribed by the Commission as sensitive personal data.”

By ‘consent’ the NDPA means “any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or an affirmative action, of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the Commission to provide such consent.”

There is also little difference in the way this law defines ‘data controller,’ namely “an individual, private entity, public Commission or agency or any other body who or which, alone or jointly with others, determines the purposes and means of the processing of personal data,” or ‘data processor,’ which is defined as “an individual, private entity, public authority or agency or any other body who or which processes personal data on behalf of or at the direction of a data controller or another data processor.”

However, one difference between this law and others is that it categorizes data controllers and processors into a general category and one it calls ‘data controllers or data processors of major importance,’ referring to those data controllers or data processors that are “domiciled, ordinarily resident, or ordinarily operating in Nigeria and process or intend to process personal data of more than such number of data subjects who are within Nigeria as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.”


Who has to comply with the Nigeria Data Protection Act (NDPA)?

According to the text of the law, you have to comply if you are a data processor, “whether by automated means or not,” and if the following conditions apply: 

  • You are either domiciled or usually resident or operating in Nigeria;
  • The data processing takes place in Nigeria;
  • You process personal data of Nigerian data subjects. 

Who is excluded from Nigeria Data Protection Regulation compliance? 

The NDPA does not apply to “the processing of personal data to the extent it is carried out by one or more individuals solely for personal or household purposes” and in the following situations where personal data processing is:

  • “carried out by competent authorities for the purposes of the prevention, investigation, detection, prosecution or adjudication of criminal offenses or the execution of criminal penalties in accordance with any applicable law;
  • carried out by competent authorities for the purposes of prevention or control of a national public health emergency;
  • carried out by competent authorities as necessary for national security;
  • in respect of publication in the public interest for journalism, educational, academic, artistic and literary purposes to the extent that such obligations and rights would be incompatible with such purposes; or
  • necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.”

How can I keep my organization NDPA compliant? 

Similar to other data privacy laws across the world, the NDPA sets out principles for personal data processing as follows: 

  • personal data has to be processed “fairly, lawfully and in a transparent manner”;
  • it has to be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”;
  • personal data has to be “adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed”;
  • it can be “retained for no longer than is necessary to achieve the lawful bases” for which it was collected or further processed;
  • personal data must be “accurate, complete, not misleading and, where necessary, kept up to date having regard to the purposes for which the personal data was collected or is further processed”;
  • personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and access against loss, destruction or damage and the data controller and data processor shall use appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of the personal data.”

The lawful basis for processing of personal data is the consent of the data subject as well as the application of one of the following situations where processing is necessary:

  • for the performance of a contract;
  • for compliance with a legal obligation;
  • for the purpose of protecting the vital interests of the data subject;
  • for the performance of tasks in service of public interest or for the exercise of official authority;
  • for purposes of legitimate interest of the data controller or data processor, unless exceptions to this apply.

It is your responsibility to prove that consent was obtained prior to data processing, and in the case of children, consent may be relied upon when provided by a child aged 13 years or more. 

Although this law does not specifically mention the requirement of a privacy policy, unlike the 2019 version of the law, Article 28 sets out a series of details that your organization has to provide to the data subject before you collect personal data directly from them. These are as follows:

  • the name and address of your organization;
  • the specific lawful basis for processing;
  • the purposes of processing;
  • if applicable, the details of any third party that would receive their personal data;
  • the data subject access rights available to them according to the law;
  • the right to submit a complaint to the regulatory authorities;
  • the existence of automated decision-making, i.e. profiling, the potential consequences of this, and the right to object to this type of processing.

According to Article 29, you are required to conduct a DPIA “where processing appears likely to result in high risk to the rights and freedoms of data subjects by virtue of its nature, scope, context and purposes.”

Article 33 mandates that “data controllers of major importance shall designate a data protection officer with expert knowledge of data protection law and practices” but it does not impose this obligation on all other data controllers and processors, while according to Article 40, you are required to “implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse or alteration, unauthorized disclosure or access.” These measures may include pseudonymization, encryption, regular testing and regular updating of the security in place. In addition to this, if you are a data controller or a data processor “of major importance,” you are required to register with the Nigeria Data Protection Commission (NDPC) within 6 months of the enforcement of this law or of becoming one such data controller or processor. 

Last but not least, according to Article 41, data breaches referring to data being stored or processed by a data processor on behalf of another data processor or data controller have to be reported no later than 72 hours to the NDPC when this is likely to result in a risk to the individuals. If the data breach refers to data that was stored or processed by a data processor directly, then it must be notified to any other data controllers or processors that may have come into contact with the data, as they might have to meet compliance requirements as well.


What data access rights does the Nigeria Data Protection Act grant? 

As with other data privacy regulations, the NDPA grants individuals the following rights:

  • Right to be informed
  • Right to access data 
  • Right to correct inaccurate data 
  • Right to delete personal data 
  • Right to restrict processing 
  • Right to object to processing 
  • Right to object to automated processing
  • Right to the portability of data 


How to address data subject access requests under NDPA?

Unlike its preceding law, the NDPA is more vague when it comes to the deadline for answering a data subject request, determining that you must do so “without constraint or unreasonable delay.”

The personal data has to be provided to the data subject “in a commonly used electronic format except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the data controller to bear some or all of such costs.”

While a data subject request is pending resolution, an objection has been raised by the data subject, or the establishment, exercise or defense of legal claims is pending a resolution, data processing is restricted.


Enforcement and penalties for Nigeria Data Protection Act

The regulating authority is the Nigeria Data Protection Commission (NDPC), which handles complaints submitted against a data controller or processor, including those submitted by a data subject. 

The NDPC can also initiate an investigation on its own where it has reason to believe that your organization is violating the law. For the purpose of the investigation, it can ask an individual to attend a meeting at a specific time and place in order to be questioned regarding a complaint, to produce documentation required in the investigation - unless doing so would break any other written law - and to make a statement under oath “setting out all information which may be required under the order.” It may also issue compliance orders to data controllers and processors that have either violated or are likely to violate the regulations, issue an enforcement order or impose a sanction.

Penalties are split between data controllers and processors of major importance, and all other data controllers and processors as follows:

  • in the case of a data controller or data processor of major importance, the higher maximum amount, meaning ₦10,000,000 (approx. $21,700) or “two percent of its annual gross revenue derived from Nigeria in the preceding financial year,” whichever is greater.
  • in the case of a data controller or data processor other than a data controller or data processor of major importance, the standard maximum amount, meaning ₦2,000,000 (approx. $4,500) or “two percent of its annual gross revenue derived from Nigeria in the preceding financial year,” whichever is greater.

For criminal offenses, meaning failure to comply with the enforcement orders issued by the NDPC, the penalty may consist of the above fines for each type of data controller and processor, or imprisonment for up to 1 year, or both a fine and imprisonment.

Data Subject Rights - GDPR vs. NDPA 


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can see Clym in action for yourself by booking a demo or reaching out to us to discuss your specific needs today.



If you would like to learn more, our compliance experts are happy to support you.

+1 980 446 8535 +1 866 275 2596