
NDPA vs NDPR: Key Changes Every Business Must Know

Nigeria’s data protection rules changed significantly when the Nigeria Data Protection Act (NDPA) replaced the Nigeria Data Protection Regulation (NDPR) in June 2023. The NDPA introduced stronger enforcement powers, higher penalties, and new requirements that every business handling Nigerian customer data must follow. If your business collected data under the old NDPR framework, you need to update your practices now.

The shift from NDPR to NDPA is more than just a name change. In fact, the new law creates a permanent data protection commission with real authority to investigate and fine companies. It also gives people more control over their personal information. Additionally, it sets clear rules for moving data outside Nigeria.

Many businesses still follow old NDPR guidelines without realising the NDPA added new duties. For example, data breach reporting timelines and consent requirements have both changed. As a result, how you collect, store, and use customer information may need to be updated. Understanding these changes helps you avoid penalties and build trust with your customers.

Not sure where to start? 6030 Technologies offers end-to-end NDPA compliance support for businesses of all sizes across Nigeria.

Key Takeaways

  • The NDPA replaced the NDPR in 2023 and introduced stronger enforcement powers and higher penalties for violations. (Source: NDPC)
  • Businesses must follow new requirements for data protection, breach notification, and international data transfers
  • Companies need to update their compliance practices and filing procedures to meet current 2026 standards

Overview of NDPR and NDPA: Key Differences

Nigeria’s data protection framework changed from a regulation to a full law in June 2023. Specifically, the Nigeria Data Protection Act 2023 replaced the Nigeria Data Protection Regulation. This shift gave data protection rules stronger legal standing across the country.

Background of Data Protection in Nigeria

Nigeria took its first major step in data protection when the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation in January 2019. This regulation created the initial framework for protecting personal data in Nigeria.

The NDPR addressed the growing need to protect Nigerian citizens’ data as digital transactions increased. It set basic rules for how organisations could collect and process personal data. However, before the NDPR existed, Nigeria had no comprehensive data protection rules at all. Organisations handled personal data with little oversight or standardised requirements. The NDPR filled this gap by establishing clear guidelines for data controllers and processors.

NDPR as Regulatory Foundation

The Nigeria Data Protection Regulation served as Nigeria’s primary data protection framework from 2019 to 2023. NITDA issued this regulation under its authority to regulate information technology practices.

The NDPR covered these key areas:

  • Collection and processing of personal data
  • Rights of data subjects
  • Obligations of data controllers
  • Security requirements for personal data
  • Penalties for non-compliance

However, the NDPR had significant limitations. It lacked the full legal force of an act passed by the National Assembly. As a result, organisations sometimes questioned its enforcement power. Furthermore, because it came from a regulatory body rather than formal legislation, its authority was seen as weaker than that of a proper law.

Despite these limitations, the NDPR protected Nigerian citizens both inside and outside Nigeria. It applied to any organisation processing Nigerian citizens’ personal data, regardless of where that organisation was based.

NDPA as Legislative Evolution

The Nigeria Data Protection Act 2023 became law on June 12, 2023, when President Bola Ahmed Tinubu signed it. This act replaced the NDPR entirely and gave data protection full legislative backing for the first time in Nigeria’s history.

The NDPA strengthened data protection in several ways. First, it created a more robust legal framework with clearer enforcement mechanisms. Second, it expanded the rights of data subjects. Third, it increased penalties for violations significantly.

One major change involved scope. The NDPA protects individuals residing in Nigeria. Importantly, it does not extend protection to Nigerian citizens living abroad — a key difference from the NDPR’s broader reach.

As a result of the NDPA, NITDA now has enhanced powers to enforce data protection rules. Organisations therefore face legal consequences backed by an act of the National Assembly, rather than just regulatory penalties.

Transition Timeline and Legal Precedence

The transition from NDPR to NDPA happened officially in June 2023. Consequently, organisations had to adapt their compliance programmes to meet the new legal requirements.

The NDPA repealed the NDPR and its implementation framework entirely. Any references to the NDPR in existing contracts or policies therefore became outdated. By 2026, your business must operate under NDPA guidelines exclusively.

The legal precedence also changed significantly. The NDPA carries more weight in courts and legal proceedings than the NDPR did. Moreover, enforcement actions under the NDPA have much stronger legal standing.

Organisations that built compliance programmes under the NDPR needed to update their practices. In particular, the NDPA introduced new requirements for data processing, stricter consent rules, and higher penalties for violations. If your organisation has not yet made this update, book a free compliance consultation with 6030 Technologies today.

What Changed from NDPR to NDPA

Nigeria’s data protection framework underwent a major shift with the introduction of the NDPA 2023. Furthermore, the General Application and Implementation Directive (GAID), issued in March 2025, provided additional clarity. Together, these instruments established an independent regulatory body, expanded key definitions, introduced stricter registration requirements, and replaced the NDPR entirely.

Creation of the Nigeria Data Protection Commission (NDPC)

The NDPA 2023 established the Nigeria Data Protection Commission (NDPC) as an independent regulatory authority with significant enforcement powers. Under the old NDPR, enforcement fell under NITDA, which lacked a dedicated focus on data protection.

The NDPC now operates independently. It has the power to issue directives, conduct investigations, and impose penalties. This shift gives data protection regulation its own institutional framework, separate from broader IT development goals.

The NDPC has already demonstrated its enforcement capabilities. For instance, the commission collected ₦7.2 billion in penalties, showing that it actively monitors compliance and takes action against violations. In addition, over 4,000 Compliance Audit Returns have been filed under its oversight. (Source: Global CBPR Forum – Nigeria Letter of Intent)

Expanded Definitions: Data Processors, Sensitive Data, Processing

The NDPA provides more detailed definitions than the NDPR for critical terms like data controllers, data processors, and sensitive data. A data controller determines the purposes and means of processing personal data, while a data processor handles data on behalf of the controller.

Sensitive data now explicitly includes genetic data and biometric data alongside categories like health information, religious beliefs, and political opinions. Moreover, the GAID clarifies that processing covers any operation performed on personal data, whether automated or manual.

These expanded definitions help you understand your obligations more clearly. For example, if you collect fingerprints or DNA information, you are now handling sensitive data that requires additional safeguards. Furthermore, the law now regulates private individuals as data controllers, not just organisations.

Mandatory Registration and New Classification of Controllers and Processors

The NDPA introduced the concept of Data Controllers and Processors of Major Importance (DCPMI). This classification replaced the previous system. The GAID defines three levels:

  • Ultra High Level (UHL): 50,000+ data subjects
  • Extra High Level (EHL): 2,500–49,999 data subjects
  • Ordinary High Level (OHL): Below 2,500 data subjects

Your registration requirements depend on your classification. UHL and EHL entities register once but must submit an annual Compliance Audit Report (CAR). OHL entities, on the other hand, must renew registration annually but do not file a CAR.

Importantly, the GAID clarifies that you do not need physical presence in Nigeria to qualify as DCPMI. In other words, if you target Nigerian data subjects from outside the country, these rules still apply to you.


GAID: The General Application and Implementation Directive

The GAID, issued in March 2025, officially repealed the NDPR 2019 and its 2020 Implementation Framework. As a result, this directive now serves as the primary implementation guide for the NDPA 2023.

The GAID introduced several new requirements beyond what the NDPR required. For example, you must now conduct Data Protection Impact Assessments (DPIAs) in scenarios involving automated decision-making, systematic monitoring, and processing data of vulnerable subjects. Additionally, the directive established a Legitimate Interest Assessment (LIA) framework for evaluating lawful processing grounds.

Storage limitations also changed significantly. If you have no time-bound storage obligation, you must delete personal data within six months after fulfilling its original purpose. Furthermore, the GAID expanded Data Protection Officer (DPO) obligations, requiring semi-annual reports and annual credential assessments by the NDPC. (Source: NDPC GAID 2025)

Core Legal and Compliance Obligations under NDPA

The NDPA establishes clear requirements for how organisations must handle personal data. These include multiple lawful bases for processing, expanded data subject rights, mandatory privacy-by-design principles, and annual audit obligations. Organisations operating in Nigeria must therefore understand these core obligations to maintain compliance and avoid penalties.

Lawful Bases for Processing: Consent, Contract, Legitimate Interest

You must have a valid lawful basis before processing any personal data under the NDPA. The act provides several legal bases for processing. Notably, the most significant change is the introduction of legitimate interest as a valid ground — something that did not exist under the NDPR.

Consent remains a primary lawful basis. You need clear, specific agreement from data subjects before collecting or using their personal data. The consent must also be freely given and easy to withdraw.

Legitimate interest is now recognised under the NDPA. This marks a major shift from the NDPR framework. You can now process personal data when it serves your legitimate business interests, provided those interests do not override the data subject’s rights and freedoms. This addition gives you more flexibility in business operations without requiring explicit consent for every processing activity.

Other valid legal bases for processing include:

  • Performance of a contract with the data subject
  • Compliance with legal obligations
  • Protection of vital interests
  • Performance of tasks in the public interest

You must document which lawful basis applies to each processing activity. Additionally, you must communicate this information to data subjects through your privacy notices. (Source: CookieYes – NDPA Guide)

Expanded Rights of Data Subjects

The NDPA strengthens the rights of data subjects significantly. It also requires you to respond to their requests promptly. As a result, data subjects now have comprehensive rights over their personal data that you must honour.

Right to access allows individuals to request confirmation of whether you are processing their data and obtain copies of that information. You must respond to these requests within the timeframes specified by the NDPC.

Right to rectification requires you to correct inaccurate or incomplete personal data when a data subject requests it. Therefore, you need systems in place to quickly identify and update incorrect information across your databases.

Right to be forgotten (erasure) lets data subjects demand deletion of their personal data under specific circumstances. You must comply unless you have compelling legitimate grounds to retain the data, such as legal obligations or ongoing litigation.

Additional data subject rights include:

  • Right to restrict processing
  • Right to object to processing
  • Right to lodge complaints with the Commission

You must establish clear procedures and use a standard notice to address grievances when handling data subject requests and complaints.

Data Protection by Design and Default

You must incorporate privacy protections into your systems and processes from the start, not as an afterthought. Data protection by design therefore requires you to implement technical and organisational measures that embed privacy into your operations from day one.

When developing new products, services, or systems, you need to consider data protection requirements during the design phase. This includes minimising data collection, ensuring accuracy, limiting storage periods, and securing information against unauthorised access.

Data protection by default means your systems must automatically apply the highest privacy settings. You should only process the personal data necessary for each specific purpose. In addition, you must limit access to those who need it for legitimate business reasons.

Key implementation requirements include:

  • Pseudonymisation and encryption of personal data
  • Regular testing and assessment of security measures
  • Documentation of all processing activities
  • Privacy impact assessments for high-risk processing

Importantly, these requirements apply throughout the entire data lifecycle, from collection through to deletion.

Annual Compliance Audits and Reporting

You must conduct regular assessments of your data protection practices and submit reports to the NDPC. The annual data protection audit verifies that your organisation meets all NDPA requirements.

Data controllers and processors of major importance must complete a compliance audit that examines all aspects of your data processing activities. The audit report documents your policies, procedures, security measures, and any compliance gaps.

You can engage licensed Data Protection Compliance Services to help monitor, audit, and report on your data protection compliance. These services replaced the Data Protection Compliance Organisations (DPCOs) that existed under the NDPR framework.

Your data protection audit should cover:

  • Lawfulness of all processing activities
  • Data subject rights fulfilment
  • Security measures and breach response procedures
  • International data transfer mechanisms
  • Staff training and awareness programmes

You must maintain detailed records of your compliance audit report and provide them to the Commission upon request. Data controllers processing significant volumes of personal data face stricter audit requirements. Furthermore, they may need to register with the Commission within six months of meeting the threshold for “major importance” status. 6030 Technologies can handle your annual audit and CAR filing on your behalf.

Role and Responsibilities of Key Stakeholders

The NDPA establishes clear roles for everyone involved in handling personal data. Data controllers and processors face specific duties. Meanwhile, businesses must appoint qualified data protection officers and may need to work with licensed compliance organisations.

Obligations for Data Controllers and Processors

The NDPA defines data controllers more broadly than the NDPR did. A data controller now explicitly includes individuals and private entities who determine how and why personal data gets processed. Consequently, even private citizens who control personal data fall under the law’s scope.

Data controllers must ensure lawful processing of personal data. You need a valid legal basis before collecting or using someone’s information. As noted earlier, the NDPA added legitimate interest as a lawful ground, something the NDPR had left out.

When you work with data processors, the NDPA requires a written Data Processing Agreement (DPA). This contract must clearly state what you are instructing the processor to do with the data. The processor can therefore only act on your documented instructions.

Both controllers and processors must implement appropriate security measures. You are responsible for protecting personal data against unauthorised access, loss, or destruction. Notably, the NDPA specifically includes data availability as part of your security obligations, meaning you must be able to produce personal data when required.

Appointment and Credentialing of Data Protection Officers (DPOs)

Your organisation may need to designate a Data Protection Officer depending on the nature and scale of your data processing activities. The DPO serves as your internal expert on data protection compliance. They also act as a contact point with the NDPC.

The DPO must understand both data protection law and your business operations. Crucially, this person needs independence to perform their duties without interference. You cannot dismiss or penalise your DPO for doing their job.

Under the NDPA, DPOs may need to go through a credential assessment process. While the specific requirements continue to evolve, you should therefore ensure your DPO has proper qualifications and stays updated on regulatory changes. Your DPO should also have direct access to senior management and sufficient resources to fulfil their responsibilities. (Source: KPMG – Nigeria Data Protection Act 2023 Review)

The Function of Data Protection Compliance Organisations (DPCOs)

Data Protection Compliance Organisations provide specialised data protection compliance services to businesses. Importantly, these organisations must receive proper authorisation from the NDPC before offering their services.

DPCOs help you meet your compliance obligations by conducting audits, providing training, and advising on data protection matters. They can assess your privacy practices and identify gaps in your compliance framework.

If you engage a law firm for data protection compliance services, note that the NDPA requires accreditation rather than licensing. This distinction matters because lawyers already hold licences under the Legal Practitioners Act. As a result, the accreditation process for legal practitioners follows different rules than for other service providers.

You can use DPCOs to supplement your internal capabilities. However, they do not replace your own compliance responsibilities. The data controller remains ultimately responsible for compliance, even when working with a DPCO. 6030 Technologies is a fully licensed DPCO registered with the NDPC.

Data Security, Breach Notification, and International Transfers

The NDPA introduces stricter requirements for how you must protect personal data, report breaches, and handle cross-border transfers. These changes require you to implement specific security measures, follow tight notification timelines, and use approved transfer instruments when moving data outside Nigeria.

Data Security Requirements under NDPA

You must implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. The NDPA requires you to use security measures that match the sensitivity and volume of data you process.

Your security controls must include encryption for data in transit and at rest, access controls that limit who can view personal data, and regular security audits. In addition, you need to document all security decisions and maintain records of the safeguards you have put in place.

Data minimisation is now a core requirement. You can only collect and retain the minimum amount of personal data needed for your specific purpose. When you no longer need the data, you must therefore delete it according to documented retention schedules.

Personal Data Breach Notifications

You must report any personal data breach to the NDPC within 72 hours of becoming aware of it. A data breach includes unauthorised access, accidental loss, destruction, or any incident that compromises personal data security.

Your breach notification must include specific details: the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures you have taken or plan to take. Furthermore, you need to notify affected individuals directly when the breach poses a high risk to their rights and freedoms.

The NDPA imposes penalties for late reporting or failure to report data breaches. As a result, you should establish an incident response plan that allows you to detect, investigate, and report breaches within the required timeframe. (Source: CookieScript – NDPA Guide)

Cross-Border Transfers and Adequacy

You can only transfer personal data outside Nigeria under specific conditions. The NDPA requires you to ensure that the receiving country provides adequate protection for personal data, as determined by the NDPC.

Before transferring data internationally, you must conduct a Transfer Impact Assessment (TIA). This assessment evaluates whether the destination country’s laws and practices provide sufficient protection for the data you plan to transfer.

The NDPC maintains a list of countries with adequacy decisions. If you transfer data to an approved country, you do not need additional safeguards. For transfers to other countries, however, you must use approved transfer instruments and obtain prior approval from the NDPC.

Allowed Transfer Instruments and Contractual Clauses

When adequacy does not exist, you must use approved Cross-Border Data Transfer Instruments. The NDPA recognises several mechanisms: Standard Contractual Clauses, Binding Corporate Rules, and codes of conduct approved by the NDPC.

Standard Contractual Clauses (SCCs) are pre-approved contract templates that create legal obligations between you and the data recipient. You must use the NDPC’s official SCC templates and obtain commission approval before the transfer begins.

Binding Corporate Rules (BCRs) allow multinational organisations to transfer data between entities within the same corporate group. As with SCCs, you need NDPC approval for your BCRs. These must include enforceable data protection policies and individual rights mechanisms.

You must document all international data transfers and maintain records of your transfer mechanisms. Consequently, you should update your vendor contracts and data processing agreements to include the required transfer instruments and obtain the necessary approvals. Need help with cross-border data transfer compliance? Get in touch with our compliance team.

Compliance Audit Cycle, Filing Fees, and Practical Steps for 2026

The 2026 audit cycle introduces new filing fees ranging from ₦100,000 to ₦1,000,000, structured deadlines, and specific documentation requirements. Organisations classified as Data Controllers or Processors of Major Importance therefore face stricter obligations, including detailed records of processing activities and formal DPIAs.

Audit Filing Fees and Registration Deadlines

New official audit filing fees apply starting with the 2026 audit cycle. Your organisation will pay between ₦100,000 and ₦1,000,000 based on the volume of personal data you process.

You must conduct your first compliance audit within 15 months of starting business operations. After that, you need to complete audits annually. The January 2026 launch officially marks the start of the yearly data protection compliance audit cycle.

If your organisation qualifies as ultra-high-level or extra-high-level, you must file your Compliance Audit Returns (CAR) through a licensed DPCO. Regular high-level data controllers and processors of major importance can file directly without engaging a DPCO. 

You should register with the NDPC through their official portal. In most cases, the filing process and registration can be completed within one day after submitting your online application and paying the applicable fees.

Compliance for Major and Non-Major Organisations

Only Data Controllers and Processors of Major Importance must file CARs under the GAID. The directive removes some classification metrics from earlier guidance, making the criteria more specific and less broad.

Your organisation may be exempt from classification as a Data Controller or Processor of Major Importance under the updated Guidance Notice on Registration. Therefore, you need to review the new criteria to determine your classification status.

If you do not qualify as a major organisation, you still must comply with basic NDPA requirements. These include having proper data protection policies and responding to data subject rights requests. However, you will not face the same audit filing obligations or fees that apply to major organisations.

Records and Documentation: Processing, Policies, and DPIAs

You must maintain detailed records of processing activities. These records should document what personal data you collect, why you process it, and how you protect it. Your data protection policies and privacy policies must also be clear and accessible to data subjects, including vulnerable individuals.

When you provide information through privacy policies, you need to ensure it is comprehensible. If you cannot provide a privacy policy during physical events or interactions, you must make the information accessible in an alternative format. Remember that providing this information does not equal obtaining consent; these are separate obligations.

You must conduct a Data Protection Impact Assessment (DPIA) when your processing activities pose high risks to data subjects. The GAID includes a DPIA template you should use for consistency. Importantly, your DPIA must go through the Commission’s vetting process before you begin high-risk processing activities. (Source: NDPC GAID 2025)

Your data processing agreements need to clearly define the roles and responsibilities between data controllers and processors. These agreements protect both parties and demonstrate compliance with the NDPA.

Emerging Technologies and Sector-Specific Codes

The GAID addresses how you should handle emerging technologies in your data processing operations. Specifically, you need to assess new technologies for privacy risks before implementation and document your compliance approach.

Sector-specific codes of conduct provide tailored guidance for your industry. You should review whether a code of conduct exists for your sector and follow its provisions alongside the general NDPA requirements.

Capacity building is now a formal consideration under the GAID. As a result, you must train your staff on data protection principles and ensure your Data Protection Officer has adequate resources and support to perform their duties effectively.

Real-World Enforcement: Why Compliance Is No Longer Optional

The NDPC has made it clear that enforcement is active and ongoing. Two landmark cases in particular show the scale of penalties that non-compliant organisations can face.

In July 2024, following a 38-month joint investigation with the NDPC, the Federal Competition and Consumer Protection Commission (FCCPC) imposed a $220 million fine on Meta (Facebook, WhatsApp, and Instagram) for multiple data privacy violations, including unauthorised sharing of user data and failure to provide opt-out mechanisms. A tribunal subsequently upheld the penalty in April 2025.

In a separate case, the NDPC fined Multichoice Nigeria ₦766.2 million for violating the Nigeria Data Protection Act. The investigation found that Multichoice had breached subscribers’ privacy rights and carried out illegal cross-border transfers of personal data. (Source: Vanguard News)

These cases are not isolated. They demonstrate a clear enforcement trend. No organisation, regardless of size or profile, is exempt from the obligations of the NDPA.

The minimum fine for non-compliance is ₦10,000,000 or 2% of annual gross revenue, whichever is higher. By comparison, a full compliance package with a licensed DPCO costs a fraction of that amount.

Frequently Asked Questions

The shift from NDPR to NDPA brings specific changes to data protection definitions, legal bases for processing, and compliance requirements. Businesses now face clearer penalties, adjusted DPO requirements, and new registration obligations based on their size.

What are the key differences between NDPR and the new NDPA?

The NDPA provides a legislative framework passed by parliament, while the NDPR was a regulation issued by a government agency. This distinction is important because it addresses international standards that require data protection to be governed by law rather than regulation.

The NDPA also introduces legitimate interest as a legal basis for processing personal data. Under the NDPR, you could not rely on legitimate interest to process data without consent. Additionally, the definition of personal data is narrower under the NDPA. It now requires identification by reference to an identifier, which may exclude some artificial intelligence data.

Sensitive data now includes genetic data, biometric data, and information about conscience and philosophy. Furthermore, the NDPA removed references to data subjects’ nationality or lineage. This limits conflicts between different countries’ laws and makes it easier to determine which law applies.

Finally, data portability is no longer an automatic right. The Data Protection Commission can choose to reintroduce this right through future regulations.

How should businesses adapt their data protection programmes to comply with the NDPA?

First, review your legal bases for processing personal data. If you previously relied on legitimate interest, you must now document this basis properly since it was not available under the NDPR.

Second, expand your definition of what counts as a personal data breach. The NDPA includes breaches that are “likely to lead to” data security issues, not just actual breaches.

Third, determine if you qualify as a data controller or processor of major importance. If so, you must register with the Data Protection Commission within six months.

Finally, update your international data transfer mechanisms. You can now use binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms as alternatives to adequacy decisions. Need step-by-step support? Book a free consultation with 6030 Technologies.

Does the NDPA introduce any new responsibilities for data protection officers?

The NDPA limits the DPO requirement to data controllers of major importance only. Under the NDPR, every data controller had to designate a DPO. As a result, you may no longer need a DPO if you are not a controller of major importance.

However, if you are a Nigerian subsidiary of a multinational company and qualify as a controller of major importance, your DPO must be based in Nigeria. The local presence requirement remains in force. Your DPO must also have full access to management in Nigeria, even if they report to a global DPO.

What are the primary requirements introduced by the NDPA that were not part of the NDPR?

The most significant new requirements include: mandatory registration with the NDPC for controllers and processors of major importance; formal establishment of the NDPC as an independent authority; and the introduction of legitimate interest as a valid lawful basis for processing.

In addition, Data Protection Compliance Services now replace the specific mention of DPCOs. These services monitor, audit, and report on your compliance. Furthermore, you must assess whether your security breaches are “likely to lead to” data incidents, expanding your breach notification obligations beyond actual incidents.

What penalties do businesses face under the NDPA for non-compliance?

The NDPA provides a much stronger enforcement framework than the NDPR because it comes from parliament rather than a regulatory agency. This gives penalties greater legal weight and reduces challenges to enforcement authority.

Specifically, organisations can face fines of up to ₦10,000,000 or 2% of annual gross revenue, whichever is higher. The registration requirement for controllers and processors of major importance creates an additional enforcement point. Failure to register within six months can result in immediate penalties.

Your breach notification obligations are also broader under the NDPA. The expanded definition of a breach means you must report more potential incidents and face penalties if you fail to do so.


This article was prepared by 6030 Technologies, a licensed Data Protection Compliance Organisation (DPCO) registered with the Nigeria Data Protection Commission (NDPC). For professional NDPA compliance support, contact our team.

Sources and References

  1. Nigeria Data Protection Commission (NDPC) – Official Resources
  2. Nigeria Data Protection Act 2023 – Full Text (Nigeria CERT)
  3. NDPC General Application and Implementation Directive (GAID) 2025
  4. KPMG Nigeria – Nigeria Data Protection Act 2023 Review
  5. FCCPC – Tribunal Upholds $220M Fine Against Meta/WhatsApp
  6. Nairametrics – NDPC Fines Multichoice ₦766.2M
  7. Vanguard News – NDPC Fines Multichoice ₦766M
  8. CookieYes – Nigeria Data Protection Act (NDPA) 2023 Guide
  9. CookieScript – Understanding the Nigeria Data Protection Act 2023
  10. Global CBPR Forum – Nigeria Letter of Intent (NDPC Overview)
