The Nigeria Data Protection Act 2023 (NDPA) marks a significant shift in how personal data is regulated in Nigeria. Unlike its predecessor, the Nigeria Data Protection Regulation 2019 (NDPR), the NDPA is a full Act of the National Assembly with binding force, a dedicated regulatory body, and a clearer enforcement framework. Every business that processes personal data in Nigeria needs to understand what this law requires and how to respond.
What the NDPA Covers
The NDPA regulates the collection, storage, processing, and transfer of personal data belonging to Nigerian citizens and residents. It applies to both private and public sector organisations. Crucially, it has extraterritorial reach: if you process personal data of Nigerians from outside Nigeria, the Act applies to you.
Personal data is broadly defined to include any information that identifies or can identify a living individual. This covers names, phone numbers, email addresses, biometric records, financial data, and location data, among others.
The Nigeria Data Protection Commission
The NDPA created the Nigeria Data Protection Commission (NDPC) as the sector regulator. The Commission has the power to investigate complaints, issue enforcement notices, impose administrative fines, and accredit data protection compliance organisations (DPCOs). The NDPC inherited the supervisory role previously exercised by the National Information Technology Development Agency (NITDA) under the NDPR.
Lawful Basis for Processing
The NDPA requires every act of data processing to rest on a lawful basis. The recognised lawful bases are: consent of the data subject, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests of the controller.
Data Subject Rights
The NDPA grants individuals a comprehensive set of rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object to processing.
Data Breach Notification
Organisations must notify the NDPC of a personal data breach within 72 hours of becoming aware of it.
Administrative Fines
The NDPC can impose fines of up to 2% of annual gross revenue or 10 million naira, whichever is higher.
Practical Steps
Conduct a data mapping exercise, review privacy notices, establish lawful bases, implement data subject request procedures, appoint a DPO if required, update vendor contracts, and implement a breach response plan.
This article is for general information only. Contact Marturion Legal for specific NDPA compliance guidance.