The Nigeria Data Protection Commission (NDPC) has issued a 21-day ultimatum to banks, insurance firms, pension fund administrators, gaming operators, and insurance brokers to provide evidence of compliance with the Nigeria Data Protection Act (NDP Act) 2023 or face sanctions.
In a compliance notice signed by Babatunde Bamigboye, NDPC’s Head of Legal Enforcement and Regulations, the commission warned that defaulters risk enforcement measures including administrative fines, criminal prosecution, and enforcement orders.
“The NDP Act, 2023 seeks to safeguard the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999,” the notice stated. “It strengthens the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through the responsible use of personal data.”
The NDPC cited sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the Act, mandating firms to submit within 21 days: evidence of filing their 2024 compliance audit returns (Section 6(d)); details of their designated Data Protection Officer (Section 32); a summary of organisational and technical data protection measures (Section 39); and proof of registration as a Data Controller or Processor of Major Importance (Section 44).
The commission said it will publish the list of affected organisations in national newspapers on August 25, 2025. It described the compliance exercise as critical to building accountability and trust in Nigeria’s data protection ecosystem, “while safeguarding the rights of data subjects and strengthening the nation’s digital economy.”
