
June 2026 has been one of the most active months in the three-year history of the Nigeria Data Protection Act. The Nigeria Data Protection Commission (NDPC) marked the third anniversary of the NDPA’s signing with a series of significant announcements, the most consequential of which is a planned review of the Act itself. At the same time, a landmark two-year data protection programme funded by Meta Platforms was launched, and major public sector capacity-building initiatives were rolled out.
If your organization has not yet registered with the NDPC, filed its Compliance Audit Report, or appointed a Data Protection Officer, this month’s developments make that delay significantly more costly. Here is what happened and what it means for you.
Summary: NDPC plans NDPA 2023 amendment to explicitly cover AI, robotics and big data. Meta-funded M-SIDP programme launched June 8. NDPC and NIMC enrolled 4,000 public sector staff in privacy training. Enforcement continues: ₦10M+ maximum penalty, 1,348+ compliance notices already issued.
• The NDPC is seeking a formal review of the NDPA 2023 to address AI, robotics, and big data; stricter and more specific compliance obligations are coming
• The Meta-Supported Initiatives for Data Protection (M-SIDP), launched June 8, 2026, signals deepening institutional capacity and enforcement confidence
• With 38,677 organizations registered and 8,155+ CAR filings submitted, compliance is now mainstream. Non-compliant organizations are increasingly visible to regulators
• Now is the time to register, file, and build your compliance infrastructure before the NDPA becomes even more prescriptive
On June 19, 2026, speaking at an event marking the third anniversary of the NDPA’s signing into law by President Bola Tinubu, the National Commissioner and Chief Executive Officer of the NDPC, Dr Vincent Olatunji, announced that the Commission plans to seek a review of the Nigeria Data Protection Act 2023.
The core reason is straightforward: when the NDPA was drafted, artificial intelligence had not yet become central to Nigeria’s digital economy in the way it has today. Dr Olatunji acknowledged this directly, noting that the existing Act’s references to emerging technologies are too broad to effectively govern AI, robotics, machine-learning models, and big data applications.
He stated: “We are in the era of emerging technologies. At that time, we could only make general references to emerging technologies, but today we can specifically mention Artificial Intelligence, robotics and big data. Ten years ago, nobody was talking about AI the way we are now, but today it has become central to virtually every aspect of digital transformation. We need to be more specific.”
The proposed review is not merely symbolic. The National Assembly’s Senate Committee on ICT and Cybersecurity, chaired by Senator Afolabi Salisu, has separately confirmed that lawmakers are already reviewing the legislation to ensure it addresses developments in AI and emerging cybercrime threats. Both the regulator and the legislature are moving in the same direction simultaneously.
Industry experts and legal analysts have identified several gaps the review is expected to close:
• Automated decision-making: the current Act lacks explicit rules on algorithmic profiling and AI-driven decisions that affect individuals
• Machine-learning model training: organizations using personal data to train AI models need specific governance requirements
• Big data processing: large-scale aggregation and analysis of personal data requires more targeted controls than the current framework provides
• Human-in-the-loop mandates: Dr Olatunji was explicit: “We still need the human component. We should not leave everything to artificial intelligence.” Future amendments are expected to mandate human oversight for high-risk automated systems
• Digital footprints and cross-platform data: continuous regulatory attention to how behavioral data is collected across digital platforms

For organizations already operating with AI or planning to deploy it in credit scoring, customer profiling, fraud detection, marketing automation, or HR systems, this review signals a period of increased scrutiny. The review process will likely take some time to conclude, but the direction is clear: specificity is replacing generality, and enforcement will follow.
Organisations that begin strengthening their internal data governance frameworks now, before the amended law takes effect, will be in a significantly stronger position than those who wait for the new rules and scramble to catch up.
As a starting point, this means conducting a comprehensive data audit to understand what personal data your organisation holds and how it is processed, documenting any AI systems and their data inputs, and ensuring your existing NDPA compliance is solid before stricter obligations arrive.
On June 8, 2026, the NDPC launched the Meta-Supported Initiatives for Data Protection (M-SIDP), a two-year programme funded by Meta Platforms as part of a court-approved settlement concluded in 2025. The settlement followed regulatory proceedings over concerns about how Meta processed the personal data of Nigerian users across Facebook, Instagram, and WhatsApp.
The programme is built around four strategic pillars:
• Governance, research, and development: strengthening the institutional foundations of Nigeria’s data protection ecosystem through policy work and research
• Safety and sustainability: promoting stronger privacy and security practices across digital platforms and technology systems
• Capacity building for DPOs and DPCOs: training and developing the professionals responsible for implementing compliance, including Data Protection Officers and licensed Data Protection Compliance Organizations
• Public awareness: educating ordinary Nigerians about their data rights, with specific focus on children, elderly users, rural communities, and vulnerable groups
The M-SIDP launch carries a signal that goes beyond the specific programme content. It demonstrates that the NDPC has the institutional credibility and enforcement capability to hold one of the world’s largest technology companies accountable and extract concrete, publicly beneficial commitments. The Commission was explicit that the settlement does not limit its regulatory authority: Meta’s funding does not buy Meta immunity from future enforcement.
For Nigerian businesses, the practical implication is this: if the NDPC has the leverage to impose a $220 million settlement on Meta and turn it into a national compliance programme, the enforcement capacity directed at local organizations such as banks, fintechs, healthcare providers, and e-commerce platforms is proportionately significant.
On June 14, 2026, the NDPC and the National Identity Management Commission (NIMC) announced a major capacity-building initiative. Approximately 4,000 NIMC staff will be enrolled in the NDPC’s Virtual Privacy Academy (VPA), a structured training programme covering data protection principles and responsible data handling practices.
NIMC is the custodian of Nigeria’s foundational identity system, the National Identity Number (NIN) and all associated biometric data. The fact that the NDPC is prioritizing privacy capacity building at this institution reflects the Commission’s focus on securing the most sensitive data repositories in the country.
For private sector organizations, this development has a direct implication: if public institutions are being held to structured privacy training standards, regulated private sector entities in banking, fintech, healthcare, and telecoms will face comparable expectations. Staff training is not a peripheral compliance activity; it is a core NDPA obligation.
These are the current enforcement metrics published by the NDPC, as of mid-2026:
• 38,677 organisations registered as data controllers or processors of major importance
• 307 licensed Data Protection Compliance Organizations (DPCOs) – 6030 Technologies is one of them
• 8,155+ Compliance Audit Reports (CARs) submitted
• 1,348 organisations issued formal compliance notices across banking, insurance, pensions, and gaming sectors
• 246 investigations into data protection and privacy breaches concluded
• ₦16.2 billion – the current estimated value of Nigeria’s data protection industry, up from ₦5.5 billion at the time the NDPA was signed
• ₦766.2 million – fine imposed on MultiChoice Nigeria
• ₦555.8 million – fine imposed on Fidelity Bank for processing personal data without informed consent
• $220 million – administrative penalty against Meta Platforms, upheld through court proceedings
These figures represent a regulator in active enforcement mode, not one that is still building its framework. The question for any organization that has not yet registered or filed is not whether enforcement will come, but when.

Taken together, June 2026’s NDPC developments point in one direction: the compliance window is closing. Here is what organisations should prioritise immediately.
If your organization collects, processes, or stores personal data of Nigerian residents, and almost every business does, you are required to register with the NDPC as a data controller or processor. With the NDPA review underway, registration requirements are unlikely to become less onerous. Register now, on the current framework, before amended rules add further obligations.
The CAR deadline for 2025 was extended to May 30, 2026. If your organization has not yet filed, you are already in a late position and face a 50% surcharge on applicable fees. Do not wait for the next cycle; get your filing in order immediately. The CAR requires documented evidence of your data protection practices, policies, breach notification procedures, and staff training activities.
If your organisation processes large volumes of sensitive personal data, monitors data subjects at scale, or falls within the DCPMI categories defined by the GAID, you are required to have a registered DPO. Organisations that do not meet the threshold for a mandatory DPO should still seriously consider engaging one, given the direction of the NDPA review.
With the NDPA review targeting AI, robotics, and big data, organisations that deploy automated decision-making systems need to document those systems now. Your privacy policy, data processing notices, and consent mechanisms should reflect your actual data practices. The gap between what your policy says and what you actually do is exactly what NDPC investigators look for.
If your organization uses AI in any capacity, such as credit scoring, fraud detection, customer service automation, HR screening, or marketing profiling, begin building the governance documentation now. This includes an inventory of AI systems and their training data, records of human oversight mechanisms, and DPIA documentation for high-risk automated processing activities.
Does the NDPA review mean I have to comply with new rules immediately?
No. The review is a process that will involve the NDPC, the National Assembly, and stakeholder consultations before any amended legislation is signed into law. However, the direction is clear and the timeline could be shorter than expected given that both the regulator and the legislature are moving concurrently. Organisations should use the current period to strengthen their compliance under the existing framework, so they are well-positioned when the amended rules arrive.
My organisation is not a fintech or bank. Does NDPA 2023 still apply to me?
Yes. The NDPA applies to any organization that collects, processes, or stores the personal data of Nigerian residents regardless of sector. This includes schools, hospitals, e-commerce businesses, consulting firms, NGOs, media companies, and government agencies. If you hold a name, phone number, email address, or any other information that can identify a person, the NDPA applies to you.
What is a Compliance Audit Report and when is it due?
A Compliance Audit Report (CAR) is an annual submission to the NDPC documenting your data protection practices, security controls, breach history, staff training activities, and processing records for the preceding year. It is required of all registered data controllers and processors of major importance. The standard deadline is March 15 annually, though the 2025 CAR deadline was extended to May 30, 2026. Late filings attract a 50% surcharge. A licensed DPCO such as 6030 Technologies can prepare and file your CAR on your behalf.
What is the difference between a DPO and a DPCO?
A Data Protection Officer (DPO) is an individual appointed within or on behalf of an organization to oversee data protection compliance. A Data Protection Compliance Organization (DPCO) is a firm licensed by the NDPC to provide data protection advisory and compliance services to other organizations. 6030 Technologies is a licensed DPCO. We can provide DPO services, file your CAR, conduct your data audits, and manage your ongoing NDPC compliance.
What will the NDPA amendment mean for organisations using AI?
The amendment is expected to introduce more specific obligations around automated decision-making, machine-learning model training using personal data, and algorithmic profiling. This will likely include mandatory Data Protection Impact Assessments for AI deployments, documentation requirements for AI systems and their data sources, human-in-the-loop governance for high-risk automated decisions, and explicit consent or legal basis requirements for AI-driven processing. Organisations should begin building AI governance frameworks now, before these requirements become law.
How long does NDPC registration take?
Registration timelines vary but typically take two to six weeks from submission of a complete application. The process involves providing details of your organisation’s data processing activities, legal basis for processing, security measures in place, and DPO appointment. Working with a licensed DPCO significantly reduces the back-and-forth that can delay registration.
Is Your Organisation Ready for What Is Coming? 6030 Technologies Can Get You There.
The NDPC’s June 2026 announcements are not background noise. They are the clearest signal yet that Nigeria’s data protection enforcement is maturing, expanding, and becoming more technically specific. Organizations that are not registered, have not filed their CAR, or are running AI systems without governance documentation are exposed.
6030 Technologies is a licensed Data Protection Compliance Organisation (DPCO) under the Nigeria Data Protection Act 2023. Our principals hold CISSP, CRISC, CISM, OSCP, GCIH, and GWAPT certifications. We have helped Nigerian banks, fintechs, healthcare organisations, and government agencies build compliance programmes that satisfy NDPC auditors and hold up under scrutiny.
What we provide:
NDPC Registration – We register your organization as a data controller or processor and manage your compliance profile with the Commission.
CAR Filing – We prepare and submit your annual Compliance Audit Report accurately and on time, with full documentation.
Data Protection Officer (DPO) as a Service – We provide a qualified, NDPC-registered DPO without the cost of a full-time hire.
Data Audit and Gap Analysis – We assess your current data processing practices against NDPA 2023 requirements and produce a prioritized remediation roadmap.
DPIA – We conduct Data Protection Impact Assessments for high-risk processing activities, including AI deployments.
Privacy Policy and Documentation – We draft and update your privacy notices, consent mechanisms, data processing records, and internal policies.
Staff Training – We deliver staff data protection training aligned with NDPA 2023 requirements, with attendance records for your CAR filing.
SecureProbe – Our AI-powered attack surface scanner produces the security evidence the NDPC requires as part of your compliance posture – identifying and fixing vulnerabilities before auditors or attackers find them.
The CAR deadline has passed. The NDPA review is underway. Now is the time to act.
Book a free consultation:
📧 info@6030technologies.com