
Data has become the lifeblood of businesses, from fintech startups to multinational corporations. This is a necessary result of the emergent era of rapid digital transformation across Africa’s largest economy, Nigeria.  However, this growth has also heightened vulnerability to data breaches and regulatory scrutiny. To address this, the Nigeria Data Protection Act (NDPA), 2023, was introduced. This Act replaced the earlier Nigeria Data Protection Regulation (NDPR) of 2019. Complementing this landmark shift is the General Application and Implementation Directive (GAID).

The GAID, which was issued by the Nigeria Data Protection Commission (NDPC) on March 20, 2025, provides operational clarity for the NDPA. This eases compliance, helping businesses adhere to the new regulatory framework. The NDPC’s recent aggressive enforcement, exemplified by an exhaustive probe into over 1,300 organizations, underscores the urgency for businesses to align with these regulatory frameworks. This article delves into the NDPA and GAID. It examines their key provisions and implications for businesses.


Background: From NDPR to NDPA and the Dawn of GAID

Nigeria’s data protection journey commenced in 2019 with the issuance of the National Data Protection Regulation (NDPR) by the National Information Technology Development Agency (NITDA) under the NITDA Act, 2007. The NDPR imposed obligations on data controllers and processors handling the personal data of over 1,000 individuals annually. These obligations focused on consent, security, and breach notifications, with fines ranging from ₦10 million to 1% of annual turnover. However, as Nigeria’s digital economy experienced rapid growth, the NDPR’s limitations became apparent. Notably, the regulation struggled to address cross-border data flows and enforcement gaps effectively.

President Bola Ahmed Tinubu enacted the NDPA on June 12, 2023. This Act elevated the previous data protection rules into primary legislation. It also established the NDPC as an independent regulator, which now supersedes NITDA’s former role. The NDPA aligns with global standards, such as the EU’s GDPR. It emphasizes key principles including data minimization, purpose limitation, and accountability. The Act applies to any entity that processes the personal data of Nigerian residents, regardless of the entity’s location, which broadens its extraterritorial scope. The GAID later reinforced this provision.

The GAID, effective from March 20, 2025, operationalizes the NDPA by clarifying implementation mechanisms, such as data protection impact assessments (DPIAs) and the role of Data Protection Officers (DPOs). Issued amid rising cyber threats (Nigeria recorded over 2,500 data breaches in 2024 alone), the GAID mandates proactive compliance. This includes mandatory registration for “major” data processors and enhanced breach reporting within 72 hours. The directive comes at a pivotal time, as Nigeria’s digital economy is projected to generate revenue of up to ₦18.3 billion by 2026, according to Dr. Bosun Tijani, the Minister of Communications, Innovation and Digital Economy.

Key Provisions of the NDPA: Core Obligations for Data Handlers

The NDPA defines “personal data” broadly as any information relating to an identified or identifiable individual, including biometric, genetic, and location data. It imposes seven principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

  • Data Subject Rights: Individuals (data subjects) enjoy rights to access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and objection to automated decision-making. Businesses must respond to such requests within one month, free of charge unless manifestly unfounded.
  • Controller and Processor Responsibilities: Data controllers (entities determining processing purposes) must conduct DPIAs for high-risk activities, appoint a DPO for oversight, and ensure processors (e.g., cloud providers) comply via contracts. Cross-border transfers require adequacy decisions, standard contractual clauses, or binding corporate rules.
  • Breach Notification and Enforcement: Controllers must notify the NDPC of breaches posing risks to rights and freedoms within 72 hours, and affected subjects without undue delay. The NDPC can issue enforcement notices, conduct audits, and impose administrative fines up to ₦10 million or 2% of global annual turnover (whichever is greater) for serious violations. There are also criminal sanctions which include up to three years’ imprisonment.

The Act also prohibits processing sensitive data (e.g., health, religion) without explicit consent or legal basis. It further mandates children’s data protections with parental consent for those under 18.

The GAID: Practical Guidance and Expanded Scope

Building on the NDPA, the GAID serves as a roadmap for compliance, addressing ambiguities in the Act. Key highlights include:

  • Extraterritorial Reach: Any processing affecting Nigerian data subjects, even abroad, falls under NDPA jurisdiction. This expands to Nigerian citizens overseas, impacting global firms like social media platforms.
  • DPO and Compliance Audits: Organizations processing data of over 200 individuals must appoint a DPO, who reports directly to the leadership of the organization. Annual compliance audits by licensed Data Protection Compliance Organizations (DPCOs) are mandatory, with summaries submitted to the NDPC.
  • Registration and Safeguards: “Major” processors (e.g., those handling sensitive data or serving over 5,000 subjects) must register with the NDPC and implement safeguards like encryption and pseudonymization. The GAID emphasizes DPIAs for AI-driven processing, aligning with Nigeria’s National AI Strategy 2024.
  • Sector-Specific Guidance: It tailors requirements for high-risk sectors like finance and telecoms, mandating risk assessments and vendor due diligence.

The GAID’s enforcement teeth are evident in its alignment with the NDPC’s 2025 Compliance Framework, which prioritizes proactive audits over reactive penalties.

Implications for Businesses: Risks, Costs, and Strategic Opportunities

For Nigerian businesses, NDPA and GAID compliance is no longer optional. Non-adherence risks reputational damage, operational disruptions, and hefty fines. In 2025, with Nigeria’s fintech sector alone valued at $1.2 billion, data-heavy industries face amplified scrutiny.

  • Operational Overhaul: Companies must map data flows, update privacy policies, and train their staff. Processors like cloud services must renegotiate contracts to include NDPA clauses.
  • Financial and Legal Risks: The NDPC’s powers include data processing bans. Also, there is the additional possibility of litigation from data subjects for breaches.
  • Opportunities: Compliance fosters trust, enabling GDPR adequacy for EU data flows and attracting foreign investment. Businesses can leverage DPCOs for audits, turning obligations into competitive edges.

The Nigerian Data Protection Commission’s 2025 Enforcement Surge

On August 25, 2025, the NDPC launched a sector-wide probe into 1,369 organizations across banking (795 firms), insurance (35 companies, 392 brokers), pensions (10 firms), and gaming (136 companies). It gave them until September 15, 2025 (21 days) to submit proof of compliance, including 2024 audit returns, DPO appointments, and summaries of the steps they have taken so far to safeguard data. Non-compliant organizations risk fines, enforcement orders, or prosecution, as the NDPC targets violations like inadequate consent mechanisms and poor breach reporting. This probe, the largest to date, follows a 300% rise in reported breaches in 2025.

Earlier, on July 6, 2025, the NDPC imposed Africa’s largest data privacy fine to date: ₦766 million (US$508,208) on Multichoice Nigeria for unauthorized subscriber data processing and inadequate security, violating NDPA Sections 24 and 40. This landmark penalty highlights global repercussions, as Multichoice’s parent company faced EU scrutiny under GDPR adequacy talks.

Other probes include March 2025 investigations into TikTok and Truecaller for alleged breaches involving millions of Nigerian users’ phone data without consent. In May, the NDPC probed the Joint Admissions and Matriculation Board (JAMB) over a technical glitch in the 2025 Unified Tertiary Matriculation Examination (UTME) that exposed candidates’ data. These cases underscore the NDPC’s focus on tech giants and public institutions, with ongoing audits in telecoms following a September 2025 cyberattack on the Nigerian Bar Association that deleted member records. At the Gulf Information Technology Exhibition (GITEX) Nigeria 2025 in July, NDPC’s Executive Vice-Chairman, Dr. Vincent Olatunji, advocated for privacy-enhancing technologies like homomorphic encryption, hinting at future tech-integrated enforcement drives.

Steps for Businesses to Achieve NDPA and GAID Compliance

To mitigate risks, it is essential for businesses to:

  1. Conduct a Data Audit: Map processing activities and identify gaps using GAID templates; engage DPCOs for independent reviews.
  2. Appoint a DPO and Register: Ensure the DPO is qualified (e.g., certified under NDPC guidelines) and register as a major processor via the NDPC portal by Q4 2025.
  3. Implement Safeguards: Adopt DPIAs, encryption, and consent management tools; update vendor contracts with NDPA clauses.
  4. Prepare for Breaches: Develop a 72-hour notification protocol and train staff via NDPC-approved programs.
  5. Monitor Enforcement: With the September 15 deadline looming, prioritize submissions; for global firms, align with GDPR for dual compliance.

The NDPA and GAID mark Nigeria’s maturation as a data protection leader, but the 2025 enforcement wave, from the Multichoice fine to the mass probe, signals that ignorance of the law is no defense. Businesses ignoring these frameworks risk not just penalties but erosion of consumer trust in a market where 70% of users cite privacy as a top concern. By embracing compliance, companies can safeguard data, foster innovation, and contribute to Nigeria’s vision of a secure digital ecosystem.

As the NDPC’s probes unfold, proactive action is essential. For tailored advice on how to stay compliant, please consult your lawyers.
