
NDPR Compliance for Nigerian Tech Companies: Complete Guide 2026

The Nigeria Data Protection Regulation is not optional. Any business that collects, processes, or stores the personal data of Nigerian citizens must comply. The penalties for non-compliance include fines of up to 2 percent of annual gross revenue. This guide covers everything Nigerian tech companies need to know about NDPR compliance in 2026.

Key Facts

| Key Point | Insight |
| --- | --- |
| Enforcement body | NITDA (National Information Technology Development Agency) enforces NDPR in Nigeria through licensed Data Protection Compliance Organisations. |
| Maximum penalty | 2 percent of annual gross revenue of the violating company or N10 million, whichever is greater, for serious breaches. |
| Registration threshold | Organisations processing the personal data of more than 1,000 data subjects per year must register with NITDA via a licensed DPCO. |
| Breach notification window | Data breaches must be reported to NITDA within 7 days of discovery. Affected individuals must also be notified in high-risk cases. |
| Data Protection Officer requirement | All organisations with more than 10 employees processing personal data must designate a Data Protection Officer. |

What Is NDPR and Who Must Comply

The Nigeria Data Protection Regulation is the primary data protection law in Nigeria. It was issued by NITDA in 2019 and has been significantly strengthened since then. The regulation governs how personal data of Nigerian citizens is collected, processed, stored, and transferred.

Who Must Comply With NDPR

Any organisation that processes the personal data of Nigerian citizens must comply with NDPR. This includes Nigerian companies, foreign companies serving Nigerian customers, government agencies, non-profits, and sole proprietors. There is no exemption for small businesses, though the compliance requirements are scaled by the volume and sensitivity of data processed.

Key Definitions Under NDPR

Personal data means any information relating to an identified or identifiable natural person. This includes names, phone numbers, email addresses, bank details, IP addresses, device IDs, and location data. Sensitive personal data includes health information, biometric data, genetic data, religious beliefs, and criminal records. Sensitive data requires higher levels of protection and explicit consent.

Data Subject Rights Under NDPR

Nigerian data subjects have specific rights under NDPR including the right to be informed about data collection, the right to access their data, the right to correction of inaccurate data, the right to deletion, the right to restrict processing, the right to data portability, and the right to object to processing. Your tech product must provide mechanisms for users to exercise each of these rights.

NDPR Compliance Requirements for Tech Companies

For Nigerian tech companies, NDPR compliance involves specific requirements that affect product design, data handling, and organisational policies.

Privacy by Design and Default

Your software product must incorporate data protection principles from the design stage. This means minimising data collection to what is necessary, implementing appropriate security measures by default, and building user consent mechanisms into the product flow. Privacy by design is not optional under NDPR.

Data Protection Impact Assessment

Tech companies processing sensitive data or engaging in systematic monitoring of data subjects must conduct a Data Protection Impact Assessment before processing begins. The DPIA documents what data you collect, why you collect it, the risks to data subjects, and the measures in place to mitigate those risks.

Data Processing Agreements

If your tech company engages third-party service providers that process personal data on your behalf, you must have a signed Data Processing Agreement with each provider. The DPA must specify the scope of processing, the obligations of the processor, security measures, and data breach notification procedures.

NDPR Registration Via DPCO

Any organisation processing the personal data of more than 1,000 data subjects in a year must register with NITDA through a licensed Data Protection Compliance Organisation. The DPCO conducts an audit, issues a compliance certificate, and files annual returns with NITDA on your behalf.

Data Breach Response Obligations

A data breach is any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Nigerian tech companies must have a breach response plan in place before a breach occurs.

Breach Notification to NITDA

Under NDPR, you must notify NITDA within 7 days of becoming aware of a data breach. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken to address it. Delayed notification increases the penalty severity.

Notification to Affected Individuals

If the breach poses a high risk to the rights and freedoms of data subjects, you must also notify each affected individual directly. The notification must describe the breach in clear language, explain the potential consequences, and outline the steps the individual can take to protect themselves.

Breach Documentation

You must document every data breach regardless of whether it requires notification. The documentation should include the facts surrounding the breach, its effects, and the remedial actions taken. NITDA may request this documentation during an audit or investigation.

NDPR Breach Notification Timeline

| Action | Deadline | Required Information |
| --- | --- | --- |
| Notify NITDA | Within 7 days | Nature of breach, categories affected, consequences, remedial measures |
| Notify affected individuals | Without undue delay | Clear description, potential impact, protective steps |
| Internal documentation | Immediately | Facts, effects, remedial actions taken |

Cost of NDPR Compliance in Nigeria

NDPR compliance costs vary based on the size of your organisation, the volume of data you process, and whether you need to engage a DPCO for the first time or for annual renewal.

Initial Compliance Costs

First-time NDPR compliance for a Nigerian tech company typically costs N250,000 to N1,500,000 depending on the complexity of your data processing activities. This covers DPCO audit and registration, development of privacy policies, data processing agreements, consent mechanisms, and staff training.

Annual Compliance Costs

Annual DPCO audit fees range from N100,000 to N500,000. The cost of maintaining a Data Protection Officer varies. Larger companies may employ a full-time DPO at N300,000 to N800,000 per month. Smaller companies can designate an existing staff member and provide NDPR training.

Cost of Non-Compliance

Non-compliance costs significantly more than compliance. Fines of up to 2 percent of annual gross revenue can run into millions of naira. Beyond fines, non-compliance damages customer trust, triggers regulatory investigations, and can prevent your company from winning contracts that require NDPR compliance certification.

Common Misconceptions About NDPR Compliance in Nigeria

Myth: NDPR only applies to large companies.

Reality: NDPR applies to any organisation that processes the personal data of Nigerian citizens. Small businesses, startups, and sole proprietors are not exempt. The compliance burden is scaled by data volume, but the legal obligation applies to every data processor.

Myth: Privacy policies on a website are enough for NDPR compliance.

Reality: A privacy policy is one part of compliance. Full compliance requires consent mechanisms, data processing agreements with third parties, DPCO registration, Data Protection Officer designation, breach response procedures, and annual audits. A privacy policy alone is insufficient.

Myth: NDPR compliance is a one-time activity.

Reality: NDPR compliance is an ongoing obligation. You must conduct annual audits, file annual returns with NITDA through your DPCO, update your policies as your data processing activities change, and maintain continuous breach monitoring and reporting readiness.

Frequently Asked Questions

Do all Nigerian businesses need to register with NITDA for NDPR compliance?

Any Nigerian business that collects, processes, or stores personal data of Nigerian citizens must comply with NDPR. The regulation applies to businesses of all sizes from sole proprietors to large enterprises. Organisations processing the personal data of more than 1,000 data subjects in a year must register with NITDA through a licensed Data Protection Compliance Organisation.

What are the penalties for NDPR non-compliance in Nigeria?

Penalties for NDPR non-compliance include fines of up to 2 percent of a company's annual gross revenue for serious breaches or up to N10 million for lesser breaches. Regulators can also order data processing to cease, require deletion of unlawfully processed data, and issue public notices of non-compliance, which damage business reputation.

What is a Data Protection Compliance Organisation (DPCO) in Nigeria?

A DPCO is a licensed organisation authorised by NITDA to audit, train, and certify businesses for NDPR compliance. Nigerian businesses must engage a DPCO to conduct annual data protection audits and file compliance returns with NITDA. DPCOs are the primary channel through which NITDA enforces the regulation.

How do I report a data breach in Nigeria?

Under NDPR, data breaches must be reported to NITDA within 7 days of discovery. The report must include the nature of the breach, the categories and number of data subjects affected, the likely consequences, and the measures taken to address it. Affected data subjects must also be notified if the breach poses a high risk to their rights and freedoms.

Does NDPR apply to foreign companies processing Nigerian data?

Yes. NDPR has extraterritorial reach. Any company anywhere in the world that processes the personal data of Nigerian citizens must comply with the regulation. This is similar to how GDPR applies to any company processing EU citizen data regardless of where the company is based.

Your Next Step: Audit Your Current Data Processing

Before you can achieve NDPR compliance, you need to know what data you collect, where it is stored, who has access to it, and how it is protected. Conduct a data audit across your entire organisation. Document every data processing activity. Identify gaps in consent, security, and documentation. Then engage a DPCO to guide you through the formal compliance process.

If you want to discuss how NDPR compliance affects your software product, book a free consultation and we will respond within 24 hours.

Need NDPR Compliance Support? Talk to SucceedHQ.

We build compliant software for Nigerian businesses. Our team understands NDPR requirements and can help you design products that meet data protection obligations from day one.
