The Nigeria Data Protection Act 2023 ("NDP Act") seeks to safeguard the fundamental rights, freedoms, and interests of data subjects as enshrined under the Constitution of the Federal Republic of Nigeria.
The Nigeria Data Protection Commission ("NDPC" or "Commission"), in a statement signed by Babatunde Bamigboye, Head of the Enforcement and Regulations Department at the NDPC, said that the Commission, in line with Sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the NDP Act, has issued compliance notices to certain organizations listed in the schedule of its notice.
The list of these organizations is available. The notice targets 1,368 organizations, including financial institutions (795), insurance companies (35), insurance brokers (392), gaming companies (136), and pension companies (10).
These organizations are required to provide:
- Evidence of filing NDP Act Compliance Audit Returns for 2024 (S.6(d) of the NDP Act);
- Evidence of designation or appointment of a data protection officer, including name and contact details;
- Summary of technical and organizational measures for data protection within the organization; and
- Evidence of registration as a data controller or processor of major importance, within 21 days of issuance.
Failure to comply with the compliance notice may result in enforcement actions, including the issuance of an enforcement order, administrative fines, and/or criminal prosecution in accordance with the NDP Act.
Other companies acting in Nigeria, outside the listed sectors, are also advised to review their data governance practices in light of the NDPC's enforcement posture.