AuditXYZ

Compliance Framework

Nigeria Data Protection Act 2023

Nigeria's NDPA is Africa's largest economy's comprehensive data protection law, establishing the NDPC as the regulatory body, requiring annual audits for major data processors, and granting extensive data subject rights.

$5,000–$80,0003–9 monthsAudit Required2023
Request a ConsultationSee process
Issuing BodyNational Assembly of Nigeria / Nigeria Data Protection Commission (NDPC)
First Published2023-06-12
Latest Version2023
Typical Cost$5,000–$80,000
Typical Timeline3–9 months
Audit RequiredYes
Audit FrequencyAnnual data protection audit required for data controllers and processors of major importance. Audit must be conducted by a licensed Data Protection Compliance Organization (DPCO).
Geographynigeria

NDPA: The Complete Guide

The Nigeria Data Protection Act 2023 is a landmark piece of legislation for Africa's largest economy and most populous nation. Signed into law in June 2023, the NDPA replaces the earlier Nigeria Data Protection Regulation (NDPR) of 2019 and establishes the Nigeria Data Protection Commission as an independent regulatory body with broad enforcement powers.

What the NDPA Covers

The NDPA establishes a framework for lawful data processing built on principles of fairness, lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. Processing requires a lawful basis, including consent, contractual performance, legal obligation, vital interests, public interest, and legitimate interests.

Data subjects are granted comprehensive rights including the right to be informed, access their personal data, request rectification, request erasure, restrict processing, data portability, and object to processing. The Act also provides protections against automated decision-making and profiling that produce legal or significant effects.

Special personal data — including racial or ethnic origin, political opinions, religious beliefs, health, sexual life, genetic and biometric data, and criminal records — requires explicit consent or must meet specific conditions for processing.

Annual Audit Requirement

A distinctive feature of Nigeria's data protection framework is the mandatory annual data protection audit. Data controllers and processors designated as being of "major importance" by the NDPC must engage a licensed Data Protection Compliance Organization (DPCO) to conduct an annual audit and file the results with the Commission. This requirement creates a structured compliance verification mechanism not found in most other data protection laws.

Who Needs to Comply

The NDPA applies to all organizations that process the personal data of individuals in Nigeria, regardless of whether the organization is established in Nigeria. It also applies to organizations outside Nigeria that process personal data of Nigerian residents in connection with offering goods or services or monitoring behavior.

Enforcement and Penalties

The NDPC has the authority to investigate complaints, conduct audits, and impose penalties. Fines for violations can reach up to 2% of annual gross revenue or 10 million Naira, whichever is greater, for data controllers of major importance.

Practical Compliance Steps

  1. NDPC registration — Register with the Nigeria Data Protection Commission
  2. DPCO engagement — Engage a licensed Data Protection Compliance Organization for annual audits
  3. Lawful basis mapping — Document the legal basis for each processing activity
  4. Data subject rights — Implement mechanisms for exercising all data subject rights
  5. DPO appointment — Designate a Data Protection Officer as required
  6. Cross-border transfer assessment — Evaluate and implement safeguards for international data transfers

Get the NDPA starter pack

By submitting, you agree to our privacy policy.

Framework Mappings

Related frameworks

gdprpopiakenya-dpalgpd

Get matched with a NDPA auditor in 24 hours

Free, no-obligation — just tell us your email and we'll do the rest.

By submitting, you agree to our privacy policy.

Related Frameworks

GDPR
Framework
The GDPR is the world's most influential data protection law, setting the standard for how organizations collect, process, and protect personal data of individuals in the EU and EEA. This guide covers lawful bases, data subject rights, breach notification, and practical compliance steps.
View
Kenya DPA
Framework
Kenya's Data Protection Act establishes a comprehensive framework for personal data protection, creating the Office of the Data Protection Commissioner and granting individuals extensive rights over their personal data.
View
LGPD
Framework
Brazil's LGPD is a comprehensive data protection law closely modeled on the GDPR, establishing rights for data subjects, obligations for controllers and processors, and enforcement by the ANPD. This guide covers legal bases, data subject rights, and practical compliance.
View
POPIA
Framework
POPIA is South Africa's comprehensive data protection law modeled on European data protection principles. It establishes eight conditions for lawful processing, data subject rights, and the Information Regulator as the supervisory authority.
View

Recommended Tools

6clicks Review 2026: Pricing, Features, and Verdict
Tool
Review of 6clicks, the AI-powered GRC platform with hub-and-spoke architecture. Covers Hailey AI, multi-entity support, pricing, and ideal use cases.
View
Akitra Review 2026: Pricing, Features, and Verdict
Tool
Review of Akitra, a compliance automation platform with broad framework coverage including FedRAMP and CMMC. Covers pricing, features, and who should use it.
View
Anecdotes Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes, a compliance OS that aggregates security tool data. Covers the aggregation approach, AI gap analysis, and comparison with Vanta.
View
Anecdotes Trust Center Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes Trust Center, the compliance-as-code trust portal. Covers live compliance sync, developer-friendly approach, pricing, and positioning.
View