The Nigeria Data Protection Commission (NDPC) has announced plans to investigate organisations accused of data breaches, warning that defaulters will face sanctions under the Nigeria Data Protection Act (NDP Act), 2023.
The targeted companies cut across insurance, banking, hospitality, pensions, gaming, and insurance brokerage sectors, the commission disclosed.
In a statement issued in Abuja by its Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, the NDPC said the move was in line with its mandate under the NDP Act, 2023, to safeguard the rights and freedoms of data subjects while strengthening Nigeria’s digital economy.
According to the statement, the commission will carry out sector-by-sector investigations into organisations suspected of failing to comply with the Act’s provisions. The NDP Act, it noted, is designed to protect personal data, uphold constitutional rights, and ensure Nigeria’s trusted participation in the regional and global digital economy.
“In line with sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the NDP Act, the commission has issued Compliance Notices to certain organisations listed in the schedule of its notice,” the statement said.
The NDPC added that the names of the affected organisations would be published on Monday, August 25, 2025, in major national newspapers.
The commission directed the listed organisations to submit, within 21 days, the following:
- Evidence of filing NDP Act Compliance Audit Returns for 2024 (Section 6d);
- Evidence of designation/appointment of a Data Protection Officer with name and contact details (Section 32);
- A summary of technical and organisational measures for data protection within the organisation (Section 39);
- Proof of registration as a Data Controller or Processor of Major Importance (Section 44).
The NDPC stressed that non-compliance would attract appropriate enforcement actions, reinforcing its commitment to protecting citizens’ data and ensuring accountability across industries.
