ELDR-RN-2026-005 · Research Note · Regulatory Intelligence

Nigeria NDPA at Year Two: Enforcement Signals and Documentation Obligations

Date: July 2026
Regulatory intelligence note. Nigeria Data Protection Act enforcement trajectory.

The Nigeria Data Protection Act 2023 (NDPA) established the Nigeria Data Protection Commission (NDPC) and created a comprehensive data protection framework broadly aligned with GDPR principles. Two years into the NDPC's operational existence, enforcement signals are emerging that have implications for organizations processing personal data of Nigerian residents — both Nigerian-headquartered organizations and multinational organizations with Nigerian market operations.

What Enforcement Activity Has Revealed

NDPC enforcement activity in 2025–2026 has been focused on three compliance elements: data controller registration (organizations processing personal data are required to register with the NDPC), Data Protection Compliance Organizations (DPCO) engagement for large-scale data processors, and Data Protection Impact Assessments (DPIA) for high-risk processing activities. The NDPC has issued enforcement notices and administrative fines for registration non-compliance, and has published guidance on DPIA requirements that specifies the documentation content expected in NDPA-compliant DPIAs.

Three Documentation Obligations That Are Now Enforceable

First, NDPC registration and registration documentation. Data controllers processing personal data of Nigerian residents are required to register with the NDPC. The registration process requires documentation of the data controller's data processing activities — categories of data processed, purposes of processing, data retention periods, and third-party processors. Organizations that have not registered and cannot produce the required data mapping documentation are exposed to enforcement action.

Second, DPIA documentation for high-risk processing. The NDPC's DPIA guidance specifies that processing activities meeting defined high-risk criteria — including large-scale processing of sensitive personal data, systematic profiling, and automated decision-making with significant effect — require a documented DPIA before processing commences. The DPIA documentation requirements align broadly with GDPR Article 35 DPIA requirements, with specific NDPC guidance on format and content. Organizations with GDPR-compliant DPIA programs may find that NDPA DPIA requirements are substantially satisfied by existing DPIA documentation, with Nigerian-specific supplementary elements required.

Third, data breach notification documentation. The NDPA requires notification to the NDPC of personal data breaches within 72 hours of discovery. The notification documentation requirements specify incident description, categories and estimated number of affected data subjects, likely consequences, and measures taken or proposed. Organizations processing Nigerian resident data must have incident response procedures that produce the required notification documentation within the 72-hour window.

ELDR Observation

The NDPA is not a paper tiger. NDPC enforcement is still developing and is not yet at GDPR enforcement scale, but organizations that treat NDPA compliance as aspirational rather than operational are accumulating enforcement exposure that the NDPC's developing enforcement posture will make increasingly consequential. Multinational organizations with Nigerian market operations that have built GDPR-compliant data protection documentation programs should assess NDPA alignment specifically: the NDPA is not GDPR, and GDPR-compliant programs have specific gaps (NDPC registration, DPCO engagement, Nigeria-specific DPIA documentation) that must be addressed separately.