The Nigeria Data Protection Commission (NDPC) has directed banks, insurance firms, gaming companies, and pension operators to show proof of compliance with the Nigeria Data Protection Act (NDP Act) 2023 within 21 days or risk penalties.
The directive was issued in a compliance notice signed by Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations at the NDPC.
According to the Commission, a list of the affected organisations will be published in major national newspapers on Monday, August 25, 2025.
“The NDP Act, 2023 seeks to safeguard the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999,” the notice stated.
It added that the Act is designed to “strengthen the legal foundations of Nigeria’s digital economy and ensure the country’s trusted participation in regional and global markets through the responsible use of personal data.”
Citing relevant sections of the law, the NDPC required organisations to submit the following within the 21-day window:
- Evidence of filing their 2024 compliance audit returns (Section 6d).
- Details of a designated Data Protection Officer, including name and contact information (Section 32).
- A summary of technical and organisational measures in place for data protection (Section 39).
- Proof of registration as a Data Controller or Processor of Major Importance (Section 44).
The Commission stressed that failure to comply may attract enforcement measures such as administrative fines, enforcement orders, or even criminal prosecution.
The NDPC explained that the compliance drive is part of ongoing efforts to build accountability, strengthen public trust in Nigeria’s data protection framework, and safeguard the rights of citizens in the country’s expanding digital economy.