The Nigeria Data Protection Commission (NDPC) has issued a 21-day ultimatum to banks, insurance companies, pension fund administrators, gaming operators and brokers suspected of violating the Nigeria Data Protection Act (NDPA) 2023.
In a statement on Sunday, the Commission said the directive is part of its sector-by-sector investigation to enforce compliance with the law, which came into effect last year to safeguard citizens’ rights and boost Nigeria’s standing in the global digital economy.
“The Nigeria Data Protection Commission, in furtherance of its mandate under the Nigeria Data Protection Act, 2023, has commenced a sector-by-sector investigation of organisations suspected of non-compliance with the provisions of the Act,” the NDPC said.
The notice, signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the Commission, was issued pursuant to sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the Act. The list of affected organisations will be published in national dailies on Monday, August 25, 2025.
“These organisations are required to, within 21 days of issuance, provide the following: evidence of filing NDP Act Compliance Audit Returns for 2024, evidence of designation or appointment of a Data Protection Officer, summary of technical and organisational measures for data protection within the organisation, and evidence of registration as a Data Controller or Processor of Major Importance,” the statement read.
The Commission warned that non-compliant firms would face tough sanctions. “Failure to comply with this Compliance Notice may result in enforcement actions, including the issuance of an Enforcement Order, administrative fines, and/or criminal prosecution in accordance with the NDP Act, 2023,” it added.
The NDPC stressed that its actions are aimed at safeguarding Nigerians’ digital rights and entrenching accountability in the sector.
“The NDPC remains committed to ensuring a culture of accountability and trust in Nigeria’s data protection and privacy ecosystem, while safeguarding the rights of data subjects and strengthening the nation’s digital economy,” it said.
The Commission has already shown its enforcement muscle by imposing heavy fines on defaulters. Multichoice Nigeria was fined N766.2m for what the NDPC described as “patently intrusive, unfair, unnecessary and disproportionate data practices,” including illegal cross-border transfers of subscriber data. Fidelity Bank was also fined N555.8m, equivalent to 0.1 per cent of its 2023 revenue, for processing personal data without informed consent.
Leave a comment