
Nigeria Data Protection Act (NDPA) 2023: Guide for Businesses in 2025

By Safna October 28, 2025


The Nigeria Data Protection Act (NDPA) 2023 is Nigeria’s main data privacy law. It tells any organisation that handles personal data (names, email addresses, phone numbers, device IDs, and so on) how to collect, use, share, and protect that data. The law has been in force since June 12, 2023, and it is enforced by the Nigeria Data Protection Commission (NDPC). This guide explains the essentials in simple terms:

  • To whom the law applies
  • What counts as personal data, valid consent and an adequate privacy notice
  • What the core obligations, data subject rights, and penalties are; and
  • How the NDPA compares with the GDPR.

Law text: Nigeria Data Protection Act 2023

Effective date: June 12, 2023

Enforcement authority: Nigeria Data Protection Commission

What is the Nigeria Data Protection Act 2023?

The NDPA is Nigeria’s comprehensive data protection law, replacing the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework.

In their place, the NDPC has issued the General Application and Implementation Directive (GAID) 2025 to guide organisations on how to comply with the new law.

The GAID has been in effect since September 2025.

The Nigeria Data Protection Act protects individuals’ personal data, sets rules for how organisations process that data, and creates the Nigeria Data Protection Commission (NDPC) to enforce the law. 

It also singles out sensitive personal data and prescribes stricter conditions for processing it. Like major global privacy laws such as the GDPR, Nigeria’s privacy law also sets a breach notification deadline, regulates cross-border data transfers, and prescribes penalties for non-compliance.

At a high level, the Act’s goals are to safeguard privacy rights, require fair and lawful processing, ensure data security and accountability, and enable Nigeria’s digital economy to thrive through trusted data use. 

Who needs to comply with the Nigeria Data Protection Act?

The Nigeria Data Protection Act 2023 applies to any processing of personal data, automated or not, if:

  • Your organisation is domiciled, resident, or operating in Nigeria;
  • The data processing occurs in Nigeria; or
  • Your organisation is outside Nigeria but processes personal data of data subjects in Nigeria.

The Nigeria privacy law also carves out limited exemptions, for example, purely household activities and national security.

Checklist: Nigeria Data Protection Act (NDPA)

  • Map what you collect, why, where it flows, and who you share it with.
  • Pick a lawful basis for each purpose of processing and document it.
  • Provide an accessible, easy-to-understand privacy policy.
  • Where you rely on consent, make sure it is informed, specific, freely given, and unambiguous, and keep a record of it.
  • Sign a data processing agreement with every data processor.
  • Run impact assessments for high-risk processing; consult the NDPC if a high risk remains.
  • Apply technical and organisational security measures proportionate to the data you hold.
  • Report qualifying data breaches to the NDPC within 72 hours.
  • Honour data subject rights without undue delay.
  • Transfer data outside Nigeria only where adequate protection is in place.
  • Appoint a DPO and register with the NDPC where required.

Personal data under the Data Protection Act in Nigeria

Under the NDPA 2023, personal data refers to any information that can identify an individual, either directly or indirectly.

This includes details that clearly identify a person or, when combined with other data, make them identifiable. 

Examples include name or identification number, location data, online identifiers like IP address, etc.

Sensitive personal data

Nigeria’s NDPA also creates a special category of personal data called sensitive personal data. Processing these kinds of data requires stricter grounds.

It includes the following personal data:

  • Biometric and genetic data
  • Race or ethnic origin
  • Religious or philosophical beliefs
  • Health status
  • Sex life
  • Political opinions or affiliations
  • Trade union membership; and
  • Other categories the NDPC may prescribe.

Consent requirements under the Nigeria Data Protection Act (NDPA 2023)

Similar to GDPR, consent is one of the six lawful bases of processing personal data in Nigeria. Users may give it in written, oral, or electronic form.

Organisations relying on consent must be able to prove that it fulfils all the requirements of a valid consent under the law. 

According to the NDPA, consent must be:

  • Freely given
  • Specific to each purpose
  • Informed
  • Unambiguous; and
  • Affirmative

The request for consent should be in clear and simple language.

For example, a website seeking consent to use cookies should provide a concise and easy-to-understand cookie banner:

[Image: example of an opt-in cookie banner created using CookieYes]

Pre-checked boxes, silence, scrolling or other inactivity do not count as consent, and dark patterns that nudge users towards consenting are not permitted.

You must also inform individuals that they can withdraw consent anytime, and that the withdrawal shouldn’t affect past lawful processing. 

For children’s data, organisations must obtain parental consent or the consent of their guardian, unless any exemptions apply.


Other lawful bases of processing are:

  • Contractual necessity
  • Legal compliance
  • Vital interest
  • Public interest
  • Legitimate interest

What are the privacy policy requirements under the Nigerian Data Protection Act?

Before collecting personal data, the NDPA requires organisations to tell individuals how their data will be used.

This can be achieved by providing an accessible privacy policy, containing the following information:

  • Name, address and contact details of the organisation
  • Lawful basis of data processing
  • Purposes of data collection
  • Recipients of data
  • Data‑subject rights
  • Retention period
  • Right to complain to the NDPC
  • Any automated decision‑making (including profiling) and how to object/challenge it.

Your privacy policy must be clear, concise, transparent, intelligible, and easily accessible. 


Business obligations under Nigeria Data Protection Act 2023

#1 Follow the data protection principles

Any personal data processing activities must be carried out in compliance with the following principles:

  • Process personal data fairly, lawfully, and transparently (Lawfulness, fairness and transparency).
  • Collect data only for specific, legitimate purposes and do not reuse it for unrelated purposes (Purpose limitation).
  • Limit data collection to the minimum necessary for the purpose of collection (Data minimisation).
  • Keep the information accurate and up to date (Accuracy).
  • Store personal data only as long as it is needed, then delete or anonymise it (Storage limitation).
  • Use appropriate technical and organisational safeguards against leaks, loss, or misuse (Security).
  • You owe data subjects a duty of care. Keep records, policies, and proof that you follow these principles (Accountability).

#2 Choose a lawful basis and document it

Before starting to process personal data, have a legal basis for processing.

Beyond consent, you may rely on contract, legal obligation, vital interests, public interest/official authority, or legitimate interests (where appropriate). Document your reasoning for the basis you choose.

#3 Obtain and record valid consent

If you process data based on consent, ensure it’s obtained lawfully and meets all legal requirements for valid consent.

You should also document your compliance by maintaining records such as consent logs.

#4 Provide a compliant privacy policy

Ensure your privacy policy covers all key information, in plain language and accessible formats.

#5 Data subject rights

Provide convenient methods for data subjects to exercise their privacy rights, and fulfil such requests without undue delay.

#6 Conduct Data Privacy Impact Assessments (DPIAs) for high‑risk processing

Run an impact assessment before carrying out data processing activities that may involve high risk to the rights and freedoms of individuals.

Consult NDPC if high risk remains.

#7 Manage processors with contracts and oversight

Ensure that you enter into written contracts (Data Processing Agreements) when engaging data processors.

The agreement should legally bind them to comply with the law, support data‑subject rights, implement security, provide information for compliance, and notify you before engaging sub‑processors.

#8 Handle sensitive data lawfully

Process sensitive personal data only with explicit consent or specific grounds such as employment/social security, vital interests, non‑profit context with safeguards, legal claims, substantial public interest by law, medical care, public health, or research under strict safeguards.

#9 Protect children’s data

Obtain parental/guardian consent for children under 18 years of age or those persons incapable of giving consent.

For this, you also need to implement measures for age verification purposes.

#10 Appoint a Data Protection Officer (DPO)

Data controllers and processors of major importance must designate a DPO with expert knowledge of data protection to advise the organisation, monitor compliance, and liaise with the NDPC on matters relating to data processing.

#11 Secure personal data

Implement appropriate technical and organisational measures. This includes encryption, resilience, backups, testing, risk assessments, etc, that are proportionate to the sensitivity and scale of the data you handle.

#12 Breach notifications

Notify the NDPC within 72 hours of becoming aware of any breach that is likely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk, also notify the affected individuals immediately, with clear instructions on what they should do.

Furthermore, keep a breach register containing information regarding the data breach, causes, and remedies.

#13 Cross‑border transfers

You can only transfer personal data outside Nigeria if the destination country or the organisation receiving the data provides an adequate level of protection. It must be similar to what the NDPA guarantees inside Nigeria. 

Adequate protection can be demonstrated through:

  • A national data protection law in the recipient country,
  • Binding corporate rules for multinational companies,
  • Standard contractual clauses or codes of conduct, or
  • An approved certification mechanism ensuring NDPA-level safeguards.

If the receiving country doesn’t meet NDPA standards, the law still allows data transfers in specific cases, such as:

  • The individual gives explicit consent, after being informed of the possible risks;
  • The transfer is necessary to perform or prepare a contract with the individual.
  • It’s in the public interest, vital interest, or needed for legal claims; or
  • It directly benefits the data subject when obtaining consent isn’t practical.

In all cases, organisations must record the reason for the transfer and be able to prove compliance if asked by the NDPC.

#14 Register if you’re a controller/processor of major importance

If you meet NDPC’s thresholds or fall into designated sectors, you must register and pay the applicable fees.

You are an organisation of major importance if you keep personal data in a filing system and you:

  • Process the personal data of more than 200 data subjects within six months;
  • Provide ICT services;
  • Operate in a designated sector such as finance, communications, health, or oil and gas; or
  • Hold a fiduciary relationship with data subjects and are expected to maintain confidentiality.

For more: NDPC guidance on organisations of major importance 

What are the rights of data subjects?

Data subjects have the right to:

  • Be informed about data processing
  • Access their data and get a copy in a commonly used electronic format.
  • Rectification of inaccurate or outdated data.
  • Erasure without undue delay where no longer needed or no lawful basis exists.
  • Restriction of processing in specified situations.
  • Withdraw consent at any time, as easily as it was given.
  • Object to processing, including a strong right to object to direct marketing.
  • Protection from decisions based solely on automated processing, with rights to human review, express a view, and contest decisions.
  • Data portability to be established by NDPC regulations; conceptually includes receiving data in a structured, machine‑readable format and transmitting it to another controller.

What are the penalties under the Nigeria Data Protection Act?

The NDPC can issue compliance and enforcement orders, require remediation, order compensation to affected individuals and the disgorgement of profits, and impose penalties.

The law sets two levels of penalty, depending on how significant the organisation is:

  • Data controllers or processors of major importance:
    • The greater of ₦10 million or 2% of annual gross revenue for the preceding financial year.
  • Other organisations:
    • The greater of ₦2 million or 2% of annual gross revenue for the preceding financial year.

Failure to comply with NDPC orders may also attract imprisonment of up to one year. The NDPC FAQs reiterate these thresholds for quick reference. 

Individuals can also claim civil damages for harm suffered due to violations. Organisations can face vicarious liability for employees/agents.


GDPR vs Nigeria NDPA

Effective date
  GDPR: May 25, 2018
  NDPA: June 12, 2023

Scope
  GDPR: Organisations established in the EU/EEA; non-EU organisations offering goods or services to EU residents or monitoring their behaviour
  NDPA: Organisations domiciled, resident, or operating in Nigeria; data processing within Nigeria; organisations outside Nigeria processing personal data of data subjects in Nigeria

Sensitive personal data
  GDPR: Special protections
  NDPA: Special protections

Lawful bases of processing
  GDPR: Consent, contract, legal obligation, legitimate interest, vital interest, public task
  NDPA: Consent, contract, legal obligation, legitimate interest, vital interest, public interest/official authority

Consent
  GDPR: Freely given, informed, specific and unambiguous opt-in consent
  NDPA: Freely given, informed, specific and unambiguous opt-in consent

Dark patterns
  GDPR: Explicitly prohibited
  NDPA: Explicitly prohibited

Privacy notice
  GDPR: Required
  NDPA: Required

Breach reporting timeline
  GDPR: 72 hours
  NDPA: 72 hours

Data subject rights
  GDPR: Right to be informed; right of access; right to rectification; right to object to processing; right to restrict processing; right to data portability; right to be forgotten; right not to be subject to automated decision-making
  NDPA: Right to be informed; right of access; right to portability; right to correction; right to erasure; right to restriction; right to withdraw consent; right to object; rights related to automated decision-making; right to lodge a complaint with the NDPC

Enforcement authority
  GDPR: National supervisory authorities
  NDPA: Nigeria Data Protection Commission

Fines
  GDPR: Up to €20 million or 4% of global annual turnover, whichever is higher
  NDPA: The greater of ₦10 million or 2% of annual gross revenue for controllers/processors of major importance; the greater of ₦2 million or 2% of annual gross revenue for other organisations

FAQ on Nigeria Data Protection Act 2023

Does Nigeria have a data protection law?

Yes. The Nigeria Data Protection Act 2023 regulates the data processing activities in the country. Key aspects of the law include data protection principles, impact assessments, consent management, transparency requirements, data processing agreements and more. The law is enforced by the Nigeria Data Protection Commission (NDPC).

What are the cookie consent requirements under Nigeria’s Data Protection Act (NDPA 2023)?

Under Article 19 of the NDPC’s General Application and Implementation Directive (GAID), websites and apps must obtain opt-in consent before using cookies or similar tracking tools, except for essential cookies.

Key requirements are:

  • Tracking tools that work like cookies (pixels, local storage identifiers, SDKs) are subject to the same rules.
  • Consent is required for all cookies except necessary cookies that enable core functions such as security, stability, or accessibility.
  • Consent must be freely given, informed, and specific (no pre-ticked boxes or implied consent).
  • The cookie banner must be clear and visible when users arrive on the site; they should not need to scroll to see it.
  • The banner must explain which cookies are used and why, who deploys them, and how users can withdraw consent.
  • Necessary cookies can operate without consent provided they do not handle sensitive, financial, or private data.
  • All other cookies require users to explicitly accept or reject them.
  • Users must be given granular control over each category of cookie.
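The consent-logging obligation (#3 above) and the cookie rules in this answer describe the same mechanism from two sides: nothing optional runs until the user affirmatively opts in per category, withdrawal is as easy as consenting, and every decision is recorded so the controller can prove it later. The following is an added example written for this guide, not CookieYes code and not text from the NDPA or GAID; the category names, the record fields (`userId`, `source`, `timestamp`) and the vendor labels are illustrative assumptions, and in a browser the banner buttons would call `recordDecision` and `withdraw` while every script loader checks `mayLoad` first.

```javascript
// Added example (not CookieYes code, not from the NDPA/GAID text): an opt-in
// consent gate that models the cookie rules above. Category names, the record
// shape and the userId/source fields are illustrative assumptions.

// Necessary cookies (security, session, accessibility) need no consent; every
// other category stays off until the user makes an explicit per-category choice.
const COOKIE_CATEGORIES = {
  necessary: { required: true, purpose: "security, session and accessibility", deployedBy: "first party" },
  analytics: { required: false, purpose: "usage measurement", deployedBy: "example analytics vendor" },
  marketing: { required: false, purpose: "advertising and tracking", deployedBy: "example ad network" },
};

class ConsentManager {
  constructor(categories = COOKIE_CATEGORIES) {
    this.categories = categories;
    this.log = [];        // consent records: the evidence a controller must be able to produce
    this.current = null;  // null = no decision yet, so nothing optional may load
  }

  // Nothing is pre-ticked: only required categories are on before a decision.
  defaultDecision() {
    const d = {};
    for (const [name, meta] of Object.entries(this.categories)) d[name] = meta.required;
    return d;
  }

  // Record an affirmative, granular decision from the banner. Unknown
  // categories are an error, required ones cannot be switched off, and
  // anything not explicitly granted (boolean true) stays off: silence is not consent.
  recordDecision(choices, { userId, source, now = Date.now() }) {
    const decision = this.defaultDecision();
    for (const [name, granted] of Object.entries(choices)) {
      const meta = this.categories[name];
      if (!meta) throw new Error(`unknown cookie category: ${name}`);
      if (!meta.required) decision[name] = granted === true;
    }
    const record = { userId, source, timestamp: new Date(now).toISOString(), decision: { ...decision } };
    this.log.push(record);
    this.current = decision;
    return record;
  }

  // Withdrawal is a single call, as easy as giving consent. Earlier records
  // stay in the log, because withdrawal does not undo past lawful processing.
  withdraw(ctx) {
    return this.recordDecision({}, { ...ctx, source: "withdraw" });
  }

  // Gate for cookie/script loading: call before setting any non-essential
  // cookie or loading a tracking script. Fails closed for unknown categories.
  mayLoad(category) {
    const meta = this.categories[category];
    if (!meta) return false;
    if (meta.required) return true;
    return this.current !== null && this.current[category] === true;
  }

  // What the banner must disclose for each category: purpose, who deploys it,
  // and whether it needs consent.
  disclosure() {
    return Object.entries(this.categories).map(([name, m]) =>
      ({ name, purpose: m.purpose, deployedBy: m.deployedBy, requiresConsent: !m.required }));
  }

  // Consent history for one data subject, for an audit or an NDPC request.
  history(userId) {
    return this.log.filter((r) => r.userId === userId);
  }
}

// Constructed usage: the user accepts analytics only, then withdraws.
const cm = new ConsentManager();
cm.recordDecision({ analytics: true }, { userId: "subject-1", source: "banner" });
console.log(cm.mayLoad("analytics"), cm.mayLoad("marketing"));        // true false
cm.withdraw({ userId: "subject-1" });
console.log(cm.mayLoad("analytics"), cm.history("subject-1").length); // false 2
```

The design choice worth copying is that `current` starts as `null` rather than an all-false object: the loader can distinguish "user has not seen the banner yet" from "user rejected", and in both states nothing optional loads. The log is append-only so the earlier grant survives the withdrawal, which is what lets you show that processing between the two timestamps was lawful.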


Safna

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, zest, and an ongoing soft spot for Christmas movies.
