— Overview
Understanding NDPA
The Nigeria Data Protection Act 2023 represents a watershed moment for data protection in Africa's largest economy and most populous nation. Prior to the NDPA, Nigeria relied on the Nigeria Data Protection Regulation 2019 (NDPR) — a subsidiary legislation issued by NITDA that lacked the full force of primary legislation. The NDPA elevates data protection to statutory law, establishes an independent commission, and aligns Nigeria with global best practices.
The Act applies to any processing of personal data by a data controller or processor who is domiciled, resident, or operating in Nigeria, as well as any processing of personal data of data subjects who are in Nigeria — regardless of where the controller or processor is located. This extraterritorial scope is critical for AfriVest's operations, as our platform serves Nigerian cooperatives, investors, and institutions across multiple jurisdictions.
The NDPA establishes six core principles of data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. These principles mirror the GDPR framework, making compliance familiar for organizations already operating under European standards.
For AfriVest, NDPA compliance is essential because Nigeria represents our largest addressable market — with over 220 million people, 40 million cooperative members, and a rapidly growing digital economy. Our tokenization platform, cooperative governance tools, and financial inclusion infrastructure all process personal data of Nigerian data subjects, requiring full compliance with the NDPA's provisions on consent, data subject rights, cross-border transfers, and security measures.
The establishment of the NDPC as an independent regulator — replacing the previous NITDA oversight — signals Nigeria's commitment to robust data protection enforcement. The Commission has powers to conduct investigations, issue enforcement notices, impose administrative sanctions, and refer criminal matters for prosecution.
— Key Provisions
Core Provisions of NDPA
Lawful Basis for Processing
Processing must be based on consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests. AfriVest primarily relies on consent and contractual necessity for cooperative member data, with legitimate interests for fraud prevention and platform security.
Data Protection Impact Assessment
Controllers must conduct DPIAs before processing that is likely to result in high risk to data subjects — including large-scale processing of sensitive data, systematic monitoring, and automated decision-making. AfriVest conducts DPIAs for all new product launches and significant processing changes.
Data Protection Officer
Controllers processing personal data on a large scale or processing sensitive personal data must appoint a Data Protection Officer. AfriVest has appointed a DPO for our Nigerian operations who reports directly to the board.
Cross-Border Transfer Safeguards
Personal data may only be transferred outside Nigeria if the recipient country provides adequate protection, or appropriate safeguards are in place (binding corporate rules, standard contractual clauses, or NDPC-approved mechanisms).
Breach Notification
Controllers must notify the NDPC of a personal data breach within 72 hours of becoming aware, and notify affected data subjects without undue delay where the breach is likely to result in high risk.
Children's Data Protection
Special protections for processing personal data of children (under 18), requiring parental consent and prohibiting processing that is detrimental to the child's wellbeing.
— Data Subject Rights
Individual Rights Under NDPA
Right to Information
Data subjects must be informed about the collection and processing of their personal data, including the identity of the controller, purposes, and recipients.
Right of Access
Data subjects can request and obtain confirmation of whether their data is being processed, and access to that data along with supplementary information.
Right to Rectification
Data subjects can request correction of inaccurate personal data and completion of incomplete data without undue delay.
Right to Erasure
Data subjects can request deletion of their personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful.
Right to Data Portability
Data subjects can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object
Data subjects can object to processing based on legitimate interests or public interest, and to processing for direct marketing purposes.
— Compliance
Compliance Requirements
Registration with NDPC
Data controllers of major importance must register with the Nigeria Data Protection Commission and maintain current registration.
Privacy Policy Publication
Controllers must publish a clear, accessible privacy policy detailing processing activities, lawful bases, data subject rights, and contact information.
Data Processing Records
Maintain comprehensive records of all processing activities, including purposes, categories of data subjects, recipients, transfers, and retention periods.
Security Measures
Implement appropriate technical and organizational measures to ensure security of processing, including encryption, pseudonymization, and regular testing.
Annual Compliance Audit
Controllers of major importance must conduct annual data protection compliance audits and submit reports to the NDPC.
Consent Records
Maintain demonstrable records of consent obtained from data subjects, including the specific information provided and the mechanism used.
— Enforcement
Penalties & Enforcement
For data controllers processing data of more than 2,000 data subjects within 6 months.
For data controllers not classified as controllers of major importance.
For offenses including obstruction of the Commission, unauthorized disclosure, and failure to comply with enforcement notices.




