The primary legislation that regulates data protection and privacy matters in Nigeria is the Nigeria Data Protection Act 2023 (“NDPA”), which, amongst other things, established the Nigeria Data Protection Commission (“NDPC”) as the data protection authority in Nigeria.  The NDPA saved and did not repeal the Nigeria Data Protection Regulation 2019 (“NDPR”) and the NDPR Implementation Framework 2020 (“Implementation Framework”), which, thereafter, became the subsidiary regulations of the NDPA. 

On 20th March 2025, the NDPC issued the NDPA General Application and Implementation Directive, 2025 (“GAID”) to guide the interpretation and enforcement of the NDPA. Article 3(3) of the GAID states that, upon its issuance, the NDPR and its 2020 Implementation Framework would no longer be applied by the NDPC. The GAID, which became effective on 19th September 2025, has now replaced the NDPR and the Implementation Framework.

There has been a remarkable increase in the enforcement of the provisions of the NDPA and the subsidiary legislation that relate to data protection governance in Nigeria recently.  Notable enforcement actions in the Nigerian data protection and data privacy space include the N555.8 million fine imposed on Fidelity Bank Plc, a US$32.8 million remediation fee imposed on Meta Platforms / WhatsApp LLC, and a N250 million fine on Nairtime Nigeria Limited by the NDPC. Presently, we are aware that the NDPC is investigating TikTok LLC and TrueCaller for alleged data privacy violations, amongst others.

Additionally, we should mention that in recent times, the Nigerian courts have made judicial pronouncements on privacy matters brought before them by data subjects to enforce their privacy rights. For instance, in 2024, in Olatokun v Polaris (Suit No. LD/17392MFHR/2024), the court awarded the sum of N1,000,000.00 (One Million Naira) against Polaris Bank Limited as damages for refusing the right of objection of the plaintiff.  On 18th February 2025, the Federal High Court, Abuja, in Chukwunwuike Akosa Araka v Ecart Internet Services Nigeria Limited and Anor (Suit No. FHC/ABJ/CS/195/2024), awarded N3,000,000.00 (Three Million Naira) against the defendants for sending unsolicited messages to the Appellant, among other violations.
 

Personal Data: 

The NDPA defines personal data as any information relating to an individual, who
can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.

Sensitive personal data: 

Sensitive personal data is defined as: any personal data relating to an individual’s: 

a.    genetic and biometric data, to uniquely identify a natural person,
b.    race or ethnic origin,
c.    religious or similar beliefs, such as those reflecting conscience or philosophy,
d.    health status,
e.    sex life,
f.    political opinions or affiliations,
g.    trade union memberships, or

To protect personal data, the NDPA requires data controllers and processors to implement appropriate technical and organisational measures. These measures are itemised below as follows:

a.    pseudonymisation or other methods of de-identification of personal data; 
b.    encryption of personal data; 
c.    processes to ensure security, integrity, confidentiality, availability, and resilience of processing systems and services; 
d.    processes to restore availability of and access to personal data in a timely manner, in the event of a physical or technical incident; 
e.    periodic assessments of risks to processing systems and services, including where the processing involves the transmission of data over an electronic communications network; 
f.    regular testing, assessing, and evaluation of the effectiveness of the measures implemented against current and evolving risks identified; and 
g.    regular updating of the measures and introduction of new measures to address shortcomings in effectiveness and accommodate evolving risks. 

In addition, the NDPA requires every organisation that collects and processes the personal data of residents of Nigeria to carry out a yearly data protection audit of its privacy and data protection practices. Paragraph 2(d) of Schedule 2 of the GAID requires data controllers and data processors to indicate in the audit compliance return questionnaire if they are compliant with these security standards:

a.    ISO 27000 series
b.    National Institute of Standards and Technology Special Publications (NIST SP) 800- series
c.    NIST Cyber Security Framework CSF.
d.    Center for Internet Security (CIS) Critical Security Controls
e.    COBIT
f.    Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
g.    The organisation is also on the National Data Protection Adequacy Programme Whitelist.

By virtue of section 2 of the NDPA, the privacy obligations set out in the NDPA will apply to: 

a.    a data controller or data processor domiciled in, resident in, or operating in Nigeria;
b.    a data controller or data processor not domiciled in, resident in, or operating in Nigeria, but is processing data of data subjects in Nigeria: or
c.    the data processing that does not relate to (a) and (b) above, but such processing activity occurs within Nigeria. 

This means that any data controller and processor who processes personal data in Nigeria or personal data of any person in Nigeria, whether in Nigeria or outside Nigeria, will be required to comply with the provisions of the NDPA and the subsidiary legislation.

Processing:

Data Processing is defined under the NDPA as “any operation or set of operations which is
performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction and does not include the mere transit of data originating outside
Nigeria”.

The NDPA stipulates the principles of personal data processing. It provides that data controllers or data processors shall ensure that personal data is:
 
a.    processed in a fair, lawful and transparent manner;
b.    collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes; 
c.    adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed; 
d.    retained for no longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed; 
e.    accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and 
f.    processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.

The GAID reiterates the data protection principles in the NDPA and, in its explanatory notes (Schedule 1 of the GAID), underscores that these principles serve as the foundational safeguards of privacy. It emphasises that a data controller’s or processor’s respect for data subjects is evidenced by the technical and organisational measures adopted to implement these principles, particularly through a “privacy by design and by default” approach focused on minimising data risks and maximising control. 

The NDPC regulates the processing of personal data by mandating data controllers and data processors to comply with the principles of data protection stated above.  The NDPC has established various mechanisms to ensure that there is an effective oversight of the processing activities of data controllers and data processors. These measures include:

Data Protection Audits: The NDPA requires every organisation that collects and processes the personal data of residents of Nigeria to carry out a yearly data protection audit of its privacy and data protection practices. The audit should be carried out by a licensed data protection compliance officer (“DPCO”).  The DPCO must also prepare a Compliance Audit Report (“CAR”) based on its findings during the audit.  Every MDP-UHL and MDP-EHL is required to file a CAR with the NDPC, through the DPCO, on or before 31 March of the following year. 

Registration as Data Controllers and Data Processors of Major Importance (DCPMI): The NDPA requires every DCPMI to register with the NDPC as either a Major Data Processing-Ultra High Level (MDP-UHL) or Major Data Processing-Extra High Level (MDP-EHL) or Major Data Processing-Ordinary High Level (MDP-OHL). 

The NDPC defined these classes of DCPMIs as follows:

(i)      MDP UHL: Entities that process the personal data of more than 5,000 data subjects within a six-month period. This includes, regardless of sector, commercial banks, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, oil and gas companies, public social media application developers and proprietors, public email application developers and proprietors, communication device manufacturers, and payment gateway service providers.

(ii)     MDP EHL: Entities that process the personal data of more than 1,000 data subjects within a six-month period. This includes ministries, departments, government agencies, microfinance banks, higher institutions such as universities, polytechnics, colleges of education, hospitals providing tertiary or secondary medical services, and mortgage banks.

(iii)     MDP OHL: Entities that process the personal data of more than 200 data subjects within a six-month period. This includes primary and secondary schools, primary health centres, agents, contractors, and vendors who engage with data subjects as third-party data processors on behalf of other organisations or entities.

Notification of personal data breach: Where a personal data breach has occurred with respect to personal data being processed, and such breach is likely to result in a risk to the rights and freedoms of individuals, a data controller is required to notify the NDPC within 72 hours of becoming aware of its occurrence. Where possible, the notification should describe the nature of the personal data breach, including the categories and approximate numbers of data subjects and personal data records concerned. This obligation is imposed on data controllers by virtue of Section 40 of the NDPA.

Filing of a data protection impact assessment with the NDPC:  the NDPA requires a data controller to carry out a Data Privacy Impact Assessment (“DPIA”) where the processing of personal data may likely result in a high risk to the rights and freedoms of a data subject by its nature, scope, context, and purposes. A data controller must file the report of the DPIA with the NDPC before the processing the personal data. A DPIA comprises:

•    a systematic description of the envisaged processing and its purpose, including the legitimate interest pursued by the data controller, data processor, or third party

•    an assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed ;

•    an assessment of the risks to the rights and freedoms of a data subject ; and

•    the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of a data subject and other persons concerned. 

Furthermore, a DPIA shall be required to be filed with the NDPC in circumstances that involve  a proposed cross-border transfer of personal data, the deployment of automated decision-making processes, or processing activities connected to certain sectors such as health, e-commerce, or hospitality. A detailed analysis of the DPIA requirements is provided in our response to Question 20 below.

Appointment of a data protection officer: Section 32 of the NDPA requires every DCPMI to appoint a data protection officer (“DPO”) with expert knowledge of data protection law and practices to advise the data controller, data processor, and their employees on their responsibilities under the NDPA and subsidiary legislations. 

The NDPA does not stipulate any specific retention period for storing personal data.  Data controllers and data processors are expected to retain or store personal data for as long as is necessary to fulfil the purpose for which it was collected.  However, Article 49(3) of the GAID provides that in circumstances where personal data is to be kept for a defined period and no limitation period is provided by law, the processing must end not later than six (6) calendar months after the original purpose of the processing was completed.

The NDPA recognises several enforceable rights of data subjects whose personal data is collected or processed by data controllers or processors. These rights are central to ensuring data processing, transparency, accountability, and fairness. These rights include:

a.    Right to Access 
A data subject has the right to confirm whether their personal data is being processed and obtain information about it. The information to be obtained includes the purpose of processing, categories of data involved, recipients of the data, and the applicable retention period, among other things.

b.    Right to Rectification 
Data subjects can request that inaccurate or incomplete personal data be corrected or updated without undue delay.

c.    Right to Erasure 
In certain circumstances, individuals may request the deletion of their personal data, particularly where the data is no longer necessary or required, consent is withdrawn, the processing is unlawful, or personal data is being processed for direct marketing, among other reasons.

d.    Right to Restrict Processing 
Data subjects may request that the processing of their personal data be restricted pending the resolution of a request or objection raised under the NDPA, or to establish, exercise, or defend legal claims.

e.    Right to Data Portability 
Data subjects are entitled to receive their personal data in a structured, commonly used, and machine-readable format and may request that such data be transferred to another data controller, where technically feasible.

f.    Right to Object to Processing 
Individuals have the right to object to the processing of their personal data at any time unless the data controller demonstrates public interest or other legitimate grounds that override the data subject's fundamental rights, freedoms, and the interests of the data subject.  The right to object to direct marketing is absolute.

g.    Right Not to Be Subject to Automated Decision-Making 
A data subject has the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects, unless certain conditions are met.

h.    Right to Lodge a Complaint
Data subjects may lodge complaints with the NDPC if they believe their rights under the NDPA have been infringed upon.

Section 65 of the NDPA defines consent as any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or an affirmative action, of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the permission to provide such consent.  For consent to be valid,

a.    It must be freely given, 
b.    It must be informed, 
c.    It must be specific, and 
d.    It must be unambiguous. 

A data controller has the obligation to prove that a data subject's consent was obtained (section 26(1) NDPA).  In determining whether consent was freely or intentionally given, account shall be taken of whether the performance of the contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.  Silence or inactivity of the data subject does not constitute consent. In addition, a request for consent must be made in clear and straightforward language and in an accessible format.   

One of the principles of processing personal data is that personal data must be processed lawfully. Personal data can only be lawfully processed if the data controller processes the personal data relying on any one of the following lawful bases:

a.    the data subject has given and not withdrawn consent for the specific purpose or purposes for which personal data is to be processed.

b.    the processing is necessary- 

i.    for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract, 
ii.    for compliance with a legal obligation to which the data controller or data processor is subject, 
iii.    to protect the vital interest of the data subject or another person, 
iv.    for the performance of a task carried out in the public interest or the exercise of official authority vested in the data controller or data processor; or
v.    for a legitimate interest pursued by the data controller or data processor or by a third party to whom the data is disclosed.

Furthermore, the personal data processed based on any of the lawful bases should be processed only for the purpose for which such lawful authorisation was obtained. Where the personal data is to be processed for another purpose that is not compatible with the original purpose, the data controller must seek fresh authorisation from the data subject.

Sections 41 and 43 of the NDPA govern the cross-border transfer of personal data from Nigeria to other countries.  Section 41 of the NDPA specifically provides that an entity shall not transfer or permit personal data to be transferred from Nigeria to another country unless: 

a.    the recipient of the personal data is subject to a law, binding corporate rules (“BCR”), standard contractual clauses (“SCC”), code of conduct (“CC”), or certification mechanisms (“CM”) (collectively referred to as Cross Border Data Transfer Instrument (“CBDT”) that afford an adequate level of protection as the NDPA; or 
b.    one of the conditions set out in section 43 of the NDPA applies (“Other Lawful Bases of Transfer”) 

Section 43 of the NDPA (titled Other Lawful Bases of Transfer) further provides that an organisation may transfer personal data outside Nigeria to a jurisdiction that does not have adequate data protection as required under section 41 of the NDPA, where the:   

a.    individual has provided and not withdrawn their consent to such transfer after having been informed of the possible risks of such transfers for the individual due to the absence of adequate data protection; 
b.    transfer is necessary for the performance of a contract to which the individual is a party or to take steps at the request of the individual before entering into a contract;  
c.    transfer is for the sole benefit of an individual and: (i) it is not reasonably practicable to obtain the consent of the individual to that transfer; and (ii) if it were reasonably practicable to obtain such consent, the individual would likely provide it; 
d.    transfer is necessary for important reasons of public interest;  
e.    transfer is necessary for the exercise or defence of legal claims; or  
f.    transfer is necessary to protect the vital interests of the data subject or other persons whose data subject is physically or legally incapable of giving consent. 
  
Paragraphs 1 to 6 of Schedule 5 of the GAID clarify that unless the NDPC has designated the country of the recipient as having adequate data protection laws, the entity making the transfer should adopt any of the CBDT measures, depending on the processing activities.  Specifically, paragraph 6 of Schedule 5 of the GAID provides that an entity may only rely on Other Lawful Bases of Transfer set out in section 43 if jural or fiduciary obligations cover the circumstances.  A transfer is jural when founded on the data controller or processor's compelling legal right or duty.  The GAID states that a compelling legal right differs from a business interest.  
  
As of the date of this publication, the NDPC has yet to designate any country as having adequate data protection. 
   
In addition, section 41(2)(3) of the NDPA mandates that data controllers or data processors undertaking cross-border transfer should conduct an adequacy assessment of the recipient country and notify the NDPC about the result of the assessment before undertaking cross-border data transfer (“Adequacy Data Protection Assessment”). Section 42 of the NDPA and Article 45 (2) provide factors to be considered when conducting an Adequacy Protection Assessment.  The factors are summarised below: 
 
a.    availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law;  
b.    existence of any appropriate instrument between the NDPC and a competent authority in the recipient jurisdiction that ensures adequate data protection;  
c.    access of a public authority to personal data;  
d.    existence of an effective data protection law;  
e.    existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers; and 
f.    international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations. 
 
Schedule 5 of the GAID also lays out more elaborate factors to consider when conducting an Adequate Data Protection Assessment. 
 
We should mention that the combined provisions of sections 41(3) of the NDPA and Schedule 5(b) of the GAID require data controllers and data processors to seek NDPC approval before adopting any of the CBDT.  The NDPC has not issued any CBDT template or model that data controllers and data processors transferring personal data outside Nigeria could use.  From our experience, data controllers and data processors often draft a template SCC or BCR and submit it to the NDPC for review and approval.  

The NDPA does not expressly define “incidents”. It, however, defines a “personal data breach” as a breach of security of a data controller or data processor that leads to or is likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Yes, under Section 40 of the NDPA, where a personal data breach has occurred with respect to personal data being processed by the data processor, the data processor, upon becoming aware of the breach, is required, to notify the data controller and respond to all the information requests from the data controller or data processor that engaged it, as they may need to comply with their obligations under the NDPA.  On the other hand, a data controller is obligated to notify the NDPC within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. Where possible, the notification should describe the nature of the personal data breach, including the categories and approximate numbers of data subjects and personal data records concerned.

Also, under Section 40(3) of the NDPA, where the personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller shall immediately communicate the personal data breach to the data subject in plain and unambiguous language, including advice about the measures the data subject could take to mitigate effectively the possible adverse effects of the data breach.  Where direct communication to the data subject involves disproportionate effort or expense or is otherwise not feasible, in that case, the data controller may instead communicate publicly in one or more widely used media sources so that the data subject is likely to be informed. 

The content of the data breach notification to the NDPC shall contain the following:

(a)    a description of the circumstances of the loss or unauthorised access or disclosure; 
(b)    the date or period during which the loss or unauthorised access or disclosure occurred; 
(c)    a description of the personal information involved in the loss or unauthorised access or disclosure; 
(d)    an assessment of the risk of harm to individuals as a result of the loss or unauthorised access or disclosure; 
(e)    an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorised access, or disclosure; 
(f)    a description of steps the organisation has taken to reduce the risk of harm to individuals; 
(g)    a description of any steps the organisation has taken to notify individuals of the loss or unauthorised access or disclosure; and 
(h)    the name and contact information of a person who can answer on behalf of the organisation, the NDPC’s questions regarding the loss of unauthorised access or disclosure of personal data.

The NDPC is the principal data privacy regulator in Nigeria.  Where the data privacy issue has consumer protection and competition implications, the Federal Competition and Consumer Protection Commission (FCCPC) has been involved in investigations of data controllers.  This recently resulted in a fine imposed on Meta by the FCCPC in July 2024, in the sum of US$220million on account of violation of data protection and privacy requirements particularly in relation to Meta’s WhatsApp data-sharing modalities in relation to Nigerian users. 

Depending on the relevant sector within which the data processor operates, other regulators such as the Nigerian Communications Commission and the Central Bank of Nigeria may also issue guidelines that have an impact on data privacy regulation.

A data breach could result in a fine, increased compliance obligations, reputation damage, and data subjects' enforcement of rights. Regarding penalty, where a data controller or processor contravenes the provisions of the NDPA, the NDPC has the power to issue compliance orders against such data processors or data controllers that violate or are likely to violate the provisions of the NDPA under section 47 of the NDPA. Such compliance orders include: 

a.    warnings that certain acts are likely to be a violation of one or more provisions of the NDPA; 
b.    a requirement that the data controller or data processor comply with the NDPA (including complying with the requests of a data subject); and 
c.    cease and desist orders requiring the data controller or data processor to stop or refrain from doing an act, which is in violation of the NDPA. 

Section 48 of the NDPA provides that if the NDPC, after completing an investigation, is satisfied that a data controller or data processor has violated any provision of the NDPA or subsidiary regulations, the NDPC may make any appropriate enforcement orders, including orders: 

a.    requiring the data controller or data processor to remedy the violation; 
b.    ordering the data controller or data processor to pay compensation; 
c.    ordering the data controller or data processor to account for the profits it realises from the violation of the NDPA; and 
d.    ordering the data controller or data processor to pay a penalty or remedial fee. 

In addition, the NDPC may issue a monetary penalty stipulated under the NDPA depending on whether the data controller or processor in breach of the provisions of the NDPA is deemed to be a DCPMI or not. If the data controller or data processor is deemed to be a DCPMI, it may be subject to the payment of a fine of up to N10,000,000 (ten million Naira) or 2% of its annual gross revenue from the preceding financial year, whichever is greater between the two penalties. Where the data controller or processor is not deemed to be a DCPMI, it may be subject to a fine of N2,000,000 (two million Naira) or 2% of its annual gross revenue from the preceding financial year, whichever is greater between the two penalties. 

A data controller or data processor who fails to comply with the orders commits an offence and is liable, on conviction, to a fine of up to the maximum amount for a data controller or data processor of major importance (DCPMI) or the standard maximum amount for the data controller or processor, not DCPMI. The data controller or data processor may also be imprisoned for a term not more than 1 year or both fine and imprisonment.

The NDPA regulates direct marketing activities in Nigeria using any available means. Section 36(3) of the NDPA provides that where personal data is processed for direct marketing purposes, including profiling related to such marketing, the data subject has the right to object at any time to such processing. This means that while data controllers may engage in direct marketing, they are legally required to cease all related activities once an objection is raised. The right to object to direct marketing is absolute, and must be respected without conditions, delay, or the need for justification by the data subject.

Yes, several sectors in Nigeria are subject to industry-specific privacy requirements.

In the banking and financial sector, the CBN, through several regulations such as its Consumer Protection Framework, 2019 and the CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks, 2024, the CBN Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions, 2022, impose obligations on financial institutions to safeguard customer data and implement strict information security controls.
In the telecommunications sector, the Nigerian Communications Commission (NCC) Consumer Code of Practice Regulations, 2007, and other relevant provisions require telecom operators to protect the confidentiality of subscriber information and ensure data is not disclosed without consent or lawful authority.

In the healthcare sector, the National Health Act, 2014, mandates the confidentiality of personal health information and restricts disclosure except where authorised by law or patient consent. These sectoral frameworks operate alongside the NDPA and may impose additional or more specific data protection obligations based on the sensitivity of the data handled.

The NDPA did not provide any specific requirement except that the DPO must have expert knowledge in data protection law.  Section 32 of the NDPA requires DCPMI to appoint a DPO with expert knowledge of data protection law and practices to advise the data controller, data processor, and their employees on their responsibilities under the NDPA and subsidiary legislation.  For effective oversight of data protection regulation, the GAID under Article 11 requires data controllers and data processors to publish their DPO's contact details and communicate them to the NDPC.  

Section 14 of the GAID requires the NDPC to create a database of certified DPOs and conduct Annual Credential Assessment (“ACA”) of the DPOs to ensure that each DPO maintains a high level of professionalism required to carry out his or her responsibilities towards safeguarding the rights and interests of data subjects as required under the NDPA, relevant case laws and any regulatory instruments issued by the NDPC. The metrics for DPO assessment include:

a.    Confirmation that the issuing body is an educational body approved or accredited by a competent regulator of educational services
b.    Confirmation that the training leading to the award of the certificate is up to 40 hours
c.    Confirmation that an examination was conducted as a condition precedent to the award of the certificate.
d.    Confirmation that the DPO is enrolled in the database of the NDPC
e.    Cumulative Score for Continuous Professional Development (CPD) Yearly (At least active participation in 4 different progammes recognised by the NDPC).  

Section 24 (3) of the NDPA requires the data controllers and processors to “demonstrate accountability” for the principles of data protection contained in the NDPA. One way they can demonstrate accountability is by documenting their processing activities. This means they are required to document their compliance with the principles of data protection as contained in the NDPA at all times.  More specifically, data controllers and data processors are required to do the following:

a.    To maintain a record of processing activities
b.    To maintain a record of data breaches
c.    To keep a record of consent obtained
d.    To maintain a record of data protection audits conducted and filed
e.    To keep a record of data protection impact assessments carried out and filed
f.    To maintain a record of internal semi-annual data protection reports
g.    To schedule training on privacy and monitor the data security system

Where the processing of personal data may likely result in a high risk to the rights and freedoms of a data subject by its nature, scope, context, and purposes, a data controller shall, prior to the processing, carry out a DPIA.  A data controller should consult the NDPC prior to the processing of personal data if, notwithstanding the measures envisaged, the DPIA indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject.  While the NDPA, does not require DPIA to be filed with the NDPC, the GAID requires a DPIA to be vetted by a certified DPO duly accredited by the NDPC and the outcome filed with the NDPC as part of CAR.  Instances where NDPA and subsidiary legislations require DPIA to be conducted are listed below:

a.    Evaluation or scoring (profiling);
b.    Automated decision-making with legal or similar significant effect;
c.    Systematic monitoring;
d.    When sensitive or highly personal data is involved;
e.    When personal data processing relates to vulnerable or disabled data subject;
f.    When considering the deployment of innovative processes or the application of new technological or organisational solutions;
g.    Evaluation or scoring (profiling); 
h.    Automated decision-making with legal or similar significant effects; 
i.    Systematic monitoring; 
j.    When sensitive or highly personal data is involved; 
k.    When personal data processing relates to vulnerable data subjects; 
l.    When considering the deployment of innovative processes or applications, of new technological or organisational solutions which may pose a significant risk to the privacy of data subjects; 
m.    Development of software for the purposes of enabling communication with data subjects; 
n.    Financial services involving the processing of personal data through digital devices; 
o.    Health care services; 
p.    E-commerce services; 
q.    Deployment of emerging technologies such as artificial intelligence
r.    Deployment of surveillance cameras in places that may be accessed by members of the public; 
s.    Development and implementation of any legal instrument or policy that requires the processing of personal data of members of the general public; 
t.    Educational services involving the processing of various records relating to students or pupils; 
u.    Hospitality services; 
v.    Cross-border data transfer; and
w.    Introduction of new technologies, new processing techniques, or directives mandating the processing of personal data on a large scale.
 
In addition to the above, the NDPA can direct a data controller or processor to carry out a DPIA for any proposed data processing activity.

Section 29 of the NDPA requires a data controller and a data processor to enter into a data processing agreement (DPA) where the services of a third-party data processor or sub-processor are engaged.  In this regard, the NDPA further requires the data controller to ensure that the data processor that it has engaged: 

a.    complies with the principles and obligations set out in the NDPA as applicable to the data controller; 

b.    assists the data controller or data processor, by the use of appropriate technical and organisational measures, in the fulfilment of the data controller’s obligations to respect the rights of data subjects; 

c.    implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data as required under the NDPA;

d.    provides the data controller or engaging data processor, where applicable, with information reasonably required to comply and demonstrate compliance with the NDPA; 

e.    notifies the data controller or engaging data processor, where applicable, when a new data processor is engaged; and 

f.    ensure that the measures stated in (a) - (d) above are included in a written agreement between the data controller and the data processor.

Furthermore, Article 34 (2) of the GAID sets out the minimum provisions that must be included in a DPA:

a.    Obligations of the data controller and data processor under Section 29 of the NDPA;
b.    name of parties;
c.    addresses of parties;
d.    recitals containing reference to any principal agreement or service level agreement;
e.    purpose of data processing;
f.    location of data processing (taking into account the provisions of the NDPA on cross-border data transfer);
g.    scope of the processing;
h.    lawful bases of data processing;
i.    responsibilities of parties under the DPA;
j.    technical and organisational measures for data protection (if highly technical or scientific, it should be expressly outlined in a schedule to the DPA);
k.    the outcome of a DPIA where relevant;
l.    potential risks;
m.    NDPA compliance (evidence of registration with the NDPC should be ascertained);
n.    confidentiality terms;
o.    tenure;
p.    specific restrictions;
q.    indemnity;
r.    insurance;
s.    force majeure; and
t.    dispute resolution

In addition, section 29(1)(d) of the NDPA requires the data processor (third party) to provide the data controller with information reasonably required to comply and demonstrate compliance with the NDPA.  Also, Article 34 of the GAID provides that a party to any data processing agreement, other than an individual data subject, shall take reasonable measures to ensure that the other party complies with the NDPA.

This means that a data controller must conduct vendor diligence to ensure that the data processor complies with the provisions of the NDPA before contracting with such a third party.

Please see our response in Question (15) above.

The NDPA requires every organisation that collects and processes the personal data of residents of Nigeria to carry out a yearly data protection audit of its privacy and data protection practices. The audit should be carried out by a licensed DPCO.  The DPCO is also required to prepare a CAR based on its findings during the audit.  Every MDP-UHL and MDP-EHL is required to file their CAR with the NDPC on or before 31 March each year, also through their DPCO.

Yes. As we mentioned above, the NDPC issued the GAID on 20th March 2025 to implement the provisions of the NDPA. The GAID, in its Article 3(3), states that from the effective date of the GAID on 19 September 2025, the NDPC will stop applying the NDPR and the Implementation Framework 2020 as legal instruments for regulating data privacy and data protection in Nigeria.