Data protection in Nigeria is a developing area of law. The principal data protection legislation is the Nigeria Data Protection Act, 2023 (NDPA), which was enacted in June 2023. It established the Nigeria Data Protection Commission (NDPC) as the country's data protection authority.
The NDPC issued the NDPA General Application and Implementation Directive 2025 (GAID) on 20 March 2025. The GAID has a six-month transition period and will become effective as of 19 September 2025. The GAID will replace the Nigerian Data Protection Regulation, 2019 (NDPR) and the Nigerian Data Protection Regulation 2019: Implementation Framework (Implementation Framework), which will continue to apply until the GAID becomes effective.
Currently, the data protection landscape is regulated by the NDPA, the NDPR and the Implementation Framework, as well as by other national and sector-specific laws that contain data protection and privacy obligations.
| Area | Summary |
| --- | --- |
| Main laws | The NDPA, the GAID, the NDPR and the Implementation Framework |
| Key regulators | The NDPA established the NDPC as the data protection authority in Nigeria. The NDPC is responsible for enforcing the NDPA and its subsidiary regulations. Various sector-specific regulatory authorities are also responsible for data protection within their own sectors. |
| Are there specific requirements applicable to the collection and processing of data? | Yes, requirements exist under the NDPA. |
| Is there a requirement for data localisation? | Yes. The mandatory Guidelines for Nigerian Content Development in Information and Communication Technology, issued by the National Information Technology Development Agency, contain certain data localisation requirements, including, for example, that all data and information management companies host all sovereign data in Nigeria. In addition, some sector-specific laws contain data localisation provisions. For example, the Central Bank of Nigeria (CBN) mandates that bank verification number (BVN) data must be stored in Nigeria and must not be routed outside the country without the CBN's approval. |
| Are there limitations on cross-border transfers of data? | Yes, the NDPA governs the cross-border transfer of personal data outside Nigeria. Such transfers are overseen by the NDPC and are only permitted where the data controller or data processor relies on one of the bases for transfer stipulated in the NDPA. |
| Are there registration requirements? | Yes, there are registration requirements under the NDPA. Entities deemed to be data controllers and processors of major importance (DCPMI) must register with the NDPC. The NDPC has issued a Guidance Notice (Notice), which defines the entities that are deemed to be DCPMIs. According to the Notice, a DCPMI is a data processor or controller that keeps or has access to a filing system (whether analogue or digital) for the processing of personal data, and: In addition, the Notice classifies DCPMIs into three levels or categories, namely: |
| Is a Data Protection Officer required? | Yes, the NDPA requires data controllers and data processors of major importance to designate data protection officers with expert knowledge of data protection laws and practices. |
| Is a risk assessment/privacy impact assessment required? | Yes. Under the NDPA, where the processing of personal data is likely to result in a high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes, the data controller must carry out a data privacy impact assessment before processing. |
| Must data breaches be reported? | Yes, the NDPA requires data controllers to notify the NDPC within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. Certain institutions, such as banks, also have obligations to report data breaches under their sector-specific laws. |
| Key enforcement/sanction provisions | Breaches of the NDPA may result in penalties that vary in amount depending on whether the entity is a DCPMI. For a DCPMI, the fine is 2% of annual gross revenue for the preceding year or NGN 10 million, whichever is greater. For a data controller or data processor not of major importance, a fine of 2% of annual gross revenue for the preceding year or NGN 2 million, whichever is greater, may be imposed. |
| Is cybercrime regulated in terms of any laws, regulations or directives? | Yes, cybercrime is primarily regulated under the Cybercrimes (Prohibition, Prevention, etc) Act, 2015 (as amended by the 2024 Amendment Act) (Cybercrimes Act). |
| If regulated, are there any cybercrime reporting requirements? | Yes, the Cybercrimes Act requires any person or institution operating a computer system or network, whether public or private, to inform the National Computer Emergency Response Team (CERT) Coordination Centre of any attacks, intrusions or other disruptions that could hinder the functioning of computer systems or networks within seven days of the occurrence. Reports to the CERT Coordination Centre must be routed through the respective sectoral CERTs or sectoral Security Operations Centres. |