Briefly

June 30, 2026

Briefly
Nigeria Data Protection Commissionpress_release
press_releaseNigeria·Nigeria Data Protection Commission·Briefly Analysis

Abstract

On June 30, 2026, the Nigeria Data Protection Commission (NDPC) issued comprehensive guidelines on data breach notification and incident response, further operationalizing the Nigeria Data Protection Act (NDPA) 2023. These guidelines clarify the obligations of data controllers and processors regarding the identification, assessment, and reporting of personal data breaches, including specific timelines and content requirements for notifications to the NDPC and affected data subjects. The directive underscores the NDPC's commitment to robust enforcement and aims to provide much-needed clarity for organisations navigating Nigeria's evolving data protection landscape, particularly in light of increasing regulatory scrutiny and significant penalties for non-compliance.

Introduction

The Nigeria Data Protection Commission (NDPC) announced on June 30, 2026, the release of its comprehensive Guidelines on Data Breach Notification and Incident Response. This pivotal development marks a significant step in the operationalisation of the Nigeria Data Protection Act (NDPA) 2023, providing critical clarity for data controllers and processors across all sectors. The guidelines are a direct response to the escalating incidence of cyberattacks and data breaches, which pose substantial risks to the rights and freedoms of data subjects in Nigeria.

This latest directive from the NDPC is particularly pertinent for legal practitioners advising clients on data protection compliance. It elaborates on the statutory obligations enshrined in the NDPA 2023, offering detailed procedures and expectations for managing and reporting personal data breaches. The article will delve into the key provisions of these new guidelines, examining their implications for legal and compliance strategies, and highlighting the imperative for organisations to enhance their incident response capabilities to avoid severe administrative sanctions.

Background

Nigeria's data protection framework has undergone a significant transformation, evolving from the Nigeria Data Protection Regulation (NDPR) 2019 to the comprehensive Nigeria Data Protection Act (NDPA) 2023. The NDPA, signed into law on June 12, 2023, repealed the earlier regulation and established the Nigeria Data Protection Commission (NDPC) as the independent regulatory authority responsible for safeguarding data privacy and enforcing compliance across the nation. The NDPC's mandate includes monitoring, investigating, and imposing penalties for violations of the Act, thereby strengthening the legal foundations of Nigeria's digital economy.

A cornerstone of the NDPA 2023 is Section 40, which mandates data controllers to notify the NDPC within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects. Furthermore, where a breach is likely to result in a *high risk* to the rights and freedoms of data subjects, the affected individuals must also be notified without undue delay. These statutory requirements were further elaborated by the General Application and Implementation Directive (GAID) 2025, which serves as the operational rulebook for the NDPA. The NDPC has demonstrated an increasingly aggressive enforcement posture, with numerous investigations and significant fines imposed on non-compliant entities, signaling a shift towards a compliance-in-practice model.

Analysis

The NDPC's new Guidelines on Data Breach Notification and Incident Response, issued on June 30, 2026, provide critical detail on the existing statutory obligations under the NDPA 2023. These guidelines clarify the scope of what constitutes a 'personal data breach,' defined as a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. They further elaborate on the assessment criteria for determining whether a breach poses a 'risk' or 'high risk' to data subjects' rights and freedoms, which dictates the necessity and scope of notification.

Central to the guidelines is the strict 72-hour notification timeline for reporting breaches to the NDPC. The clock for this period begins the moment a data controller becomes 'aware' of a personal data breach. The guidelines clarify that 'awareness' is established when there is a reasonable degree of certainty that a security incident has compromised personal data, rather than merely the initial detection of an anomaly. Where it is impossible to provide all required information within this timeframe, the guidelines permit phased reporting, provided an initial notification is made promptly.

The content requirements for breach notifications to the NDPC are meticulously detailed. Data controllers must provide information on the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address and mitigate its effects. For breaches posing a high risk to data subjects, the guidelines mandate direct communication to affected individuals in clear and plain language, including advice on steps they can take to mitigate potential adverse effects.

Data processors also bear significant responsibilities under these guidelines, being explicitly required to notify their respective data controllers of any personal data breach without undue delay. This ensures a cascading notification process, enabling the data controller to meet their primary reporting obligations to the NDPC. The guidelines also touch upon the potential for overlapping regulatory obligations, particularly for entities like Internet Access Service Providers (IASPs) who may be subject to shorter 48-hour notification requirements under sector-specific instruments such as the Internet Code of Practice 2026.

Non-compliance with these guidelines carries substantial administrative fines, reinforcing the NDPC's robust enforcement architecture. Penalties can reach up to 2% of an organisation's annual gross revenue or NGN 10 million, whichever is higher, for controllers dealing with more than 10,000 data subjects. The NDPC has already demonstrated its willingness to impose significant sanctions, with recent enforcement actions against major corporations and financial institutions underscoring the serious implications of failing to adhere to data protection laws.

Conclusion

The NDPC's new Guidelines on Data Breach Notification and Incident Response represent a critical development for all entities processing personal data in Nigeria. For legal practitioners, these guidelines necessitate a thorough review of existing client compliance frameworks, particularly their incident response plans and data breach protocols. It is imperative that organisations not only understand the detailed requirements but also implement robust technical and organisational measures to prevent, detect, and respond to breaches effectively within the stipulated timelines.

Practitioners should advise clients to conduct regular data protection impact assessments, enhance staff training on data security and breach identification, and establish clear internal communication channels for incident reporting. The NDPC's intensified enforcement drive, coupled with these comprehensive guidelines, signals a zero-tolerance approach to data protection negligence. Proactive compliance and a well-rehearsed incident response strategy are no longer optional but essential for mitigating legal, financial, and reputational risks in Nigeria's increasingly regulated digital landscape. Staying abreast of future NDPC pronouncements and enforcement trends will be crucial for maintaining compliance.

Citations

  1. 1.Nigeria Data Protection Act 2023
  2. 2.Nigeria Data Protection Regulation 2019