The Nigeria Data Protection Commission (NDPC) has ordered banks, insurance firms, pension operators, and gaming companies to prove compliance with the Nigeria Data Protection Act (NDP Act), 2023, within 21 days—or face sanctions.
Compliance Demands
Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, explained that the Commission launched investigations after suspecting several organisations of failing to meet their obligations under the law.
Accordingly, companies must submit their 2024 Compliance Audit Returns, provide proof of a Data Protection Officer, outline their data protection measures, and confirm registration as a Data Controller or Processor of Major Importance.
Public Accountability
Read Also: Meta Grows Africa’s Digital Reach With New Data Hubs, Cables
Moreover, starting Monday, August 25, 2025, the NDPC will publish the names of organisations under investigation in national newspapers.
The NDP Act empowers the NDPC to enforce compliance.
Specifically, Sections 6(d), 32, 39, and 44 define the duties of data controllers, while Sections 5, 6, 46, and 47 give the Commission authority to impose fines, enforcement orders, or criminal prosecution.
Since enacting the law in 2023, the NDPC has aimed to protect Nigerians’ data rights and align the country with international standards.
Therefore, the Commission urged organisations handling large volumes of personal data to review their compliance status immediately.
Bamigboye concluded, “The Commission remains committed to promoting data protection and privacy in Nigeria.”
