As data usage in Nigeria is fast becoming an inevitable part of business practices, the regulatory oversight of the National Information Technology Development Agency (NITDA) in protecting personal information now cuts across most sectors of the economy. More than ever before, it is important that all companies assess their practices in view of the Nigeria Data Protection Regulation (NDPR) to avoid penalties which could be as much as 1-2% of the annual revenue of the company.

In assessing the level of compliance by companies with the NDPR, NITDA requires companies to engage a licensed Data Protection Compliance Organisation (DPCO) to conduct a data protection audit and file the report with NITDA. Although the deadline for data protection audits for the audit year of 2020 to 2021 lapsed on June 30, 2021, companies who are yet to carry out the audit are encouraged to engage a DPCO who is empowered to apply and obtain specific extension for each company.

Companies who have been audited and therefore in good standing, are expected to continuously monitor their data protection practices, ensuring they remain compliant. In this article, we have itemised five things companies should do to properly monitor their data protection practices.

Appoint a Data Protection Officer

Any company or organisation that meets the following criteria is expected to appoint a Data Protection Officer (DPO) within 6 months of commencing operation. The company:

  1. processes personal information of over 10,000 Nigerians;
  2. processes sensitive personal information in the regular course of its business;
  3. processes critical national information; or
  4. is a government agency or ministry.

The DPO is to be knowledgeable in data protection; and will be responsible for monitoring compliance with the NDPR, advising the management, employees and third-party privy to personal information, and acting as the primary contact person for NITDA.

Conduct Data Protection Impact Assessment

A data protection impact assessment (DPIA) is a process carried out by the DPO to assess and minimise the possible risk to a data processing activity. For a company launching a new business process or activity which would involve the use of sensitive information or heavy use of personal information of individuals, the DPO of the company is to carry out a DPIA to identify, evaluate and minimise possible data protection risks. This will help companies address the risks in the processes and ensure continuous compliance with the NDPR.

Carry Out Regular Internal Audit

A company may monitor its compliance level by carrying out a periodic internal audit of its data protection practices to map, identify systems and improve these practices.

Conduct Periodic Due Diligence on Third Party

Under the NDPR, a company that qualifies as a data controller will be responsible for the actions of its data processors (data administrators) i.e. third parties using personal information to provide services to the business. Consequently, companies are expected to conduct due diligence on the third party to ensure their data processing practices are in line with the NDPR.

Submittoan Audit by a Licensed Data Protection Compliance Organisation

All companies that collect or process the personal information of over 1,000 individuals are required to submit to a data protection audit by a DPCO. The DPCO shall review the data protection documentation of the company, assess the systems and practices of the company and assess the knowledge of the staff before providing recommendations.


It is advisable for companies with the personal information of Nigerians (including foreign companies) to ensure such information is processed in compliance with the NDPR to avoid regulatory sanctions. These companies are further advised to implement these five steps to ensure their continued compliance with the NDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.