Nigeria passed the Nigeria Data Protection Act (NDPA) in 2023, and the Nigeria Data Protection Commission (NDPC) is actively enforcing it. If you're building technology that processes personal data of Nigerian residents, this applies to you.
Most coverage of the NDPA is written for lawyers. Here's the developer-relevant version.
Who it applies to
Any organisation processing personal data of Nigerian residents. This includes:
- Nigerian fintechs and startups (obviously)
- International SaaS platforms with Nigerian users
- Any app available in Nigeria that collects user data
- Companies using AI APIs that process Nigerian customer queries
Key requirements
Lawful basis — you need a legal reason for every piece of personal data you process. Contract performance (providing the service they signed up for) covers most app functionality.
Privacy notices — tell users what data you collect, why, how long you keep it, and their rights.
DPIAs — Data Protection Impact Assessments for high-risk processing. AI systems, large-scale data processing, and automated decision-making all qualify.
DPO — if you process data of 2,000+ data subjects, you need a Data Protection Officer.
CAR filing — annual Compliance Audit Return filed through a licensed DPCO. The 2026 deadline was March 31.
Cross-border transfers — if you send Nigerian user data to cloud providers or AI APIs outside Nigeria, you need documented safeguards.
How it compares to GDPR
Similar principles, different implementation. The biggest difference: NDPA requires mandatory annual audits through licensed DPCOs, which GDPR doesn't have.
Full comparison: NDPA vs GDPR — Key Differences
Penalties
Up to 2% of annual gross revenue or ₦10 million, whichever is greater. NDPC is building enforcement capacity and has political backing.
Complete guide: Nigeria Data Protection Act 2023 — Complete Business Guide