The Nigeria Data Protection Commission (NDPC) has given organisations in banking, insurance, pensions, and gaming 21 days to show proof of compliance with the Nigeria Data Protection Act (NDP Act), 2023, or face sanctions.
In a statement issued in Abuja, Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, said the notice follows the launch of an investigation into organisations suspected of failing to meet their obligations under the Act.
According to the Commission, Compliance Notices have been sent to several organisations, requiring them to submit within 21 days evidence of filing their 2024 Compliance Audit Returns, proof of appointment of a Data Protection Officer (with contact details), a summary of data protection measures in place, and evidence of registration as a Data Controller or Processor of Major Importance.
“This exercise is to ensure that organisations are not only aware of their obligations under the NDP Act but are taking steps to comply,” Bamigboye said.
The NDPC added that a list of organisations under investigation would be published in national newspapers beginning Monday, August 25, 2025.
Relevant provisions of the Act include Sections 6(d), 32, 39 and 44, which outline the responsibilities of data controllers and processors. The Commission is acting under its enforcement powers provided in Sections 5, 6, 46 and 47.
Sanctions for non-compliance may include enforcement orders, administrative fines, or criminal prosecution.
Enacted in 2023, the NDP Act aims to protect the data rights of Nigerians and align the country’s data governance with international standards.
The NDPC urged organisations that process significant volumes of personal data to review their compliance status and take the necessary steps to meet the law’s requirements.
“The Commission remains committed to promoting data protection and privacy in Nigeria,” the statement added.