AfriVest — Digitizing Africa

Nigeria — Regional Standard

NDPA

Nigeria's comprehensive data protection legislation — establishing the NDPC and protecting 220 million citizens' digital rights

— Overview

Understanding NDPA

The Nigeria Data Protection Act 2023 represents a watershed moment for data protection in Africa's largest economy and most populous nation. Prior to the NDPA, Nigeria relied on the Nigeria Data Protection Regulation 2019 (NDPR) — a subsidiary legislation issued by NITDA that lacked the full force of primary legislation. The NDPA elevates data protection to statutory law, establishes an independent commission, and aligns Nigeria with global best practices.

The Act applies to any processing of personal data by a data controller or processor who is domiciled, resident, or operating in Nigeria, as well as any processing of personal data of data subjects who are in Nigeria — regardless of where the controller or processor is located. This extraterritorial scope is critical for AfriVest's operations, as our platform serves Nigerian cooperatives, investors, and institutions across multiple jurisdictions.

The NDPA establishes six core principles of data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. These principles mirror the GDPR framework, making compliance familiar for organizations already operating under European standards.

For AfriVest, NDPA compliance is essential because Nigeria represents our largest addressable market — with over 220 million people, 40 million cooperative members, and a rapidly growing digital economy. Our tokenization platform, cooperative governance tools, and financial inclusion infrastructure all process personal data of Nigerian data subjects, requiring full compliance with the NDPA's provisions on consent, data subject rights, cross-border transfers, and security measures.

The establishment of the NDPC as an independent regulator — replacing the previous NITDA oversight — signals Nigeria's commitment to robust data protection enforcement. The Commission has powers to conduct investigations, issue enforcement notices, impose administrative sanctions, and refer criminal matters for prosecution.

Regulator
Nigeria Data Protection Commission (NDPC)
Enacted
2023
Effective Date
12 June 2023
Scope
Processing of personal data of data subjects in Nigeria, or by controllers/processors established in Nigeria
220M+
Population Covered
2023
Enacted
6
Principles
2% Revenue
Max Fine

— Key Provisions

Core Provisions of NDPA

Lawful Basis for Processing

Processing must be based on consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests. AfriVest primarily relies on consent and contractual necessity for cooperative member data, with legitimate interests for fraud prevention and platform security.

Data Protection Impact Assessment

Controllers must conduct DPIAs before processing that is likely to result in high risk to data subjects — including large-scale processing of sensitive data, systematic monitoring, and automated decision-making. AfriVest conducts DPIAs for all new product launches and significant processing changes.

Data Protection Officer

Controllers processing personal data on a large scale or processing sensitive personal data must appoint a Data Protection Officer. AfriVest has appointed a DPO for our Nigerian operations who reports directly to the board.

Cross-Border Transfer Safeguards

Personal data may only be transferred outside Nigeria if the recipient country provides adequate protection, or appropriate safeguards are in place (binding corporate rules, standard contractual clauses, or NDPC-approved mechanisms).

Breach Notification

Controllers must notify the NDPC of a personal data breach within 72 hours of becoming aware, and notify affected data subjects without undue delay where the breach is likely to result in high risk.

Children's Data Protection

Special protections for processing personal data of children (under 18), requiring parental consent and prohibiting processing that is detrimental to the child's wellbeing.

— Data Subject Rights

Individual Rights Under NDPA

Right to Information

Data subjects must be informed about the collection and processing of their personal data, including the identity of the controller, purposes, and recipients.

Right of Access

Data subjects can request and obtain confirmation of whether their data is being processed, and access to that data along with supplementary information.

Right to Rectification

Data subjects can request correction of inaccurate personal data and completion of incomplete data without undue delay.

Right to Erasure

Data subjects can request deletion of their personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful.

Right to Data Portability

Data subjects can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object

Data subjects can object to processing based on legitimate interests or public interest, and to processing for direct marketing purposes.

— Compliance

Compliance Requirements

Registration with NDPC

Data controllers of major importance must register with the Nigeria Data Protection Commission and maintain current registration.

Privacy Policy Publication

Controllers must publish a clear, accessible privacy policy detailing processing activities, lawful bases, data subject rights, and contact information.

Data Processing Records

Maintain comprehensive records of all processing activities, including purposes, categories of data subjects, recipients, transfers, and retention periods.

Security Measures

Implement appropriate technical and organizational measures to ensure security of processing, including encryption, pseudonymization, and regular testing.

Annual Compliance Audit

Controllers of major importance must conduct annual data protection compliance audits and submit reports to the NDPC.

Consent Records

Maintain demonstrable records of consent obtained from data subjects, including the specific information provided and the mechanism used.

— Enforcement

Penalties & Enforcement

Administrative Fine (Data Controllers of Major Importance)
Up to 2% of annual gross revenue

For data controllers processing data of more than 2,000 data subjects within 6 months.

Administrative Fine (Other Controllers)
Up to N10 million

For data controllers not classified as controllers of major importance.

Criminal Penalties
Fines and/or imprisonment

For offenses including obstruction of the Commission, unauthorized disclosure, and failure to comply with enforcement notices.

AfriVest

Let's build Africa's
digital future together.

Connect with our team to explore how AfriVest's sovereign infrastructure can serve your nation, institution, or community.