NDPC Gives Banks, Insurers 21 Days For Data Audit

The Nigeria Data Protection Commission (NDPC) has ordered banks, insurance firms, gaming companies, and pension operators to provide evidence of compliance with the Nigeria Data Protection Act (NDP Act), 2023 within 21 days or face sanctions.
The directive was contained in a compliance notice signed by Babatunde Bamigboye, the commission’s head of legal, enforcement and regulations. “The NDP Act, 2023 seeks to safeguard the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999,” the commission said.
According to the notice, the law strengthens the legal foundations of Nigeria’s digital economy and ensures the country’s trusted and beneficial participation in regional and global economies through the responsible use of personal data.
The NDPC said the directive was issued pursuant to Sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the Act, mandating companies to submit proof of compliance within the timeline.
Organisations were asked to provide evidence of filing their NDP Act Compliance Audit Returns for 2024, proof of appointment of a Data Protection Officer including name and contact details, summary of technical and organisational measures for data protection, and evidence of registration as a Data Controller or Processor of Major Importance.
The commission warned that companies that fail to comply will face enforcement actions, which could include enforcement orders, administrative fines, or even criminal prosecution.
The agency said the measure was aimed at entrenching a culture of accountability and trust in Nigeria’s data protection ecosystem while safeguarding citizens’ privacy rights and strengthening the digital economy.