📋 About the Nigeria Data Protection Act 2023

Law Enacted

2023

Regulator

NDPC

Max Penalty

₦10M or 2%

Breach Notice

72 hours

Applies To

All processors in NG

DPO Required

Major controllers

0/20

questions answered yes

✅

NDPA 2023 Compliance Checklist

▾

Click each item to mark as Yes, we comply. Your score updates in real time.

📊

Your Compliance Score

▾

Compliance Score 0%

0%50% (Low)80% (Medium)100% (High)

📅

Key NDPA Deadlines & Contacts

▾

Obligation	Deadline / Threshold
Breach notification to NDPC	Within 72 hours of discovery
Data subject rights response	Acknowledge within 72 hours; resolve within reasonable time
Annual audit report filing (major controllers)	By 15 March each year
DPO appointment (major controllers)	Immediate obligation on designation
NDPC registration (major controllers)	Within 6 months of designation
DPIA for high-risk processing	Before commencement of processing

Regulator

Nigeria Data Protection Commission (NDPC)

Portal

ndpc.gov.ng

Penalties

Up to ₦10,000,000 or 2% of annual gross revenue (whichever is higher)

Criminal Sanction

Up to 3 years imprisonment for individuals

Case workspace

Build, save and export this legal workflow

This workspace turns the ndpa control audit result into a reusable matter note, dashboard item and gated PDF checklist. Use the app first, then save the evidence trail.

Matter or project Country or regime Target date Status

Evidence checked

Risk flags

Private notes

Open dashboard

Continue workflow

Competitor check - 28 April 2026

What stronger tools teach this app

Benchmarked against Termly, OneTrust and enterprise consent platforms. The goal is not to copy them; it is to bring the useful workflow pattern into an Africa-first tool with official-source caution and local evidence capture.

Observed feature pattern

Mature privacy tools scan or map real processing activity, then connect policies, cookie choices, DSARs, consent logs and regulator evidence.
They preserve an audit trail instead of leaving users with a static policy that drifts away from the product.
They route high-risk processing into DPIA, breach and processor-contract workflows before launch or vendor onboarding.

Implemented on this app

This page now asks for matter, country or regime, date, status, evidence and risk flags before the user exports a note.
The app-specific checklist is not generic: it starts with "Keep a register of processing activities before answering the checklist".
Saved workflows can be resumed from the dashboard and handed off to Privacy Policy Generator when the matter naturally continues.
The PDF/export moment is a value-after-result gate, so users can still use the tool first and only share email when saving the report.

Best next move

Whether the business is likely to be a data controller or processor of major importance
Keep a register of processing activities before answering the checklist
Marking yes because a policy exists but staff cannot execute it

Reviewed 28 April 2026 · Nigeria

NDPA control audit

The checker is most useful when the score becomes a remediation list: lawful basis, privacy notice, data-subject rights, processor contracts, breach response, DPIA, registration and audit evidence.

Decisions this clarifies

Whether the business is likely to be a data controller or processor of major importance
Which controls must be documented before a regulator, partner, or enterprise customer asks
Which gaps create immediate breach, audit, or cross-border-transfer risk

Before you rely on it

Keep a register of processing activities before answering the checklist
Attach evidence for each yes answer, such as policy, log, contract or training record
Prioritise breach response, processor contracts and privacy notice fixes first

Red flags

Marking yes because a policy exists but staff cannot execute it
Using consent as the lawful basis for every processing activity
Sending data abroad without a transfer basis and processor contract

Primary checks

Nigeria Data Protection Commission NDPC services

Next best tools

Review pack

Save the ndpa control audit trail

Before filing, signing, publishing, or sending anything, keep a short record that links the app result to evidence and official-source checks.

Capture

Save the country or regime, parties, dates, amounts, selected options, and final output. Add why this matters: Whether the business is likely to be a data controller or processor of major importance.

Attach

Keep a register of processing activities before answering the checklist. Also keep the strongest supporting document, receipt, portal reference, ID, contract, policy, or court file beside the generated result.

Escalate

If you see this risk, pause and get qualified help: Marking yes because a policy exists but staff cannot execute it.

Copyable review note

NDPA control audit action pack
Tool: ndpa-checker
Coverage: Nigeria

Result to save:
- Country or regime selected, parties involved, dates, amounts, and the generated output from the app.
- The reason this output was prepared: Whether the business is likely to be a data controller or processor of major importance.

Evidence to attach:
- Keep a register of processing activities before answering the checklist
- Attach evidence for each yes answer, such as policy, log, contract or training record
- Prioritise breach response, processor contracts and privacy notice fixes first

Escalate before filing or signing if:
- Marking yes because a policy exists but staff cannot execute it
- Using consent as the lawful basis for every processing activity
- Sending data abroad without a transfer basis and processor contract

Primary checks:
- Nigeria Data Protection Commission: https://www.ndpc.gov.ng/ndp-act-2023/
- NDPC services: https://www.ndpc.gov.ng/

Reviewed by AfroTools workflow on 28 April 2026. Informational only, not legal advice.

Paste this into your matter file, compliance folder, board pack, or lawyer handoff.

Understanding NDPA 2023 Compliance in Nigeria

The Nigeria Data Protection Act 2023 (NDPA) is Nigeria's comprehensive data protection legislation, replacing the earlier Nigeria Data Protection Regulation (NDPR) 2019. It establishes the Nigeria Data Protection Commission (NDPC) as the primary regulatory authority and introduces significantly stronger enforcement powers.

All organisations that process personal data of Nigerian residents must comply with the NDPA, regardless of whether the organisation is based in Nigeria or abroad. The Act applies to any processing of personal data where the data subject is in Nigeria or the processing relates to activities targeting Nigerian residents.

Major data controllers are organisations that process personal data of more than 2,000 data subjects within a 6-month period, or process sensitive personal data of more than 400 data subjects within the same period.
Sensitive personal data under the NDPA includes health data, biometric data, religious beliefs, political opinions, trade union membership, and sexual orientation.
Data Protection Officers (DPOs) must be appointed by major data controllers and must be suitably qualified. The DPO must be registered with the NDPC.
Data Protection Impact Assessments (DPIAs) are required before commencing any processing that is likely to result in a high risk to data subjects' rights and freedoms.

Non-compliance with the NDPA can result in administrative fines of up to ₦10,000,000 or 2% of annual gross revenue (whichever is higher), as well as criminal sanctions for individuals involved in serious breaches.

Disclaimer This tool provides general information and educational resources only. Not legal advice. Results are indicative only and should not be relied upon as a definitive legal assessment. Consult a qualified data protection lawyer for specific legal advice tailored to your organisation's circumstances.

🇳🇬 NDPA Compliance Checker