19 November 2025

Understanding the Nigeria Data Protection Act, 2023 (NDPA)

On 12th June 2023, Nigeria enacted the Nigeria Data Protection Act, 2023 (NDPA). This comprehensive legislation aims to safeguard the fundamental rights of data subjects and sets requirements for businesses, especially those processing personal data of Nigerian citizens.

The Nigeria Data Protection Act (NDPA) replaces NDPR and aims to safeguard the fundamental rights and freedoms of individuals in Nigeria. It creates a dedicated supervisory authority and establishes a robust framework for personal data protection in Nigeria.

This guide breaks down the key elements of Nigeria’s data privacy law, user rights, business obligations, and compliance steps under Nigeria’s data protection framework.

What is the Nigeria Data Protection Act, 2023 (NDPA)?

The Nigeria Data Protection Act, 2023 (NDPA) is the country’s first comprehensive data protection law that protects the personal data of individuals in Nigeria and regulates the collection, use, storage, and processing of personal data by public and private entities.

The legislation gives individuals greater control over their Personal Information and establishes a clear compliance framework for organizations handling personal data.

Effective date: June 12, 2023.

Before the NDPA, Nigeria relied on the Nigerian Data Protection Regulations, 2019 (NDPR), which lacked clarity.

The Nigeria Data Protection Act (NDPA) replaces NDPR and establishes a robust framework for personal data protection in Nigeria. It provides clear definitions, rights, and obligations for businesses, finally aligning Nigeria’s data privacy legislation with global data protection standards.

The NDPA also creates a dedicated supervisory authority, the Nigeria Data Protection Commission (NDPC), that oversees compliance and enforcement.

Why the NDPA Matters?

There was a practical need for this law, for both businesses and individuals. Digital services are booming across Nigeria. Banks, fintech platforms, e-commerce stores, and government portals collect and process personal data at a massive scale.

Individuals are concerned about their privacy and how their Personal Information is used. Without comprehensive legislation, trust fades fast, and individuals don’t want to share their data. Before the law took effect, this meant safety issues for individuals, as well as missed opportunities for businesses due to decreased user trust and a lack of consented data. The NDPA changes that.

The Nigeria Data Protection Act 2023 has the following benefits:

  • It protects the personal data of individuals in Nigeria.
  • It forces organizations to handle information responsibly.
  • It promotes best data processing practices that safeguard the security of personal data and the privacy of data subjects.
  • It helps Nigeria achieve a competitive advantage globally, especially when dealing with companies that require strong privacy safeguards before sharing data.

Scope of the NDPA: Who Must Comply with the NDPA?

The Nigeria Data Protection Act, 2023, applies to any entity that:

  • Is based or operating in Nigeria;
  • Performs data processing in Nigeria; or
  • Processes personal data of data subjects in Nigeria.

Note that the NDPA has extraterritorial reach: even if your business is based outside Nigeria, the law applies to you if you collect or process personal data of Nigerians.

In particular, the legislation applies to:

  • Banks and fintech companies
  • Telecommunication operators
  • Government agencies
  • NGOs and schools
  • Healthcare providers
  • Online platforms serving Nigerian users
  • Startups and SMEs handling customer data.

The law has some exemptions, including data collection for personal use or for national security.

Core Principles of Data Processing Under the NDPA

Data controllers and processors are responsible for adhering to the core principles of data processing under the Act, including:

  • Lawfulness, fairness, and transparency
    Data processing must be fair, lawful, and transparent. Dark patterns, forced consent, or other hidden activities are not allowed.
  • Purpose limitation
    Organizations must collect data only for specific, explicit, and legitimate purposes. Don’t use personal data for purposes other than specified at the time of collection.
  • Data minimization
    Data controllers must collect only the minimum adequate and relevant information necessary for the stated purposes, that is, what is needed to deliver the product or service.
  • Storage limitation
    Data controllers must not retain personal data longer than necessary for its intended purpose.
  • Accuracy
    Data must be accurate, complete, non-misleading, and updated when necessary.
  • Security
    Data controllers must protect data with appropriate technical and organizational measures against unauthorized access, destruction, or breaches. Implement robust organizational and technical means to ensure data availability, confidentiality, and integrity.
  • Accountability
    Data controllers must prove compliance, not just claim it.

Use these core principles for responsible data handling and compliance with the law.

Data Subjects Rights in Nigeria

Individuals in Nigeria have legally protected rights over their personal data, including:

  • Right to information about data processing
    Businesses must inform data subjects about their data processing before processing any data, including the purpose of collection or processing, recipients, third parties with whom the data is shared, and other relevant details.
  • Right to access
    Individuals have the right to access their personal data. Businesses must provide a copy in a commonly used electronic format.
  • Right to rectification
    Individuals have the right to request the rectification of inaccurate or outdated data.
  • Right to deletion
    Data subjects have the right to request deletion of data when it is no longer needed or if consent is withdrawn. Businesses must delete data without undue delay.
  • Right to restrict processing
    Individuals have the right to oppose processing in certain situations, especially when it’s based on legitimate interest. Individuals have the right to oppose processing of sensitive data or processing used for direct marketing.
  • Rights related to automated decision-making
    Individuals are protected against decisions based solely on automated processing, especially when such decisions significantly impact their rights or freedoms.
  • Right to data portability
    Individuals have the right to transfer their data to another service provider.
  • Right to withdraw consent
    Individuals may withdraw consent at any time and as easily as it was given.

Duties and Obligations of Data Controllers and Processors

Data controllers and processors have the following responsibilities under the NDPA:

  1. Follow the data protection principles
    Data controllers must adhere to the key principles of data processing under the law. They must be fair, lawful, and transparent in data processing, collect data only for specific, legitimate business needs, limit data collection to the minimum necessary for fulfilling the purpose of collection, not retain personal data longer than necessary, and comply with the other principles.
  2. Choose a legal basis for data processing
    Data controllers must have a valid legal basis before handling personal data. Beyond consent, there are other legal bases; follow the rules tied to each one. Don’t forget to document the legal basis.
  3. Obtain and record valid consent
    If you process data based on consent (the most common case), obtain consent lawfully and meet all legal requirements for valid consent. Keep consent logs for proof of compliance.
  4. Provide up-to-date privacy policies
    Data controllers must create transparent privacy policies and regularly update them. The Privacy Policy must be easily accessible to data subjects. Maintain up-to-date privacy notices.
  5. Implement security safeguards
    Data controllers must adopt adequate technical and organizational measures to secure personal data from data loss, damage, or breach.
  6. Report data breaches to the NDPC
    In the event of a data breach, data controllers must notify the national authority in accordance with established procedures.
  7. Conduct Data Protection Impact Assessments (DPIAs)
    Conduct DPIAs when processing sensitive personal data, children’s data, and other high-risk processing.
  8. Keep detailed records of data processing activities
    Complying with the Act is not enough. Data controllers must be able to demonstrate that they meet the requirements of the NDPA.
  9. Respect data subject rights
    Recognize data subject rights, provide convenient methods to exercise data subject privacy rights, and fulfil data subject requests within the time specified by the law.
  10. Enter into a contractual relationship
    Ensure that you have written contracts (Data Processing Agreements) with data processors. Make sure contracts include proper data protection safeguards.
  11. Process sensitive data lawfully
    Obtain explicit consent or specific grounds to handle sensitive data and use strict safeguards to protect it from misuse, loss, or breach.
  12. Protect children’s data
    Obtain parental/guardian consent for children under 18 years of age and treat their data with special care, with the same safety standards as sensitive data. To handle children’s data lawfully, data controllers need to implement measures for age verification purposes.
  13. Appoint a Data Protection Officer (DPO)
    In some instances, especially for large-scale or sensitive data processing, appoint a DPO.
  14. Respect rules for cross-border data transfers
    Transfers of personal data outside the country are strictly regulated. Transfer personal data abroad only if the receiving country ensures an adequate level of data protection. Controllers must demonstrate that the receiving country ensures adequate data protection or obtain special authorization where required.
  15. Register if you’re a controller/processor of major importance
    If you meet NDPC’s thresholds or fall into designated sectors, you must register as a controller or processor of major importance. NDPA sets additional requirements for a controller/processor of major importance, such as a mandatory DPO, and you must pay the applicable fees.

Controller/processor of major importance under NDPA

An organization is classified as a controller or processor of major importance if it reaches any of the following thresholds:

  • Processes personal data of more than 200 data subjects in 6 months;
  • Carries out ICT services;
  • Belongs to sectors like finance, communications, health, oil and gas, etc.; or
  • Is under a fiduciary relationship with the data subject and is expected to maintain confidentiality.

Read more about the NDPC guidance on organizations of major importance. 

Appointment of Data Protection Officers (DPOs)

Unlike other data protection laws, the appointment of Data Protection Officers (DPOs) is not mandatory for all businesses processing personal data of individuals in Nigeria. Only data controllers of major importance must appoint a DPO.

The DPO may be an employee of the data controller or engaged by a service contract.

Among the functions of the DPO are advising data controllers or processors, and their employees, monitoring compliance with the Act and other related policies, and acting as a contact point for the Commission on issues relating to data processing.

The Data Protection Officer in Nigeria has the following rights and obligations:

  • DPOs should advise the data controller or the data processor about the data processing requirements and security safeguards.
  • DPOs shall monitor compliance with the NDPA and the data controller's or data processor's related policies.
  • DPOs should act as the contact point for the Commission on issues relating to data processing.

Legal Basis for Data Processing Under the NDPA

Like the GDPR, the NDPA requires businesses to have a valid legal basis for processing personal data.

Personal data could be processed only if the processing is carried out based on any of the following legal bases:

  • Consent
    Businesses can process personal data legally if data subjects have given specific consent for the said processing activities. When individuals withdraw consent, businesses must stop data processing immediately.
  • Performance of a contract
    Businesses can process personal data legally if they need to process data for fulfilling a contract with the data subject or to implement pre-contractual steps requested by data subjects.
  • Legal obligation
    Businesses can process personal data legally if it is necessary to comply with a legal obligation imposed on the controller or processor.
  • Vital interests
    Businesses can process personal data legally if data processing is crucial to protect the vital interests of the data subject or another individual (e.g., medical emergencies).
  • Public interest
    Businesses can process personal data legally if data processing serves the public interest or is essential to exercising a task under official authority.
  • Legitimate interests
    Businesses can process personal data legally if data processing is for the legitimate interests pursued by the controller, processor, or a third party, unless these interests are overridden by the data subject's fundamental rights, freedoms, and interests, are incompatible with other lawful bases, or are outside the data subject's reasonable expectation of processing.

Choosing the right basis isn’t optional; it’s a regulated legal requirement. Businesses must document the legal basis and follow the rules tied to each one.

Consent Requirements under the NDPA

The Nigeria Data Protection Act, 2023 requires data controllers to obtain data subjects’ explicit consent before processing any personal data.

Consent must be explicit, freely given, specific, informed, and unambiguous.

  • Explicit: Data subjects should take an affirmative action or provide a written or spoken statement allowing the data processing. If the individual does not interact with the Cookie Banner, continues scrolling, or takes no action, it does not mean that they give consent to collect their data.
  • Freely given: Data subjects should provide consent freely, without any pressure or coercion. Don’t use text on a cookie notice that encourages giving consent.
  • Specific: Data controllers may process personal data only for the purposes specified when consent was obtained. Data processing beyond those agreed-upon purposes is not allowed.
  • Informed: Data controllers must request consent in clear and simple language and in an accessible format. Using dark patterns or other misleading behavior to obtain consent is not allowed. Consent is not valid if obtained without proper information.
  • Unambiguous: Data subjects should provide either a statement or a clear affirmative act to allow processing of their data.

When the legal basis for data processing is solely based on consent, the data subject must be informed of their right to withdraw consent before consent is granted. However, withdrawing consent will not affect data processing conducted prior to the withdrawal.

Consent requirements for children and people lacking legal capacity

Data controllers must obtain consent from parents or legal guardians when processing personal data of children under 18 years of age or individuals lacking legal capacity. To do this, businesses must implement appropriate age and consent-verification mechanisms using appropriate technologies.

When consent is obtained from children or individuals lacking legal capacity, data controllers must treat their personal data with special care, with the same safety standards as sensitive data.

However, parental/guardian consent is not required when data processing is vital for safeguarding the individual's interests, necessary for providing social services, healthcare, or education under professional confidentiality, while maintaining anonymity. Consent is also not required for court proceedings involving children or individuals lacking legal capacity.

There are specific guidelines for handling the personal data of children aged 13 and above who request online services or information.

Cross-Border Data Transfers: What the NDPA Allows and Restricts

Digital services are growing rapidly across Nigeria. There are many international banks, fintech companies, e-commerce stores, and other digital businesses based in Nigeria that collect personal data and need to send it abroad. Thus, cross-border data flow is inevitable.

What are the requirements for international data transfers in Nigeria?

The Nigeria Data Protection Act 2023 allows transferring personal data of Nigerian individuals abroad if:

  • The destination country provides adequate data protection.
  • The organization uses appropriate safeguards, such as standard contractual clauses.
  • The data subjects provided explicit consent for cross-border data transfers.
  • Cross-border data transfers are needed to safeguard vital interests of data subjects.

These cross-border data transfer rules align with international best practices and help ensure the safety of Nigerian individuals’ data in the country and abroad.

Enforcement of the NDPA: Role of the Nigeria Data Protection Commission

The Nigeria Data Protection Commission (NDPC) is the enforcement authority of the Act.

The NDPC has the following powers and responsibilities:

  • The NDPC enforces compliance by issuing warnings and corrective orders.
  • The NDPC issues regulations, guidelines, and decisions.
  • The NDPC investigates complaints and performs audits.
  • The NDPC can impose administrative fines.
  • The NDPC approves cross-border transfer mechanisms.
  • The NDPC can suspend processing activities of data controllers.
  • The NDPC informs the public about the NDPA and its updates.

Penalties for non-compliance under the Nigeria Data Protection Act 2023

There are two main levels of fines, based on the size and importance of the data controller.

  1. Data controllers or processors of major importance 
    Fines may reach up to ₦10 million (~€6,000) or 2% of businesses’ annual gross revenue (whichever is higher).
  2. Other organizations
    Fines may reach up to ₦2 million (~€600) or 2% of businesses’ annual gross revenue (whichever is higher).

Failure to comply with NDPC orders may also lead to imprisonment of up to one year.

Individuals can also claim civil damages for harm caused by violations and ask for compensation.

Organizations can also face vicarious liability for employees or agents.

Data Breach Notification Requirements

The Nigeria Data Protection Act 2023 sets responsibilities for both data controllers and processors in the event of a personal data breach.

Controller’s Obligations

Once aware of a data breach, the data controller must notify the Nigerian Data Protection Commission within 72 hours.

The breach notification notice must include:

  • The nature of the breach.
  • The categories and number of affected data subjects.
  • The approximate number of personal data records involved.

 

Processor’s Obligations

If a data processor becomes aware of a breach involving the processing or storage of personal data, it must promptly notify the data controller.

The breach notification notice must include:

  • The nature of the breach.
  • The categories of data subjects affected.
  • The approximate number of personal data records involved.

 

Notifying Data Subjects

If the breach poses a high risk to the rights and freedoms of individuals, the data controller must immediately inform the affected data subjects. When notifying, controllers must use plain and clear language and include advice on measures individuals can take to reduce possible harm.

Where direct notification would require disproportionate effort, is overly expensive, or is otherwise not feasible, the controller may issue a public notice through widely used media channels.

 

Breach Notification Message

Every breach notification should include:

  • Contact details of the person responsible for issues related to data breach, designated by the controller.
  • The likely consequences of the breach.
  • Actions taken to mitigate the breach impact.

 

Record Keeping of Data Breaches

Both controllers and processors must maintain a record of all breaches. They must document:

  • How did the incident happen?
  • What were the effects of the data breach?
  • The remedial measures taken.
  • Who was informed?

GDPR vs Nigeria NDPA

The Nigerian law shares many GDPR-inspired principles, such as safeguards of data, sensitive personal data and children’s data protection, lawful basis of processing, consent requirements, breach reporting timeline (72 hours in both cases), and similar data subject rights.

However, NDPA also has some differences. The main differences include:

  1. Regulatory maturity & influence
    GDPR is a global benchmark for data protection that entered into force on May 25, 2018.
    NDPA is a younger law (effective date: June 12, 2023), designed to modernize Nigeria’s digital economy.
  2. Structure of supervisory authority
    Under the GDPR, each EU member state has a Data Protection Authority (DPA), while the European Data Protection Board (EDPB) ensures consistency across the EU.
    The NDPA is centralized under a single regulator: the Nigeria Data Protection Commission (NDPC).
  3. Penalties
    Fines for non-compliance are much heavier under the GDPR and could reach up to €20 million or 4% of global annual turnover, whichever is higher.
    Fines for non-compliance with the NDPA are also significant but generally lower and are scaled based on the severity of the violation and the size and type of the organization.
  4. Cross-border data transfers
    GDPR requires adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs), and is very strict on third-country transfers.
    NDPA allows cross-border transfers if the destination country offers adequate data protection, businesses implement safeguards (similar to SCCs), or under specific exceptions (e.g., explicit consent). Nigeria has no published adequacy list yet, so organizations rely more heavily on contractual safeguards.
  5. Data Protection Officer (DPO)
    GDPR requires the appointment of a DPO by public authorities, during large-scale monitoring, or large-scale processing of sensitive data.
    NDPA also mandates DPOs, but the NDPC has more flexibility in interpreting when a DPO is required. Many Nigerian organizations appoint a DPO to ensure compliance, even when it is not strictly mandatory.

Compliance Requirements for Nigerian and International Businesses

For businesses operating in or targeting Nigerian individuals, NDPA compliance isn’t a recommendation. It’s a strict legal requirement. Non-compliance with the NDPA could lead to severe penalties.

Every business should consider these practical steps to achieve NDPA compliance in 2025 and beyond:

  1. Map your data
    Identify what data you collect, process, and store, and why.
  2. Ensure data accuracy and relevance
    All data must be accurate and relevant for the purposes collected.
  3. Provide a clear Privacy Policy
    Publish and regularly update a clear Privacy Policy.
  4. Identify your legal bases
    Data processing needs legal bases. Get one before any processing.
  5. Obtain and document consent
    Obtain explicit, informed consent from data subjects. Be transparent about the purpose of data collection and respect data subject rights. Record consent logs for proof of compliance.
  6. Appoint a DPO when required
  7. Conduct DPIAs for high-risk data processing.
  8. Implement security measures
    Implement robust technical (encryption, access controls), organizational (policies, training), and procedural (incident response) security measures to protect data.
  9. Train employees
    Train employees in data subject rights, data protection practices, and internal processes for requests and data breaches.
  10. Prepare for data breaches
    Prepare a breach-response plan covering how to notify the NDPC and consumers, and how to communicate and remediate data breaches.
  11. Maintain a data processing register
    Keep records of all data processing activities and reasons for them.
  12. Review third-party vendors
    Ensure you have contracts with third-party vendors describing the data handling practices required by the NDPA.
  13. Conduct annual data security audits
    Conduct internal audits of compliance, documentation of decisions, and regular risk assessments.
  14. Register if you’re a controller/processor of major importance
    If you meet NDPC’s thresholds or fall into designated sectors, you must register as a controller or processor of major importance. 
  15. Implement a CMP
    A Consent Management Platform (CMP) is used to deliver cookie notices and inform individuals about their data collection, obtain and store Cookie Consent, create a Privacy Policy, and respect user consent choices.

 

In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform. 

The platform is also recognized as a Google-certified CMP in the Gold tier, highlighting its compliance with privacy and the latest consent management requirements.

 

CookieScript CMP has the following features:

  • Integrations with CMS platforms like WooCommerce, WordPress, Shopify, Joomla, etc.
  • Cookie banner customization
  • Google Consent Mode v2 integration
  • IAB TCF v2.2 integration
  • Google Tag Manager integration
  • Certification by Google
  • CookieScript API
  • Cookie Scanner
  • Consent recordings
  • Third-party cookie blocking
  • Geo-targeting 
  • Local storage and session storage scanning
  • Self-hosted code 
  • Cookie banner sharing 
  • Cross-domain cookie consent sharing 

 

CookieScript CMP delivers the right balance of compliance, affordability, and ease of use. You’ll get a fully compliant consent management tool for as little as €8 per month per domain for basic features or €19 per month per domain for full compliance.

Frequently Asked Questions

Does Nigeria have a data protection law?

Yes. The Nigeria Data Protection Act 2023 (effective date: June 12, 2023) regulates the collection, use, storage, and processing of personal data by public and private entities. The Act provides individuals with data subject rights and sets data protection principles, transparency, and consent requirements for businesses. Use CookieScript CMP to comply with the NDPA.

What are penalties for non-compliance under the Nigeria Data Protection Act 2023?

There are two main levels of fines, based on the size and importance of the data controller. Data controllers or processors of major importance may be fined up to ₦10 million (~€6,000) or 2% of businesses’ annual gross revenue (whichever is higher). Other organizations may receive fines up to ₦2 million (~€600) or 2% of their annual gross revenue (whichever is higher). Use CookieScript CMP to comply with the NDPA and avoid penalties.

What are the Cookie Consent requirements under Nigeria’s Data Protection Act 2023?

The Nigeria Data Protection Act, 2023 requires data controllers to obtain data subjects’ explicit consent before processing any personal data. Consent must be explicit, freely given, specific, informed, and unambiguous. Use CookieScript CMP to deliver a Cookie Banner, obtain valid consent, and comply with the NDPA.

Does Nigeria’s NDPA require appointing a Data Protection Officer?

NDPA mandates DPOs for data controllers or processors of major importance, but the Nigerian authority, NDPC, has more flexibility in interpreting when a DPO is required. Many Nigerian organizations appoint a DPO to ensure compliance, even when it is not strictly mandatory.

What are the requirements for international data transfers in Nigeria?

The Nigeria Data Protection Act 2023 allows the transfer of personal data of Nigerian individuals abroad if the destination country provides adequate data protection, the organization uses appropriate safeguards, the data subjects provided explicit consent for cross-border data transfers, or cross-border data transfers are needed to safeguard vital interests of data subjects. Use CookieScript CMP to deliver a Cookie Banner, obtain valid consent, and comply with the NDPA.

What is the controller or processor of major importance under Nigeria’s NDPA?

An organization is classified as a controller or processor of major importance if it reaches any of the following thresholds: processes personal data of more than 200 data subjects in 6 months, carries out ICT services, belongs to sectors like finance, communications, health, oil and gas, etc., or is under a fiduciary relationship with the data subject and is expected to maintain confidentiality. Read more about the NDPC guidance on organizations of major importance.

How to comply with the Nigeria Data Protection Act, 2023?

To ensure NDPA compliance, follow these practical steps: map your data, provide a clear privacy policy, identify your legal bases, obtain and document consent, conduct DPIAs, implement security measures, train employees, and implement a Consent Management Platform (CMP) like CookieScript CMP to deliver cookie banners, create cookie notices, and obtain and store Cookie Consent.

 