INTRODUCTION
On 25 August 2025, the Nigerian Data Protection Commission (“NDPC” or “the Commission”) issued a sector-wide compliance notice pursuant to its powers under Sections 5(i), 6(a), 6(c), 46(3), and of the Nigerian Data Protection Act 2023 (“NDPA” or “the Act”). The notice, titled “Compliance Notice: NDPC Commences Sector-By-Sector Investigation in Compliance with NDPA 2023”, signals the Commission’s intent to investigate and enforce compliance with the NDPA across several regulated sectors.
Why Did NDPC Issue a Compliance Notice?
The compliance notice was prompted by reported instances of non-compliance and suspected breaches relating to the processing of personal data. In response, the NDPC has mandated organisations in specified industries to submit documentation evidencing their data protection compliance within twenty-one (21) days of the notice. Failure to comply may result in administrative penalties, monetary fines, or criminal liability.
This article provides a legal analysis of the compliance obligations under the NDPA, identifies the sectors affected, and outlines the practical steps required for organisations to achieve compliance.
SECTORS UNDER INVESTIGATION
The Commission has identified the following sectors as the immediate focus of its enforcement efforts:
- Insurance companies
- Pension fund administrators and custodians
- Gaming and betting companies
- Financial institutions
- Insurance brokers
These sectors, due to the volume and sensitivity of personal data they process, are deemed to be of significant regulatory importance.
STATUTORY COMPLIANCE OBLIGATIONS
Organisations operating within the affected sectors are required to submit the following within the stipulated 21-day period:
- Evidence of Filing Compliance Audit Returns (CARs) for 2024
In accordance with Section 6(d) of the NDPA, data controllers and processors are required to file their annual Compliance Audit Returns (CARs). The CARs must detail the organisation’s data protection framework, risk assessment processes, and mitigation strategies.
Upon successful submission and approval, the Commission may issue an Audit Trust Mark as a formal attestation of compliance.
- Evidence of Appointment of a Data Protection Officer (DPO)
Pursuant to Section 32 of the NDPA, each organisation is required to designate a qualified Data Protection Officer (DPO). The DPO must possess the requisite knowledge of data protection law and shall be responsible for monitoring compliance, advising on data processing practices, and acting as the liaison between the organisation and the NDPC.
Organisations must submit the full name and contact details of their appointed DPO.
- Summary of Technical and Organisational Measures (TOMs)
Under Section 39 of the NDPA, data controllers and processors are obligated to implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data. These measures should protect against unauthorised access, accidental loss, unlawful processing, or data breaches.
A summary of the organisation’s current TOMs is required as part of the compliance response.
- Evidence of Registration as a Data Controller or Processor of Major Importance
Entities that process a significant volume of personal data or data of sensitive importance are classified under the NDPA as “Data Controllers or Processors of Major Importance.” Such entities must be registered with the NDPC under the statutory framework established by the Act.
Affected organisations are required to provide evidence of such registration or demonstrate eligibility under this category.
NEXT STEPS FOR AFFECTED ORGANISATIONS
With the regulatory deadline fast approaching, organisations within the targeted sectors are advised to take immediate steps to ensure full compliance. Non-compliance may expose defaulting entities to administrative fines under Section 48 of the NDPA, in addition to potential criminal liability for serious breaches.
Recommended actions include:
- Conducting a comprehensive internal compliance audit to assess the organisation’s data protection framework.
- Verifying the appointment and qualifications of the DPO and ensuring that internal policies reflect the DPO’s responsibilities under the NDPA.
- Reviewing and updating technical and organisational safeguards to ensure alignment with statutory data protection principles.
- Confirming registration status with the NDPC, particularly for entities that qualify as controllers or processors of major importance.
- Engaging qualified legal counsel or compliance professionals to advise on regulatory obligations, documentation, and submission of required reports.
CONCLUSION
The NDPC’s recent enforcement initiative marks a significant development in Nigeria’s evolving data protection landscape. The sectoral investigation serves as a clear indication that the Commission intends to rigorously implement the provisions of the NDPA 2023 and hold non-compliant entities accountable.
Organisations are urged to view this as an opportunity to strengthen their data governance structures and establish sustainable compliance mechanisms. The cost of inaction—both reputational and financial—could be severe.