Briefly

June 23, 2026

Briefly
Nigeria Data Protection Commissionpress_release
press_releaseNigeria·Nigeria Data Protection Commission·Briefly Analysis

Abstract

The Nigeria Data Protection Commission (NDPC) issued a significant press release on June 23, 2026, signaling a heightened focus on data processing compliance and accountability under the Nigeria Data Protection Act (NDPA) 2023. The release underscores the Commission's commitment to robust enforcement, particularly concerning data processing agreements and the obligations of data controllers and processors. This development reinforces the NDPC's proactive stance in safeguarding data privacy, building on its recent track record of investigations and substantial administrative fines. Legal professionals and entities operating in Nigeria must re-evaluate their data handling practices to align with the evolving regulatory landscape and avoid severe penalties.

Introduction

On June 23, 2026, the Nigeria Data Protection Commission (NDPC) released a pivotal statement that reverberated across Nigeria's digital economy, emphasizing its intensified commitment to enforcing the provisions of the Nigeria Data Protection Act (NDPA) 2023. This latest communication from the apex data protection regulator highlights a critical juncture in Nigeria's privacy landscape, moving firmly towards a regime of strict accountability and compliance. The press release, while not detailing specific enforcement actions, served as a clear directive to data controllers and processors to re-evaluate and fortify their data handling practices, particularly concerning the intricacies of data processing agreements and the overarching principles of data protection.

The NDPC's pronouncement reflects a strategic escalation of its regulatory oversight, building on a period of significant investigations and the imposition of administrative fines. It signals that the Commission is transitioning from an initial phase of awareness and guidance to a more assertive enforcement posture, where non-compliance will attract swift and substantial penalties. For legal practitioners, this development necessitates a thorough understanding of the NDPA 2023 and its subsidiary instruments, as clients will require urgent counsel on navigating the increasingly stringent compliance environment.

Background

The foundation of Nigeria's contemporary data protection framework is the Nigeria Data Protection Act (NDPA) 2023, which received presidential assent on June 12, 2023, and immediately came into force. This landmark legislation replaced the Nigeria Data Protection Regulation (NDPR) 2019, establishing a comprehensive statutory framework for personal data protection and creating the Nigeria Data Protection Commission (NDPC) as an independent regulatory authority. The NDPC is mandated to safeguard the rights of natural persons to data privacy, promote secure data processing practices, and strengthen the legal foundations of the national digital economy.

The NDPA 2023, drawing significant inspiration from international standards like the EU's GDPR, sets out core data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. To provide operational clarity and implement the Act's provisions, the NDPC issued the General Application and Implementation Directive (GAID) 2025, which became fully effective in September 2025. The GAID serves as the authoritative rulebook, detailing requirements for mandatory registration of Data Controllers and Processors of Major Importance (DCPMI), appointment of Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs), and stringent breach reporting obligations.

Analysis

The NDPC's June 23, 2026, press release aligns with its publicly stated intention to intensify enforcement in 2026, following a period of significant activity. The Commission has already demonstrated its resolve through various enforcement actions, including substantial fines against major corporations for data protection violations. For instance, in July 2025, MultiChoice Nigeria was fined N766.2 million for intrusive data practices and unlawful cross-border transfers, while Fidelity Bank faced a N555.8 million penalty in 2024 for processing personal data without informed consent. These cases underscore the NDPC's commitment to moving beyond 'compliance-on-paper' to 'compliance-in-practice'.

A key area of focus for the NDPC, as implied by the ongoing emphasis on accountability, is the proper execution and management of Data Processing Agreements (DPAs). The NDPA 2023 mandates that data controllers, when engaging third-party data processors, must ensure a contractual relationship that obligates the processor to comply with data protection principles. The press release likely reinforces the need for robust DPAs that clearly define the scope of processing, security measures, data subject rights, and breach notification protocols, as outlined in the NDPA and GAID. Failure to implement adequate DPAs or ensure processor compliance can lead to significant penalties, which for DCPMIs can reach up to 2% of annual gross revenue or NGN 10 million, whichever is greater, alongside potential criminal penalties for willful violations.

Furthermore, the NDPC's proactive approach includes sector-by-sector investigations, with compliance notices issued to entities in banking, insurance, pension, and gaming sectors. This targeted enforcement, coupled with the mandatory requirement for DCPMIs to appoint Data Protection Officers (DPOs) and conduct annual Data Protection Compliance Audits, signifies a comprehensive regulatory push. The extraterritorial application of the NDPA means that organizations outside Nigeria processing the personal data of Nigerian residents are also subject to these stringent requirements, making global compliance strategies essential.

The Commission's emphasis on accountability extends to the principles of data minimisation, purpose limitation, and the secure storage of personal data, as enshrined in Section 24 of the NDPA. Data controllers are expected to collect only necessary data, use it for specified purposes, and implement robust technical and organisational safeguards against breaches. The NDPC's recent activities, including the conclusion of 246 investigations and the generation of over N5.2 billion in compliance revenue, demonstrate its capacity and willingness to enforce these provisions rigorously.

Conclusion

The Nigeria Data Protection Commission's press release of June 23, 2026, serves as a critical reminder for all entities operating within Nigeria or processing the personal data of Nigerian citizens: data protection compliance is no longer a peripheral concern but a core operational imperative. Legal practitioners must guide their clients in conducting thorough compliance audits, reviewing and updating data processing agreements, and ensuring that their data protection officers are adequately empowered and resourced. The NDPC's shift towards aggressive enforcement, backed by the comprehensive NDPA 2023 and GAID 2025, means that proactive measures are indispensable to mitigate legal and financial risks.

Going forward, businesses should anticipate continued scrutiny from the NDPC, particularly in sectors identified for targeted investigations. It is crucial to foster a culture of data privacy within organisations, implement robust technical and organisational safeguards, and maintain meticulous records of processing activities. Staying abreast of further guidance and directives from the NDPC, and engaging with Data Protection Compliance Organisations (DPCOs) where necessary, will be vital for navigating Nigeria's evolving data protection landscape and ensuring sustained compliance in this era of heightened regulatory vigilance.

Citations

  1. 1.Nigeria Data Protection Act 2023
  2. 2.Nigeria Data Protection Commission (NDPC) - About Us
  3. 3.Nigeria Data Protection Commission (NDPC) - Resources
  4. 4.Nigeria Data Protection Commission (NDPC) - Welcome to NDPC
  5. 5.General Application and Implementation Directive (GAID) 2025
  6. 6.Multilaw - Data Protection Guide Nigeria
  7. 7.Secure Privacy - Nigeria Data Protection Law: Complete NDPA Compliance Guide 2025
  8. 8.Dimeri AI - Nigeria Data Protection Act (NDPA) 2023: Complete Compliance Checklist
  9. 9.KPMG International - Nigeria Data Protection Act 2023 Review
  10. 10.KPMG Agentic Corporate Services - The Nigeria Data Protection Act, 2023
  11. 11.Data protection laws in Nigeria - OneTrust DataGuidance
  12. 12.Pavestones Legal - STAYING AHEAD OF THE CURVE: NAVIGATING NIGERIA'S DATA PROTECTION COMPLIANCE LANDSCAPE
  13. 13.The Future of Privacy Forum - Nigeria's New Data Protection Act, Explained
  14. 14.ComplianceIQ - Nigeria Data Protection Act 2023 (NDPA) — AI Compliance Requirements
  15. 15.Lex Luminar - Data Protection Enforcement in Nigeria: Powers of the NDPC
  16. 16.Businessday NG - NDPC concludes 246 investigations, generates N5.2bn revenue in show of ironclad enforcement
  17. 17.Wikipedia - Nigeria Data Protection Commission
  18. 18.The Nation - Businesses Face Up to N10m Fine as NDPC Tightens Data Protection Audit Enforcement
  19. 19.Aluko & Oyebode - Introducing the Nigeria Data Protection Act 2023
  20. 20.TechCabal - Nigeria Just Collected ₦7.2 Billion in Data Privacy Penalties—And It's Just Getting Started
  21. 21.Cookie Script - Understanding the Nigeria Data Protection Act, 2023 (NDPA)
  22. 22.YouTube - ENFORCEMENT ACTION: NDPC Launches Sector-by-Sector Investigation into Non-Compliant Organisations
  23. 23.KENNA - NDPC's 2025 Crackdown: The Hidden Costs of Data Protection Non-Compliance
  24. 24.Global CBPR Forum - Annex 1 OVERVIEW OF THE NIGERIA DATA PROTECTION ACT, 2023 AND IMPLEMENTATION BY THE NIGERIA DATA PROTECTION COMMISSION
  25. 25.Nigeria Data Protection Commission - GUIDANCE NOTICE REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS OF MAJOR IMPORTANCE AND ALL MATTERS CONNECTED THEREWITH
  26. 26.Aluko & Oyebode - Privacy Please – Third Party Data Processing Agreements and Notification Requirements – Series 5
  27. 27.How to Draft a Compliant Data Processing Agreement in Nigeria (NDPA 2023 Guide)
  28. 28.Data Breaches: Compliance obligations under the Nigerian Data Protection Act 2023
AI Business Impact

How does this affect your business?

Get an AI analysis of this article grounded in your jurisdictions, practice areas, and any policy documents you've uploaded to Wansom.