← Back to all articles Compliance

NDPR Compliance: What Nigerian Businesses Need to Know About Data Protection

A
ARX AMANI
January 25, 2026
6 min read
240 views

Understanding NDPR

The Nigeria Data Protection Regulation (NDPR) came into effect in January 2019, establishing data protection requirements for all organizations that collect, process, or store personal data of Nigerian citizens.

In 2023, the Nigeria Data Protection Act (NDPA) was signed into law, further strengthening these requirements and establishing the Nigeria Data Protection Commission (NDPC) as the regulatory body.

If your business handles customer data, employee data, or any personal information, this applies to you.

Who Needs to Comply?

Short answer: Almost every business.

Long answer: NDPR/NDPA applies if you:

  • Collect customer information (names, emails, phone numbers)
  • Process employee data (payroll, HR records)
  • Handle financial information
  • Store any personal data of Nigerian citizens
  • Process data on behalf of other organizations

Even small businesses with just a customer database need to comply.

Key NDPR Requirements

1. Lawful Basis for Processing

You must have a legal reason to collect and process personal data:

  • Consent: The person agreed to it
  • Contract: Necessary to fulfill a contract
  • Legal obligation: Required by law
  • Legitimate interest: Necessary for your business (with limitations)

For most businesses: Get clear consent before collecting data.

2. Data Subject Rights

Individuals have the right to:

  • Know what data you hold about them
  • Access their data
  • Correct inaccurate data
  • Delete their data ("right to be forgotten")
  • Object to processing
  • Data portability (receive their data in usable format)

Action required: Have a process to handle these requests.

3. Data Protection Impact Assessments

Required for high-risk processing:

  • Large-scale data processing
  • Sensitive personal data
  • Automated decision-making

For most SMEs: Document your data processing activities and assess risks.

4. Data Breach Notification

If a breach occurs:

  • Notify NDPC within 72 hours
  • Notify affected individuals if high risk
  • Document the breach and response

Action required: Have an incident response plan ready.

5. Security Measures

You must implement:

  • Technical measures (encryption, access controls)
  • Organizational measures (policies, training)
  • Regular security assessments

This is where IT security meets compliance.

6. Record Keeping

Maintain records of:

  • Data processing activities
  • Consent received
  • Data breaches
  • Security measures implemented

7. Data Protection Officer (DPO)

Required for organizations that:

  • Process data of more than 10,000 people annually
  • Handle sensitive personal data
  • Are public authorities

For smaller businesses: Designate someone responsible for data protection, even if not a formal DPO.

The IT Security Connection

Compliance isn't just about policies and paperwork. Technical security is required.

Security Measures NDPR Expects:

Access Control:

  • Only authorized personnel access personal data
  • Strong authentication (passwords, MFA)
  • Regular access reviews

Encryption:

  • Data encrypted in transit (HTTPS, VPN)
  • Data encrypted at rest (disk encryption)
  • Encryption of sensitive data

Endpoint Security:

  • Up-to-date antivirus/endpoint protection
  • Regular patching
  • Device management

Network Security:

  • Firewalls
  • Network segmentation
  • Intrusion detection

Monitoring:

  • Log collection and review
  • Anomaly detection
  • Security incident alerting

Backup and Recovery:

  • Regular backups
  • Tested recovery procedures
  • Offsite/cloud backup

The Compliance-Security Overlap

NDPR Requirement IT Security Implementation
Data security Endpoint protection, encryption
Breach notification Security monitoring, incident response
Access control Identity management, MFA
Data minimization Data classification, retention policies
Accountability Logging, auditing, reporting

Good IT security practices directly support NDPR compliance.

Common Compliance Mistakes

Mistake 1: "We have a privacy policy, we're compliant"

A privacy policy is one requirement. Compliance requires actual implementation of security measures.

Mistake 2: "We're too small to worry about this"

NDPR applies regardless of size. Smaller businesses may have simpler compliance needs, but they're not exempt.

Mistake 3: "We don't collect sensitive data"

Names, email addresses, and phone numbers are personal data. If you have customer records, you have personal data.

Mistake 4: "Our IT handles security, that's compliance"

Compliance requires both technical (IT security) and organizational (policies, training) measures.

Mistake 5: "We'll deal with it if audited"

Compliance is ongoing, not a one-time project. Waiting for an audit is waiting for a fine.

Penalties for Non-Compliance

The NDPA establishes:

  • Fines up to ₦10 million or 2% of annual gross revenue (whichever is higher)
  • Criminal liability for certain violations
  • Compensation to affected individuals
  • Reputational damage (public disclosure)

For a business doing ₦500 million annually, a 2% fine is ₦10 million—plus legal costs, remediation costs, and reputation damage.

A Practical Compliance Checklist

Documentation (Week 1-2):

  • Create/update privacy policy
  • Document data processing activities
  • Identify lawful basis for each processing activity
  • Create data subject request procedure

Technical (Week 3-4):

  • Implement endpoint protection on all devices
  • Enable encryption (disk encryption, HTTPS)
  • Set up access controls (who can access what data)
  • Implement backup procedures

Organizational (Week 5-6):

  • Designate data protection responsibility
  • Create incident response procedure
  • Train employees on data protection basics
  • Review vendor/third-party data handling

Ongoing:

  • Regular security assessments
  • Patch management (keep systems updated)
  • Monitor for security incidents
  • Annual compliance review

How Managed IT Services Help

MSPs can support NDPR compliance by:

Technical Implementation:

  • Deploying endpoint protection
  • Managing patch updates
  • Implementing encryption
  • Configuring access controls

Monitoring and Response:

  • 24/7 security monitoring
  • Incident detection and alerting
  • Breach response support
  • Evidence collection

Documentation and Reporting:

  • Security posture reports
  • Compliance evidence
  • Audit support

Expertise:

  • Security best practices
  • Regulatory awareness
  • Technical guidance

This doesn't replace legal/compliance advice, but strong IT security is the foundation of NDPR compliance.

Taking Action

If You Haven't Started:

  1. Read the NDPR/NDPA (it's not that long)
  2. Audit what personal data you collect and why
  3. Implement basic security measures
  4. Create a privacy policy
  5. Train your team

If You're Partially Compliant:

  1. Gap assessment: What's missing?
  2. Prioritize: Security measures first
  3. Document: Policies and procedures
  4. Monitor: Ongoing compliance

If You Think You're Compliant:

  1. When was your last assessment?
  2. Can you respond to a data subject request right now?
  3. Would you know within 72 hours if you had a breach?
  4. Is your documentation up to date?

Conclusion

NDPR compliance isn't optional, and it's not going away. The good news is that compliance and good security practices overlap significantly. By implementing proper IT security—endpoint protection, patching, monitoring, access controls—you're building the foundation for compliance.

Start with security. Document your practices. Train your team. Review regularly.

The businesses that treat data protection as a continuous practice rather than a checkbox will be better protected against both regulatory penalties and actual security threats.

NDPR compliance data protection regulations NDPA

Related Articles

🔐

How to Prepare for an IT Security Audit: A Step-by-Step Guide

Jan 29, 2026 • 5 min