What the Nigeria Data Protection Act 2023 Means for Your Organization
On 12th June 2023, Nigeria took a significant step toward strengthening digital rights and responsible data use by enacting the Nigeria Data Protection Act (NDPA), 2023. This legislation marks a pivotal moment for businesses, especially those processing the personal data of Nigerian citizens.
But what does the NDPA really mean for your organization, and how should you respond?
Understanding the Nigeria Data Protection Act, 2023
The NDPA 2023 builds on the previous Nigeria Data Protection Regulation (NDPR) of 2019 and officially establishes a legal framework for data protection in the country. Importantly, it also creates a dedicated supervisory authority, the Nigeria Data Protection Commission (NDPC), to oversee compliance and enforcement.
Key Objectives of the NDPA:
- Safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999.
- Promote data processing practices that safeguard the security of personal data and privacy of data subjects.
- Provide a regulation for processing personal data and ensure that personal data is processed in a fair, lawful and accountable manner.
- Protect data subjects’ rights, and provide means of recourse and remedies, in the event of the breach of the data subject’s rights.
- Ensure that data controllers and data processors fulfil their obligations to data subjects.
- Establish an impartial, independent, and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors.
- Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.
Why the NDPA 2023 Matters
The NDPA 2023 strengthens Nigeria’s personal data protection regime by enhancing accountability, enforcement, and governance structures for data controllers and processors under the oversight of the Nigeria Data Protection Commission (NDPC).
This Act is not limited to Nigerian companies; it also affects foreign organizations that process personal data of Nigerian residents, making compliance a cross-border concern.
Applicability of the Nigeria Data Protection Act, 2023
1) Applies to entities within Nigeria: Covers Data Controllers and Data Processors that are:
- Domiciled in Nigeria,
- Ordinarily resident in Nigeria, or
- Ordinarily operating in Nigeria.
2) Applies to foreign entities processing Nigerian data:
- Also applies to Data Controllers or Processors not based in Nigeria, if they process the personal data of data subjects located in Nigeria.
3) Exemptions provided:
This Act shall not apply to the processing of personal data by any individual solely for personal or household purposes, provided that such processing does not infringe upon the fundamental right to privacy of the data subject.
This Act does not apply to a data controller or data processor where the processing of personal data is:
- Undertaken by a competent authority for the prevention, investigation, detection, prosecution, or adjudication of criminal offences or criminal penalties;
- Conducted by a competent authority for the prevention or control of a national public health emergency as necessary for national security;
- In relation to publication in the public interest for journalistic, educational, artistic, or literary purposes; or
- Necessary for the establishment, exercise, or defence of legal claims, whether in court, in administrative proceedings, or in out-of-court procedures.
Appointment of Data Protection Officers (DPOs) and Licensing of Data Protection Compliance Services
Data Protection Officers: Unlike other data protection laws, the appointment of Data Protection Officers (DPOs) is limited to data controllers of major importance. The DPO may be an employee of the data controller or engaged under a service contract. The functions of the DPO include advising data controllers or processors, and their employees; monitoring compliance with the Act and other related policies; and acting as a contact point for the Commission on issues relating to data processing.
The Data Protection Officer shall:
- Advise the data controller or the data processor, and their employees, who carry out processing under this Act;
- Monitor compliance with this Act and related policies of the data controller or data processor; and
- Act as the contact point for the Commission on issues relating to data processing.
Principles and Lawful Basis for Processing Personal Data
Nigeria’s DPA sets out the principles and lawful bases for processing personal data. The Act lists six principles of personal data processing, requiring data controllers and processors to ensure that personal data is:
- Processed in a fair, lawful and transparent manner;
- Collected for a specified, explicit and legitimate purpose and not further processed in a way incompatible with those purposes;
- Adequate, relevant and limited to the minimum necessary for the purpose of collection and further processing;
- Retained for no longer than necessary to achieve the lawful bases for collection or further processing;
- Accurate, complete and not misleading having regard to the purpose of collection or further processing; and
- Processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.
In addition, data controllers or processors are required to use appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of personal data. For compliance purposes, the compatibility of further processing is determined by assessing the relationship between the original purpose and that of the intended further processing, the nature of the personal data involved and how it was collected, the consequences of further processing, and the existence of appropriate safeguards.
The Act also specifies the lawful bases for processing personal data. Under the law, processing is lawful in the following instances:
- On the basis of consent by the data subject, which must be freely and intentionally given by affirmative confirmation, either in writing, orally or through electronic means;
- For the performance of a contract to which the data subject is a party;
- For compliance with a legal obligation to which the data controller or data processor is subject;
- To protect the vital interest of the data subject or another person;
- For the performance of a task carried out in the public interest or in the exercise of official authority;
- For the purpose of legitimate interests pursued by the data controller or data processor or another third party.
Data Privacy Impact Assessment (DPIA)
If a Data Privacy Impact Assessment (DPIA) reveals that data processing is likely to pose a high risk to the rights and freedoms of data subjects, even after applying relevant safeguards, the Act requires the Data Controller to consult the Commission before proceeding with the processing.
Data Subject Rights under the NDPA, 2023
Under the Nigeria Data Protection Act, 2023, individuals (data subjects) have the following rights concerning their personal data:
- Right of Access and Information: Data subjects have the right to obtain, without constraint, information about the collection and use of their data, including the purpose, legal basis, recipients, and storage duration. They can also request access to, correction or deletion of, and restriction of processing of their personal data, and they have the right to lodge a complaint with the NDPC.
- Right to Object to Processing: Data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation, including for direct marketing.
- Right to Data Portability: Data subjects can request their personal data in a structured, commonly used, and machine-readable format, and may have it transferred to another data controller.
- Right to Withdraw Consent: Where processing is based on consent, data subjects can withdraw their consent at any time without affecting the lawfulness of prior processing.
- Right Not to Be Subject to Automated Decision-Making: Data subjects have the right not to be subjected to decisions based solely on automated processing (including profiling) that significantly affects them, unless specific safeguards are in place.
Obligations of the Data Controller and Data Processor
When a Data Controller or Data Processor engages another processor, they must ensure that the engaged processor:
- Complies with all relevant principles and obligations under the Act.
- Assists in fulfilling data subject rights (e.g., access, erasure, correction).
- Implements technical and organisational measures to protect the integrity and confidentiality of personal data.
- Provides information necessary to demonstrate compliance with the Act.
- Notifies the engaging party before appointing another sub-processor.
These obligations must be documented in a written agreement between the parties.
Children’s Rights
The NDPA Implementation Framework establishes that a child is any person below the age of thirteen (13) years. It mandates Data Controllers or Processors whose processing activity targets children to present their privacy policies in a child-friendly form, so that children and their guardians clearly understand the nature of the data processing activities before granting consent. On matters relating to Children’s Rights, Section 31 of the Act states that where a data subject is a child or a person lacking the legal capacity to consent, a data controller shall obtain the consent of the parent or legal guardian, as applicable. The Act also mandates Data Controllers to apply appropriate mechanisms to verify age and consent, as the case may be.
Cross-Border Transfer of Personal Data
Under the Nigeria Data Protection Act (NDPA) 2023, moving personal data outside Nigeria is tightly regulated to ensure that individuals’ information remains secure, regardless of where it is processed.
A data controller or processor may only transfer personal data to another country if that destination offers an adequate level of protection. Adequacy can be achieved through:
- A data protection law in the receiving country that mirrors the NDPA’s standards,
- Binding corporate rules,
- Contractual clauses,
- Approved codes of conduct, or
- Recognized certification mechanisms.
How Adequacy Is Determined
The NDPA considers protection “adequate” when it aligns closely with the principles of personal data processing under the Act. Factors assessed include:
- The presence of enforceable data subject rights and mechanisms for administrative or judicial redress,
- Agreements between the Nigeria Data Protection Commission (NDPC) and a competent authority in the destination country,
- Safeguards around public authority access to data,
- An effective and enforceable data protection law,
- An independent supervisory authority with sufficient powers, and
- The country’s participation in relevant international commitments or regional organizations.
Obligations on Data Controllers and Processors
Organizations must document the legal basis for any cross-border transfer and confirm the adequacy of protection in the recipient country. The NDPC can issue regulations to impose additional restrictions for certain categories of personal data, especially where the nature of the data or associated risks require heightened safeguards.
NDPC’s Role in Cross-Border Transfers
The Commission may:
- Declare specific countries, regions, or sectors as having adequate protection,
- Approve standard contractual clauses, binding corporate rules, codes of conduct, or certification mechanisms, provided they meet the required standards.
When Adequacy Is Not Met
If the destination country does not provide adequate protection, transfers are only permitted when:
- The data subject has given informed consent after being told about the risks,
- The transfer is necessary for a contract with the data subject,
- The transfer benefits the data subject directly,
- It is required for the public interest or legal claims, or
- It is needed to protect the data subject’s vital interests.
Data Breach Notification Requirements
Under the Nigeria Data Protection Act (NDPA) 2023, both data controllers and processors have defined responsibilities when a personal data breach occurs.
Processor’s Obligation
If a data processor becomes aware of a breach involving the processing or storage of personal data, it must promptly notify the data controller (or the processor that engaged its services). This notice should describe:
- The nature of the breach,
- The categories of data subjects affected, and
- The approximate number of personal data records involved.
Controller’s Obligation
Once aware of a breach, the data controller must notify the Nigeria Data Protection Commission (NDPC) within 72 hours. The notification should detail:
- The nature of the breach,
- The categories and number of affected data subjects, and
- The number of personal data records involved.
Notifying Data Subjects
If the breach poses a high risk to the rights and freedoms of individuals, the controller must immediately inform the affected data subjects in plain, clear language, including advice on measures they can take to reduce possible harm.
Where direct notification would require disproportionate effort, is overly expensive, or is otherwise not feasible, the controller may issue a public notice through widely used media channels.
Content of Breach Notifications
Every breach notification from the controller should include:
- Contact details of the controller’s designated point of contact,
- The likely consequences of the breach, and
- Actions taken or proposed to address the breach and mitigate its impact.
Record-Keeping
Both controllers and processors must maintain a record of all breaches, documenting:
- The facts surrounding the incident,
- Its effects, and
- The remedial measures taken.
Enforcement
Once the Commission completes an investigation (either triggered by a complaint or initiated on its own under Section 46), and it is satisfied that a data controller or processor has violated the law, it has the authority to take enforcement action.
What the Commission Can Do
The Commission may:
- Issue an enforcement order — legally binding instructions to correct the violation.
- Impose sanctions — financial or non-financial penalties to deter and remedy non-compliance.
It must also notify:
- The data controller or processor involved, and
- The data subject (if a complaint was filed) about the outcome of the investigation.
Offenses and Penalties for Non-Compliance:
1) For major data controllers/processors:
- ₦10 million or 2% of annual revenue, whichever is higher.
2) Any data controller or data processor who fails to comply with orders issued under Section 47 of this Act commits an offence and, upon conviction, is liable to:
a) a fine of up to:
- the higher maximum amount, if classified as a data controller or processor of major importance; or
- the standard maximum amount, if not classified as such; or
b) imprisonment for a term not exceeding one year, or both fine and imprisonment.
How Ardent Privacy Helps
Ardent Privacy offers end-to-end solutions that help organizations comply with the Nigeria Data Protection Act 2023. With Ardent’s TurtleShield platform, businesses can perform automated Data Privacy Impact Assessments (DPIAs), manage consent intelligently, and monitor cross-border data flows to ensure compliance. Ardent also provides real-time risk visibility and audit trails, enabling organizations to detect unlawful processing, validate consent mechanisms, and securely handle sensitive data such as biometrics, all in one centralized platform.