NDPR Compliance for Nigerian Developers — Implementation Guide 2026

#nigeria #security #javascript #webdev

NDPR has been Nigerian law since 2019. Most Nigerian businesses aren't compliant. Here's a practical developer's guide to building NDPR compliance into Nigerian applications.

What Developers Need to Implement

1. Consent management

// Record explicit consent with full audit trail
await ConsentRecord.create({
  userId,
  consentGiven: { marketing, analytics, thirdPartySharing },
  consentMethod: 'EXPLICIT_OPT_IN', // NDPR requires this
  timestamp: new Date(),
  consentTextVersion: process.env.CONSENT_TEXT_VERSION
});

2. Data subject rights — 72hr response required

// Right to access — return everything you hold
async handleAccessRequest(userId) {
  const [profile, orders, consents] = await Promise.all([
    User.findByPk(userId),
    Order.findAll({ where: { userId } }),
    ConsentRecord.findAll({ where: { userId } })
  ]);
  return { profile, orders, consents };
}

// Right to erasure — anonymize if legal retention applies
async handleDeletionRequest(userId) {
  await User.update({
    name: 'ANONYMIZED',
    email: `anonymized_${userId}@deleted.local`,
    phone: 'ANONYMIZED'
  }, { where: { id: userId } });
}

3. Encrypt PII at rest

// AES-256-GCM for sensitive fields
const encryptPII = (data) => {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(
    'aes-256-gcm',
    Buffer.from(process.env.ENCRYPTION_KEY, 'hex'),
    iv
  );
  let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return { encrypted, iv: iv.toString('hex'), tag: cipher.getAuthTag().toString('hex') };
};

4. Breach notification — 72hrs to notify NITDA

async reportBreach(breachDetails) {
  const breach = await DataBreach.create({
    ...breachDetails,
    nitdaDeadline: new Date(Date.now() + 72 * 60 * 60 * 1000)
  });
  await alertDPO(breach);
  // Submit notification to info@nitda.gov.ng within 72 hours
}