The regulation of personal data processing in Nigeria lies with the Nigeria Data Protection Commission (NDPC), which was established in 2023 under the Nigeria Data Protection Act, 2023 (NDPA)[1]. Prior to this development, data protection obligations were primarily governed by the Nigeria Data Protection Regulation 2019 (NDPR), a subsidiary instrument issued by the National Information Technology Development Agency (NITDA). The NDPA establishes a comprehensive legal framework regulating how organizations collect, use, store, and share personal data of individuals in Nigeria. It applies to businesses operating within Nigeria as well as foreign entities processing data of Nigerian residents[2].
In March 2025, the NDPA General Application and Implementation Directive (GAID) was released by the NDPC pursuant to its powers under Sections 1(a), 6(c), 61 & 62 of the NDPA to resolve many of the often-grey provisions of the NDPA as well as provide guidance, clarity, and offer complementary provisions. Under the NDPA and GAID, data controllers and processors have a number of compliance obligations to meet, including ensuring compliance with core data protection principles and processing personal data lawfully, fairly, and transparently.
It is against this backdrop that this article examines some of the practical steps businesses in Nigeria can take to achieve data protection compliance, especially in the face of NDPC regulatory oversight and sanctions.
COMPLIANCE OBLIGATIONS UNDER THE NDPA & GAID
Certain compliance obligations are mandated for businesses under the NDPA. A data controller or processor who fails to comply risks administrative fines, sanctions, lawsuits, loss of customer trust, and more. Some of the compliance obligations for businesses are:
a. FILING OF COMPLIANCE AUDIT RETURNS (CAR)
Businesses that are Data Controllers or Processors of Major Importance (DCPMI) must file their Compliance Audit Returns (CAR) with the NDPC annually. For DCPMIs that were established before the 12th of June, 2023, the CAR shall be filed no later than the 31st of March every year. However, DCPMIs established after 12th of June, 2023, must file their CAR[3] within 15 months of establishment and then annually for subsequent years[4].
In practice, many businesses believe that data protection compliance ends once they file their CAR. This is not correct: there are several other compliance obligations expected of businesses under the GAID, and failure to meet them could expose the business to regulatory fines, sanctions, penalties, and even lawsuits.
b. APPOINTMENT OF A DATA PROTECTION OFFICER (DPO)
DCPMIs are mandated to designate a DPO with expert knowledge of data protection law and practices and the ability to carry out the tasks prescribed by the NDPA and GAID.[5] The DPO may be a member of staff of the data controller or processor, or may be engaged under a service contract.
Some of the duties a DPO owes the business include:
i. Monitoring compliance with the extant data protection legislation;
ii. Advising on best practices in carrying out processing activities;
iii. Acting as the contact point for the NDPC on data processing issues;
iv. Preparing and submitting a semi-annual data protection report to management[6].
Furthermore, a data controller or processor is mandated to:
i. Provide the DPO with the necessary resources to carry out his or her tasks;
ii. Ensure the DPO has access to personal data processing activities and processing operations;
iii. Make adequate provision for continuous training for the DPO;
iv. Ensure that the DPO does not carry out his or her tasks under duress, coercion, or covert or overt influence;
v. Not dismiss or penalise the DPO for performing his or her tasks;
vi. Ensure that any tasks and duties carried out by the DPO do not result in a conflict of interest[7].
c. REGISTRATION AS A DATA CONTROLLER & PROCESSOR OF MAJOR IMPORTANCE (DCPMI)
A DCPMI is a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate[8].
All DCPMIs are to be registered with the NDPC. DCPMIs are grouped into three categories based on the volume of personal data they process, the sensitivity of the data, and other factors. These categories are:
i. Ultra-High Level (UHL)
ii. Extra-High Level (EHL)
iii. Ordinary-High Level (OHL)[9]
DCPMIs are registered according to the category they fall under. DCPMIs in the UHL and EHL categories register once with the NDPC and file their CAR annually. DCPMIs in the OHL category renew their registration annually and, having renewed, are not required to file a CAR.[10]
d. ESTABLISHMENT OF LAWFUL BASIS FOR PROCESSING
A data controller or processor must establish a lawful basis for processing personal data. Under the NDPA and GAID[11], a data controller must process personal data on one of the following lawful bases:
i. Consent
ii. Contractual Obligation
iii. Legal Obligation
iv. Vital Interest
v. Public Interest
vi. Legitimate Interest.
e. DATA PRIVACY IMPACT ASSESSMENT
A data controller is mandated to carry out a Data Privacy Impact Assessment (DPIA) prior to processing personal data where such processing may result in a high risk to the rights and freedoms of data subjects by virtue of its nature, scope, context, and purpose[12].
Upon conclusion of a DPIA[13], it shall be vetted by a DPO duly accredited by the NDPC. The outcome of the DPIA is also to be filed among the accompanying documents when the entity concerned files its CAR. A DPIA is expected to be carried out before processing commences; however, where data processing commenced before the GAID was issued, the DPIA shall be carried out within 6 months[14].
f. OTHER COMPLIANCE OBLIGATIONS
The above is not an exhaustive list of the compliance obligations expected of businesses that operate as data controllers or processors. Other compliance obligations under the NDPA and GAID include:
i. Identifying all compliance obligations and preparing schedules of compliance;
ii. Preparing and keeping semi-annual data protection reports[15];
iii. Preparing and following schedules on monitoring, evaluation, and maintenance of the data security system in order to guarantee data confidentiality, integrity, and availability;
iv. Preparing and following schedules on organisation-wide internal sensitisation and training on data privacy and protection in order to foster a culture of compliance;
v. Developing or reviewing its organisational privacy policies to be in tandem with the NDPA;
vi. Publishing its organisational privacy policies on its platforms with a view to sensitising data subjects on data processing activities as well as their rights and duties;
vii. Providing privacy and cookie notices on the homepage of its website[16];
viii. Notifying the NDPC of personal data breaches within seventy-two (72) hours of becoming aware of the breach;
ix. Notifying a data subject immediately after becoming aware of a personal data breach that may pose a high risk to his or her privacy;
x. Updating agreements with third-party processors to ensure compliance with the NDPA;
xi. Designing systems and processes to make data requests and access seamless for data subjects;
xii. Designing systems and processes to enable data subjects to easily correct or update their personal data;
xiii. Designing systems and processes to enable data subjects to easily transfer their data to another platform or person (natural or artificial);
xiv. Training its personnel on data protection law and practices.
CONCLUSION
Data protection compliance in Nigeria is now a core governance requirement, not merely a legal formality. Businesses that adopt structured privacy programs such as data mapping, lawful processing, security controls, governance mechanisms, and accountability will not only avoid penalties but also build customer trust and competitive advantage.
[1] See Section 4 of the Nigeria Data Protection Act, 2023 (NDPA)
[2] Section 2(2) of the NDPA
[3] CAR must be filed in line with Schedule 2 of the GAID
[4] See Article 10 (7) & (8) of the GAID
[5] Section 32 of the NDPA
[6] See generally Articles 11 and 12 of GAID
[7] See Article 12 of the GAID
[8] See Section 65 of the NDPA
[9] See Article 8(4) of the GAID
[10] See generally Article 9 of the GAID.
[11] See Section 25 of the NDPA and Article 16 of the GAID
[12] Section 28 of the NDPA
[13] The DPIA shall be in line with Schedule 4 of the GAID
[14] See Article 28 of GAID
[15] This report usually contains a detailed analysis of data processing within 6 (Six) months
[16] The cookie notice should give a data subject the opportunity to accept or decline it. A cookie notice must be displayed in such a way that it significantly obstructs the middle, the left, or the right side of the home page of a website. Displaying a cookie notice at the bottom of a webpage, where it may be ignored or go unnoticed by a data subject, is tantamount to a lack of transparency in data processing.
Written by Muhiz Adisa for The Trusted Advisors