Nigeria NDPA
Nigeria Data Protection Act, 2023
The Nigeria Data Protection Act 2023 (NDPA) is Nigeria's primary data protection statute, signed into law on 12 June 2023 and replacing the prior NDPR 2019 framework. It establishes the Nigeria Data Protection Commission (NDPC) and sets out principles, lawful bases, data subject rights, and obligations for controllers and processors.
Who it applies to
The Act applies to data controllers and processors domiciled or operating in Nigeria, and to those outside Nigeria that process the personal data of data subjects in Nigeria. Certain processing is exempt, such as purely personal or household processing.
Identity requirements
- Process personal data on a valid lawful basis such as consent, contract, legal obligation, or legitimate interest, and demonstrate compliance
- Honor data subject rights including access, rectification, erasure, restriction, portability, and objection
- Register with the NDPC as a data controller or processor of major importance where applicable
- Implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data
- Notify the NDPC of a personal data breach within 72 hours and notify affected data subjects where there is high risk
- Designate a Data Protection Officer and apply lawful mechanisms for cross-border transfers of personal data
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Valid lawful bases and explicit consent requirements shape how customer identity and consent are captured and managed. |
| Breach notification | Controllers must report personal data breaches to the NDPC within 72 hours and inform affected data subjects where the breach poses a high risk. |
| Data residency & cross-border transfer | Transfers of personal data outside Nigeria require an adequate-protection basis or other lawful safeguards. |
| Identity governance (IGA) | Registration of data controllers of major importance and DPO appointment require structured governance over identity data processing. |
| Audit, logging & accountability | Accountability and demonstrable-compliance duties drive recordkeeping and oversight of processing activities. |
Penalties
Sanctions for data controllers or processors of major importance can reach the greater of 10 million naira or 2 percent of annual gross revenue, while other entities face the greater of 2 million naira or 2 percent of annual gross revenue.
Nigeria NDPA: frequently asked questions
- When did the Nigeria Data Protection Act take effect?
  The NDPA was signed into law on 12 June 2023, replacing the earlier Nigeria Data Protection Regulation (NDPR) 2019.
- Who enforces the NDPA?
  The Nigeria Data Protection Commission (NDPC), established by the Act, is the national regulator that supervises and enforces data protection in Nigeria.
- How quickly must a data breach be reported under the NDPA?
  Data controllers must notify the NDPC of a personal data breach within 72 hours and inform affected data subjects where the breach poses a high risk.