
Everything You Need to Know About Nigeria’s Data Protection Overhaul
The Nigeria Data Protection Act 2023 (“NDPA”) was signed into law by the president on June 12, 2023, superseding the Nigeria Data Protection Regulation 2019 (“NDPR”). This, among other policies, shows that Nigeria is making great progress in data protection law, with the Global Artificial Intelligence and Data Governance Conference (GAID) 2025 serving as a critical launchpad for these measures.
The NDPA’s goals included, among other things, regulating and promoting data processing practices that protect the security of personal data and protecting the fundamental rights, freedom, and interest of data subjects as guaranteed by Section 37 of the Federal Republic of Nigeria’s 1999 Constitution (as amended).
HERE ARE THE 11 MOST IMPORTANT POINTS OF THE NDPA-GAID
1. Resolving data protection regulation overlaps:
GAID explains Nigeria’s data protection legal structure. According to Article 3, the Nigeria Data Protection Act (NDPA) will take precedence over any other legislation or regulation in the event of a disagreement.
2. Measures taken by data controllers and processors to ensure general compliance:
Data controllers and processors are required by the GAID to fulfill important duties, such as registering with the Commission, performing NDPA compliance audits, and filing semi-annual data protection reports.
Entities that are based, reside, or operate in Nigeria and process or plan to process the personal data of a sizable number of Nigerian data subjects are defined as “data controllers” and “data processors of major importance.” The Commission will take into account a number of considerations when determining substantial importance, including:
- the sensitivity of the personal data concerned
- the dangers to data subjects in the event that the business is exempt from the heightened duties under the NDPA.
3. Data controller and processor classification:
The GAID divides data controllers and processors into three major data processing levels: Ordinary-High Level (OHL), Extra-High Level (EHL), and UHL.
Commercial banks and telecommunications firms are included in UHL, hospitals and ministries are included in EHL, while schools and small health facilities are included in OHL.
4. Sending the commission an NDPA Compliance Audit Return (CAR):
GAID requires regular compliance audits and enforces penalties for failing to file returns. Data controllers must evaluate their data processing operations using a risk-based methodology. In addition to the initial filing charge, noncompliance with this order carries an administrative penalty equal to 50% of the required CAR filing fees.
5. Data Protection Officer
Under the GAID, a Data Protection Officer (“DPO”) may be an employee of the data controller, data processing company, or even an outside third party. Data controllers and processors are also required to post the DPO’s contact information and send it to the Commission.
6. Dependency on consent:
According to Article 17 of the GAID, consent may be given explicitly or constructively in specific circumstances. For instance, photos taken at public events may be used in reporting, but if they are to be used for advertising or commercial reasons, express agreement must be obtained. The Special Rule of Law Indexes (SRLI), which permit the use of alternative legal bases in situations where gaining consent is impractical, are also introduced in the article. These grounds include circumstances in which the rights of the data subject, security issues, or the general welfare are at stake.
7. Websites with sensitive data:
The GAID requires websites that handle sensitive data to get users’ agreement before using cookies and other tracking tools. It also requires that the cookie banner be visible and not require scrolling to view.
8. Data privacy impact assessment:
Before beginning any data processing operations, the GAID requires that a Data Protection Impact Assessment (DPIA) be carried out. The DPIA has a six-month deadline for individuals who were processing data prior to the GAID’s issue. A certified Data Protection Officer (DPO) approved by the Commission must sign Schedule 4 of the GAID, which describes the process for doing the DPIA.
9. Data Processing Agreement:
GAID specifies the conditions of the Data Processing Agreement between data controllers and processors, including Section 29 of the NDPA requirements and information on the locations and goals of data processing.
10. Exercise of Right to Rectification:
The GAID makes sure that platforms give users the chance to fix mistakes in their personal information for free, even if the data controller or processor created the mistake.
11. Right to be Forgotten:
Under GAID, people can ask for their personal information to be deleted if it is no longer required, they no longer consent to its use, or they object to its use and there is no compelling reason to preserve it.
What You Need to Do
According to the GAID 2025, in order to comply with the NDPA, enterprises must complete required Data Protection Impact Assessments (DPIAs), designate Data Protection Officers (DPOs), and defend data subjects’ rights, including the ability to file a Standard Notice to Address Grievance (SNAG) in the event that their privacy is breached and the right to erasure under certain circumstances.
With harsher sanctions for NDPA non-compliance, the NDPC is anticipated to step up its oversight and enforcement efforts. Additionally, the GAID defines the rules for employing transfer instruments and lists the considerations that the NDPC takes into account for cross-border data transfers.
Moreover, the NDPC has suggested a six-month transition period, with full implementation anticipated in the second half of 2025, even though the GAID does not specifically provide an implementation timeframe.
MAJOR CHALLENGES
Implementation: Ensuring compliance across all sectors, particularly small firms, is one challenge that lies ahead.
Balancing innovation and regulation is another, as are cybersecurity risks: more robust defenses will be needed in light of growing cyberthreats, but whether the country can meet these demands is a question only time will answer.
CONCLUSION
By increasing user rights and defining more precise requirements for enterprises, this directive improves and clarifies the current Nigeria Data Protection Act (NDPA). These improvements are being spearheaded by the Nigeria Data Protection Commission (NDPC), which emphasizes the significance of privacy and data protection for both individuals and businesses.