- within Privacy, Strategy and Criminal Law topic(s)
- with readers working within the Accounting & Consultancy, Securities & Investment and Law Firm industries
Introduction
Following recent enforcement trends, the Nigeria Data Protection Commission (NDPC) has continued its sector-by-sector regulatory compliance investigations. On 19 February 2026, the NDPC issued a 21-day compliance notice to entities operating within the educational sector in Nigeria. This regulatory action targets educational institutions, including universities, polytechnics, colleges of education, and other educational institutions that process a significant amount of personal data. The affected institutions are required to submit evidence of their compliance with their obligations under the Nigeria Data Protection Act 2023 (NDPA) to the NDPC within twenty-one (21) days of the compliance notice, that is to say, on or before 11 March 2026. Specifically, the compliance notice requires the educational institutions to submit the following documents:
- Evidence of the filing of their Compliance Audit Returns;
- Evidence of the appointment or designation of a Data Protection Officer (DPO);
- A summary of technical and organisational measures implemented to protect the personal data that is collected and processed by such institutions; and
- Evidence of their registration with the NDPC as Data Controllers or Processors of Major Importance (DCPMIs) where applicable.
Impact
This enforcement initiative is likely to have been driven by the fact of the large volumes of data these educational institutions process. This data includes sensitive personal data, or sometimes engaging in processing activities that could affect vulnerable individuals (particularly minors or persons below the age of 18 years), and who increasingly rely on digital platforms and systems for their operations.
The NDPC has indicated that institutions which fail to comply with the notice, or are unable to demonstrate adequate data protection practices, may be subject to regulatory enforcement actions, including the imposition of administrative penalties and fines.
Key takeaways
- Educational institutions must immediately initiate a comprehensive internal data protection assessment to identify existing compliance gaps.
- This process includes a
- a rigorous review of all data governance frameworks, specifically focusing on issues such as technical security safeguards, cross-border transfers, and third-party processing agreements.
- Furthermore, institutions are required to confirm that all mandatory annual data protection compliance audits have been conducted an
- that they comply with the relevant data privacy obligations under the NDPA.
- In addition, the affected entities should prioritise submitting their response to the NDPC within the 21-day timeframe in order to avoid the risk of the imposition of administrative penalties or further regulatory enforcement actions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
