Skip to main content

Nigeria Data Protection Act 2023

Nigeria's Data Protection Act 2023 is the country's first primary data protection statute, establishing the NDPC as regulator and granting GDPR-style rights. It requires lawful bases, security measures, breach notification, and DPOs for major entities.

Jurisdiction
Nigeria

The Nigeria Data Protection Act 2023 (NDPA) is Nigeria's first primary legislation dedicated to data protection. It was signed into law on June 12, 2023, replacing the earlier Nigeria Data Protection Regulation 2019, which was a subsidiary instrument. The Act establishes the Nigeria Data Protection Commission (NDPC) as the regulator, giving statutory footing to data protection in Africa's most populous country. The NDPA draws on the GDPR and other modern frameworks.

The Act regulates the processing of personal data by data controllers and data processors and provides individuals, called data subjects, with enforceable rights.

Who It Applies To

The NDPA applies to data controllers and processors domiciled, resident, or operating in Nigeria, and to those outside Nigeria that process the personal data of data subjects in Nigeria. It covers processing by automated and certain non-automated means. The Act exempts processing carried out solely for personal or household purposes and certain activities related to national security, subject to safeguards.

Key Requirements

Processing must rely on a lawful basis such as consent, contract, legal obligation, vital interests, public interest, or legitimate interests, and must follow principles of fairness, lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and security. Data subjects have rights to be informed, to access, to rectification, to erasure, to restrict or object to processing, to data portability, and to not be subject to certain automated decisions. Controllers and processors must implement appropriate technical and organizational security measures and report personal data breaches to the NDPC within 72 hours where feasible, and to affected data subjects where there is high risk. Data controllers and processors of major importance must register with the NDPC and appoint a Data Protection Officer. Cross-border transfers require an adequate level of protection or other lawful grounds.

Penalties for Non-Compliance

The NDPC can investigate and impose remedies. For a data controller or processor of major importance, penalties can reach the greater of NGN 10 million or 2 percent of annual gross revenue in the preceding year. For others, the maximum is the greater of NGN 2 million or 2 percent of annual gross revenue. The Commission can also order compensation and corrective measures.

How to Comply

Identify a lawful basis for each processing activity and follow the data protection principles. Publish privacy notices and build processes for the full set of data subject rights. Implement appropriate security measures and a 72-hour breach notification process. If you are a controller or processor of major importance, register with the NDPC and appoint a Data Protection Officer. Review cross-border transfers and rely on adequacy or another lawful ground.