Overview
The Nigeria Data Protection Commission (NDPC) has through a public notice issued on 25th August 2025, notified organizations in several critical sectors including banking, insurance, pensions, and gaming sectors that they are under investigation for non-compliance with the Nigeria Data Protection Act (NDPA) 2023. The Notice highlighted over 1,300 affected entities mandated to provide proof of compliance within 21 days.
NDPC Public Notice on Data Protection Compliance
The Nigeria Data Protection Commission (“NDPC”) issued a public compliance notice on 25th August 2025 to crackdown on compliance with the Nigeria Data Protection Act 2023 (“the Act”). The notice announces sector-by-sector investigations of organizations suspected of violating the NDP Act. In total, over 1,300 companies have been publicly named in this notice, including banks, insurance firms (and brokers), pension funds, gaming companies, and related service providers. These organizations are required to demonstrate compliance with the Act within 21 days of the notice. According to the NDPC, this move is part of its mandate and powers under the Act1 to safeguard data subjects' rights and strengthen Nigeria's digital economy through “responsible use of personal data”. The notice specifies clear actions that the named organizations must take. They have 21 days to provide the NDPC with evidence of the following compliance measures:
- Audit Return Filings: Proof that the company has submitted its 2024 NDP Act compliance audit returns (as required by the Act).
- Data Protection Officer (DPO): Evidence of the appointment of a qualified Data Protection Officer (including the person's name and contact details).
- Data Protection Measures: A summary of the technical and organizational measures in place to protect personal data within the organization.
- NDPC Registration: Confirmation that the company is registered with the NDPC as a data controller or processor of major importance.
Calculating the time, each of the above items must be documented and submitted to the NDPC on or before September 15, 2025.
The NDPC warns that failure to comply with this notice will trigger regulatory penalties under the Act. Specifically, the Commission states that non-compliant organizations could face formal enforcement orders, administrative fines, or even criminal prosecution.
Comments
The notice serves both as a compliance reminder and a warning: the NDPC is actively monitoring and enforcing adherence to the Act, and non-compliance can result in severe regulatory penalties. All entities must ensure they meet their obligations under the Act which may vary across sectors and business level. In practice, this means organizations should immediately appoint data protection officers if they have not already, file the required audit returns, and update/review their data protection policies and measures.
The Act applies not only to entities in the sectors highlighted by the notice, but every organization and individual in Nigeria using data. Essentially, no one is exempted from its scope of applicability, hence, promptly taking steps to achieve compliance will help organizations avoid enforcement regulatory penalties and protect the personal data rights of their clients, partners and employees.
A more urgent takeaway is the fact that the Notice is a clear signal that the NDPC will henceforth hold data controllers and processors strictly accountable. Entities listed in the Notice or operating in the named sectors should urgently review their data protection practices.
Footnote
1. Sections 5(i), 6(a), 6(c), 6(e)-(f), 46(3), and 47(1)-(2) of the NDPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
