Expertise
The Nigeria Data Protection Commission (NDPC) has initiated a compliance investigation across multiple sectors, giving 21 days (until 15 September 2025) for affected organisations to prove compliance with the Nigeria Data Protection Act (NDPA), 2023.
Introduction
The Nigeria Data Protection Commission (NDPC) has launched a compliance investigation across key sectors, giving affected organisations 21 days from the issuance of its public notice dated 25 August 2025 to demonstrate adherence to the Nigeria Data Protection Act (NDPA), 2023.
The exercise underscores the Commission’s mandate of safeguarding the constitutional rights, freedoms, and interests of data subjects; and strengthening the foundations of Nigeria’s digital economy to enable trusted participation in regional and global markets.
In total, the compliance sweep covers:
10 pension companies
35 insurance companies
136 gaming companies
795 financial services firms
392 insurance brokers
Exercising its powers under Sections 5(i), 6(a), 6(c), 46(3), and 47(1)–(2) of the NDPA, the NDPC issued formal Compliance Notices to the affected organisations, requiring them to, within 21 days of issuance, provide evidence of the following::
Filing of 2024 Compliance Audit Returns (S.6(d));
Appointment or designation of a Data Protection Officer with full contact details (S.32);
A summary of technical and organisational safeguards adopted for data protection (S.39); and
Registration as a Data Controller or Processor of Major Importance (S.44).
Failure to comply could trigger strict enforcement measures, including Enforcement Orders, administrative fines, or criminal prosecution.
Companies whose names appear on the list are advised to engage a licensed Data Protection Compliance Organisation (DPCO) to assist with their compliance obligations under the NDPA before the 21 days deadline, which falls on 15 September 2025. Data controllers and processors that have not yet fulfilled their compliance requirements are also advised to do so promptly to avoid possible sanctions and penalties under the NDPA.
This news update is provided for informational purposes only and does not constitute legal advice. For personalized legal advice and assistance on meeting the NDPC compliance requirement, please contact DataProtection@jee.africa.
Important Notice: The information contained in this Article is intended for general information purposes only and does not create a lawyer-client relationship. It is not intended as legal advice from Jackson, Etti, & Edu (JEE) or the individual author(s), nor intended as a substitute for legal advice on any specific subject matter. Detailed legal counsel should be sought prior to undertaking any legal matter. The information contained in this Article is current to the last update and may change. Last Update: October 1, 2024.
