ARTICLE
5 August 2025

UUBO Contributes To Bowman's 2025 Africa Guide To Data Protection Publication

Udo Udoma & Belo-Osagie


Founded in 1983, Udo Udoma & Belo-Osagie is a multi-specialisation full service corporate and commercial law firm with offices in Nigeria’s key commercial centres. The firm’s corporate practice is supported by a company secretarial department, Alsec Nominees Limited, which provides a full range of company secretarial services and our sub-firm, U-Law which caters exclusively to entrepreneurs, MSMEs, startups, and growth businesses across several industries, including the FinTech industry. It is designed as a one-stop-shop for all basic business-related legal needs, providing high-quality support in a simplified and straightforward manner at super competitive prices. We are privileged to work with diverse local and international clients to create and implement innovative practical solutions that facilitate business in Nigeria and beyond. When required, we are well-placed to work across Africa with a select network of leading African and international law firms with whom we enjoy established relationships.

Data protection in Nigeria is a developing area of law. The principal data protection legislation is the Nigeria Data Protection Act, 2023 (NDPA), which was enacted in June 2023. It established the Nigeria Data Protection Commission (NDPC) as the country's data protection authority.

The NDPC issued the NDPA General Application and Implementation Directive 2025 (GAID) on 20 March 2025. The GAID has a six-month transition period and will become effective as of 19 September 2025. The GAID will replace the Nigerian Data Protection Regulation, 2019 (NDPR) and the Nigerian Data Protection Regulation 2019: Implementation Framework (Implementation Framework), which will continue to apply until the GAID becomes effective.

Currently, the data protection landscape is regulated by the NDPA, NDPR, Implementation Framework as well as other national and sector-specific laws containing data protection and privacy obligations.

Main laws

The NDPA, the GAID, the NDPR and the Implementation Framework.

Key regulators

The NDPA established the NDPC as the data protection authority in Nigeria. The NDPC is responsible for the enforcement of the NDPA and other subsidiary regulations. Various sector-specific regulatory authorities are also responsible for data protection in each of their sectors.

Are there specific requirements applicable to the collection and processing of data?

Yes, requirements exist under the NDPA.
Is there a requirement for data localisation?

Yes, the mandatory Guidelines for Nigerian Content Development in Information and Communication Technology issued by the National Information Technology Development Agency have certain data localisation requirements, including, for example, that all data and information management companies host all sovereign data in Nigeria.

In addition, there are certain data localisation provisions in some sector-specific laws. For example, the Central Bank of Nigeria (CBN) mandates that bank verification number (BVN) data must be stored in Nigeria and must not be routed outside the country without the approval of the CBN.

Are there limitations on cross-border transfers of data?

Yes, the NDPA governs the cross-border transfer of personal data outside Nigeria. Cross-border transfers of personal data are overseen by the NDPC and are only allowed where the data controller or data processor relies on the bases for transfer stipulated in the NDPA.

Are there registration requirements?

Yes, there are registration requirements under the NDPA. Entities deemed to be data controllers and processors of major importance (DCPMI) must register with the NDPC. The NDPC has issued a Guidance Notice (Notice), which defines the entities that are deemed to be DCPMIs. According to the Notice, a DCPMI is a data processor or controller that keeps or has access to a filing system (whether analogue or digital) for the processing of personal data, and:

  • processes the personal data of more than 200 data subjects in six months; or carries out commercial information communication technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or
  • processes personal data as an organisation or a service provider in any of the following sectors: financial, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, and electric power sectors.

In addition, the Notice classifies DCPMIs into three levels or categories, namely:

  • Major data processing-ultra high level (MDP-UHL): These are entities that process the personal data of over 5 000 data subjects in a six-month period. In addition, entities such as commercial banks operating at national or regional level, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, oil and gas companies, public social media app developers and proprietors, public email app developers and proprietors, communication device manufacturers, payment gateway providers, and fintechs are also deemed to be MDP-UHLs.
  • Major data processing-extra high level (MDP-EHL): These are entities that process the personal data of over 1 000 data subjects within six months. In addition, entities such as ministries, departments, and agencies of government (MDAs), microfinance banks, higher institutions (Universities, Polytechnics, Colleges of Education, etc), hospitals providing tertiary or secondary medical services, and mortgage banks are also designated MDP-EHL.
  • Major data processing-ordinary high level (MDP-OHL): These are entities that process the personal data of over 200 data subjects within a six-month period. In addition, entities such as primary and secondary schools, primary health centres, agents, contractors, and vendors who engage with data subjects on behalf of other organisations/entities (third-party data processors) are deemed to be MDP-OHL.

Is a Data Protection Officer required?

Yes, the NDPA requires data controllers and data processors of major importance to designate data protection officers with expert knowledge of data protection laws and practices.

Is a risk assessment/privacy impact assessment required?

Yes. Under the NDPA, where the processing of personal data is likely to result in a high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes, a data controller must, prior to processing, carry out a data privacy impact assessment.

Must data breaches be reported?

Yes, the NDPA requires data controllers to notify the NDPC within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. Certain institutions, such as banks, also have obligations to report data breaches under their sector-specific laws.

Key enforcement/sanction provisions

Breaches of the NDPA may result in penalties that vary in amount, depending on whether the entity is a DCPMI. If it is a DCPMI, there is a fine of 2% of annual gross revenue for the preceding year or payment of the sum of NGN 10 million, whichever is greater. In the case of a data controller or data processor not of major importance, a fine of 2% of the annual gross revenue for the preceding year or payment of the sum of NGN 2 million, whichever is greater, may be imposed.

Is cybercrime regulated in terms of any laws, regulations or directives?

Yes, cybercrime is primarily regulated under the Cybercrimes (Prohibition, Prevention, etc) Act, 2015 (as amended by the 2024 Amendment Act) (Cybercrimes Act).

If regulated, are there any cybercrime reporting requirements?

Yes, the Cybercrimes Act requires that any person or institution operating a computer system or network, whether public or private, inform the National Computer Emergency Response Team (CERT) Coordination Centre of any attacks, intrusions, or other disruptions that could hinder the functioning of computer systems or networks within seven days of the occurrence. Reports to the CERT Coordination Centre must be routed through the respective sectoral CERTs or sectoral Security Operations Centres.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
