Nigeria Data Protection Act 2023: Nigeria's Landmark Privacy Legislation
Nigeria's Data Protection Act (NDPA) 2023, signed into law in June 2023, represents a significant evolution of Nigeria's data protection landscape. Replacing the administrative NDPR (which was issued as a regulation by NITDA), the NDPA is primary legislation — a formal Act of the National Assembly — that establishes a standalone Nigeria Data Protection Commission (NDPC) with independent regulatory authority and significantly strengthened enforcement powers.
How NDPA Differs from NDPR
Legislative authority: NDPA is primary legislation with the full force of an Act of the National Assembly, whereas NDPR was an administrative regulation issued by NITDA. This gives NDPA significantly stronger legal authority and clearer regulatory standing.
New regulator — NDPC: NDPA establishes the Nigeria Data Protection Commission (NDPC) as an independent data protection authority. The NDPC has its own governance structure, funding mechanism, and enforcement powers independent of NITDA.
Enhanced enforcement powers: NDPA gives the NDPC significantly stronger enforcement tools, including higher administrative fines for violations (up to 2% of annual gross revenue or ₦10 million, whichever is higher), the ability to carry out investigation and enforcement actions independently, and the power to seek court orders for compliance.
Expanded data subject rights: NDPA expands and clarifies the rights of data subjects, bringing them closer to GDPR in scope and clarity.
Broader extraterritorial scope: NDPA explicitly applies to processing of personal data of Nigerian data subjects by organisations outside Nigeria where processing is related to offering goods or services to Nigerian residents or monitoring behaviour of Nigerian residents — mirroring GDPR's extraterritorial reach.
NDPA Compliance Requirements
Registration: Data controllers and processors of major importance (those processing large volumes or high-risk categories of data) must register with the NDPC and pay annual fees.
Data Protection Officer: Data controllers of major importance must designate a DPO responsible for ensuring compliance with NDPA requirements.
Records of Processing Activities: Organisations must maintain comprehensive records of processing activities (ROPA) documenting all processing activities, lawful bases, categories of data, retention periods, and transfer mechanisms.
Data Protection Impact Assessments: Mandatory DPIAs for high-risk processing activities — now with clearer criteria and more explicit requirements than under NDPR.
Cross-border transfer controls: Transfers of personal data outside Nigeria require adequate protection in the receiving country or approved safeguards (contractual clauses, binding corporate rules, adequacy determination by NDPC).
Breach notification: Breaches likely to result in harm to data subjects must be notified to the NDPC within 72 hours.
Annual compliance audit: The annual audit requirement carried over from NDPR is now formalised under NDPA, with the NDPC as the receiving authority.
Transitioning from NDPR to NDPA
Organisations that achieved NDPR compliance have a strong foundation for NDPA compliance but must review and update their programs:
Gap assessment: Review all NDPR-era documentation against NDPA requirements, identifying specific provisions that require updating (particularly enhanced rights procedures, transfer mechanisms, and DPO appointment obligations).
NDPC registration: Determine whether the organisation meets the 'data controller of major importance' threshold and complete NDPC registration as required.
DPO appointment: If not already done, appoint and formally designate a Data Protection Officer meeting NDPA's qualification and independence requirements.
Updated privacy notices: Review all privacy notices against NDPA's transparency requirements, which may be more specific than existing NDPR-era notices.
Enforcement preparedness: With significantly higher fines under NDPA, organisations should assess their compliance risk and prioritise closing any material gaps before NDPC enforcement activity intensifies.
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com