Nigerian Data Protection Regulation (NDPR)

  • Maximum Fine: 2% of annual revenue
  • Scope: National
  • Regulator: NITDA
  • Enacted: 2019

Overview

The Nigerian Data Protection Regulation (NDPR) establishes comprehensive requirements for the processing of personal data in Nigeria, enforced by the National Information Technology Development Agency (NITDA).

Key Facts

  • Enacted in 2019
  • Enforced by NITDA
  • Requires annual data protection audit

Key Principles

Lawfulness and Consent

Personal data must be processed lawfully and with proper authorization.

Requirements

  • Obtain valid consent
  • Identify legal basis
  • Document processing grounds
  • Regular compliance reviews
  • Maintain consent records

Examples

  • Consent mechanisms
  • Legal basis documentation
  • Processing records
  • Compliance reports

Data Security

Implementation of appropriate security measures to protect personal data.

Requirements

  • Implement security controls
  • Regular risk assessments
  • Staff training
  • Incident response plans
  • Security monitoring

Examples

  • Security policies
  • Training programs
  • Incident procedures
  • Monitoring systems

Data Localization

Requirements for storing and processing personal data within Nigeria.

Requirements

  • Local storage implementation
  • Cross-border transfer controls
  • Regular audits
  • Compliance monitoring
  • Documentation maintenance

Examples

  • Storage policies
  • Transfer procedures
  • Audit reports
  • Compliance records

Compliance Requirements

Data Protection Officer

Requirements for appointing and maintaining a Data Protection Officer position.

Implementation Steps

  • Appoint qualified DPO
  • Define responsibilities
  • Ensure independence
  • Provide resources
  • Document activities

Required Documentation

  • DPO appointment letter
  • Role description
  • Activity reports
  • Training records
  • Resource allocation

Annual Data Protection Audit

Requirement to conduct an annual data protection audit.

Implementation Steps

  • Engage licensed auditor
  • Conduct comprehensive audit
  • Document findings
  • Implement recommendations
  • Submit audit report

Required Documentation

  • Audit reports
  • Findings documentation
  • Action plans
  • Implementation records
  • Submission receipts

International Transfers

Requirements for transferring personal data outside Nigeria.

Implementation Steps

  • Assess transfer necessity
  • Implement safeguards
  • Obtain approvals
  • Document transfers
  • Monitor compliance

Required Documentation

  • Transfer assessments
  • Safeguard documentation
  • Approval records
  • Transfer logs
  • Monitoring reports

Enforcement & Penalties

Administrative Penalties

NITDA can impose significant administrative penalties for violations.

Penalty Categories

  • Severe Violations: 2% of annual gross revenue (for serious breaches of NDPR requirements)
  • Processing Violations: 1% of annual gross revenue (for unauthorized processing of personal data)
  • Documentation Violations: 0.5% of annual gross revenue (for failure to maintain required documentation)

Example Cases

  • Major Bank: NGN 100M (2023, unauthorized data sharing and insufficient security measures)
  • Telecom Provider: NGN 75M (2022, failure to conduct mandatory data protection audit)

Additional Measures

NITDA can impose various corrective measures beyond monetary penalties.

Penalty Categories

  • Processing Bans (Temporary or Permanent): suspension of data processing activities
  • Criminal Prosecution (Case Referral): referral to Attorney General for prosecution
  • Public Notice (Publication): public disclosure of violations

Example Cases

  • Tech Company: Processing Ban (2023, ordered to cease illegal data collection practices)
  • Financial Institution: Public Warning (2022, public notice of repeated compliance failures)