Briefly

NDPC Reaffirms Commitment to Public Trust, Highlights Recent Nationwide Cyber Drills for MDAs

Briefly
Nigeria Data Protection Commissionpress_release
press_releaseNigeria·Nigeria Data Protection Commission·Briefly Analysis

Abstract

The Nigeria Data Protection Commission (NDPC) has reiterated its unwavering commitment to fostering public trust in Nigeria's burgeoning digital economy. This reaffirmation is underscored by the Commission's recent nationwide Technical and Organisational Measures (TOMs) cyber drills, specifically designed for Ministries, Departments, and Agencies (MDAs) of the Federal Government. These drills aim to bolster the cybersecurity posture and data protection practices within the public sector, ensuring the secure handling of citizens' personal data in line with the Nigeria Data Protection Act (NDPA) 2023. The NDPC's proactive engagement, encompassing enforcement actions, capacity building, and strategic partnerships, signals a robust regulatory environment focused on accountability and the safeguarding of data subjects' rights.

Introduction

In an era defined by rapid digital transformation, the integrity and security of personal data have become paramount. The Nigeria Data Protection Commission (NDPC) recently underscored its dedication to upholding public trust, a cornerstone for the sustainable growth of Nigeria's digital economy. This commitment is not merely rhetorical but is actively demonstrated through strategic initiatives, notably the recent nationwide cyber drills conducted for Ministries, Departments, and Agencies (MDAs) across the Federal Government. These drills represent a critical step in operationalizing the robust framework established by the Nigeria Data Protection Act (NDPA) 2023.

The NDPC's focus on enhancing the technical and organizational measures within public sector entities highlights a proactive regulatory approach. As Nigeria continues to digitize public services and expand its digital infrastructure, the exposure to cyber threats and data breaches intensifies. The Commission's efforts are therefore crucial in building resilience, ensuring compliance, and ultimately safeguarding the fundamental rights and freedoms of data subjects as guaranteed under the Nigerian Constitution. This article will delve into the statutory underpinnings of the NDPC, analyze its recent actions, and explore the implications for legal practitioners navigating Nigeria's evolving data protection landscape.

Background

The journey towards a comprehensive data protection framework in Nigeria gained significant momentum with the enactment of the Nigeria Data Protection Act (NDPA) 2023, signed into law by President Bola Ahmed Tinubu on June 12, 2023. This landmark legislation replaced the Nigeria Data Protection Regulation (NDPR) 2019, which, while foundational, lacked the full legislative backing necessary for effective enforcement. The NDPA 2023 established the Nigeria Data Protection Commission (NDPC) as the principal regulatory authority, succeeding the Nigeria Data Protection Bureau (NDPB).

The primary objectives of the NDPA 2023, and by extension the NDPC, include safeguarding the fundamental rights and freedoms of natural persons to data privacy, promoting data processing practices that ensure the security of personal data, and strengthening the legal foundations of the national digital economy. The Commission is vested with extensive powers, including regulating data controllers and processors through registration and supervision, investigating complaints, conducting compliance audits, issuing enforcement orders, and imposing financial penalties for violations. It is also mandated to develop sector-specific guidelines, maintain public registers of data controllers and processors of major importance, and promote public awareness regarding data protection obligations and rights.

Analysis

The NDPC's reaffirmation of its commitment to public trust is concretely demonstrated through a series of regulatory actions and capacity-building initiatives. A significant recent development is the nationwide Technical and Organisational Measures (TOMs) Drill launched for IT administrators across Ministries, Departments, and Agencies (MDAs) of the Federal Government. This initiative is critical, as public sector digital systems are increasingly vulnerable to cyber threats and data breaches. The drills are designed to enhance the capacity of IT personnel in safeguarding government digital infrastructure, promoting best practices in data protection, and strengthening coordination among government institutions in addressing emerging cyber risks.

Beyond capacity building, the NDPC has shown a firm resolve in enforcement. The Commission has initiated sector-by-sector investigations into organizations suspected of non-compliance with the NDPA 2023, issuing compliance notices to over 1,368 organizations, including financial institutions, insurance companies, gaming companies, and pension companies. These organizations are required to provide evidence of filing compliance audit returns, designation of a Data Protection Officer (DPO), a summary of technical and organizational measures, and evidence of registration as a data controller or processor of major importance. Failure to comply within stipulated timeframes can lead to enforcement orders, administrative fines, and even criminal prosecution, signaling a shift towards stricter compliance.

Furthermore, the NDPC has actively investigated alleged privacy breaches in critical national databases, such as the Corporate Affairs Commission (CAC) and the National Identity Management Commission (NIMC), invoking Section 46(3) of the NDPA. These investigations underscore the Commission's growing emphasis on protecting personal data and sustaining trust in the digital economy. The NDPC also commenced a sector-wide investigation of tertiary institutions to assess compliance, recognizing the significant volume of personal data processed by these entities. These actions collectively reinforce the NDPC's mandate to ensure accountability and protect data subjects' rights, aligning with the broader objective of fostering a secure and resilient digital ecosystem that supports Nigeria's digital transformation.

The Commission is also forward-looking, with plans to review the NDPA 2023 to accommodate emerging technologies like Artificial Intelligence (AI), robotics, and big data. This proactive stance demonstrates an understanding that the regulatory framework must evolve to address new challenges posed by technological advancements, ensuring that Nigeria's data protection laws remain relevant and effective in a rapidly changing global digital landscape.

Conclusion

The NDPC's recent actions, particularly the emphasis on nationwide cyber drills for MDAs and its robust enforcement posture, send a clear message to all data controllers and processors in Nigeria: data protection compliance is not optional. For legal practitioners, this necessitates a heightened focus on advising clients on their obligations under the NDPA 2023 and its subsidiary legislation, such as the General Application and Implementation Directive (GAID).

Practitioners must ensure that organizations, especially those classified as 'data controllers or processors of major importance,' are fully compliant with requirements such as appointing qualified Data Protection Officers, conducting Data Protection Impact Assessments, implementing robust technical and organizational security measures, and filing annual compliance audit returns. The NDPC's commitment to public trust, backed by its investigative and enforcement powers, means that non-compliance carries significant legal and financial risks, including substantial administrative fines. As the Commission continues to deepen its regulatory oversight and adapt to emerging technologies, legal professionals must remain vigilant, proactive, and well-versed in the evolving nuances of Nigeria's data protection regime to effectively guide their clients in building a trusted and secure digital future.

Citations

  1. 1.Nigeria Data Protection Act 2023
  2. 2.Nigeria Data Protection Commission website (ndpc.gov.ng)
  3. 3.KPMG International: Nigeria Data Protection Act 2023 Review
  4. 4.Secure Privacy: Nigeria Data Protection Law: Complete NDPA Compliance Guide 2025
  5. 5.Aluko & Oyebode: Introducing the Nigeria Data Protection Act 2023
  6. 6.ICLG: Data Protection Laws and Regulations Report 2025 - 2026 Nigeria
  7. 7.The Future of Privacy Forum: Nigeria's New Data Protection Act, Explained
  8. 8.Wikipedia: Nigeria Data Protection Commission
  9. 9.Punch Newspapers: NDPC, Meta unveil two-year data protection initiative
  10. 10.African Law & Business: Nigeria launches widespread probe into data protection violations
  11. 11.Technology Times: Data protection: Nigeria flags 1368 companies over non-compliance
  12. 12.THISDAYLIVE: NDPC Unveils Plans to Review Data Protection Act to Address AI, Robotics, Other Emerging Technologies
  13. 13.YouTube: NDPC Trains MDAs IT Administrators on Data Protection and Cybersecurity
  14. 14.Businessday NG: NDPC probes CAC data breach, signals tighter enforcement
  15. 15.News Agency Of Nigeria: Digital Revolution: NDPC And The Task Of Deepening Data Protection
  16. 16.BusinessDay: NDPC flags rising cyberattacks, orders tighter data security across institutions
  17. 17.NDPC: NDPC Reaffirms Commitment to Public Trust, Highlights Recent Nationwide Cyber Drills for MDAs (June 26, 2026)
  18. 18.NDPC: Nigeria Data Protection Commission launches Technical Drill to enhance data protection (June 01, 2026)
  19. 19.NDPC: NDPC commences investigation of tertiary institutions over compliance issues (February 19, 2026)
  20. 20.NDPC: Nigeria Launches Investigations into Noncompliance with Nigeria Data Protection Act 2023 (August 27, 2025)
  21. 21.YouTube: ENFORCEMENT ACTION: NDPC Launches Sector-by-Sector Investigation into Non-Compliant Organisations (August 25, 2025)