Data & Privacy - Nigeria

The Nigeria Data Protection Act 2023 is the country's general personal-data protection statute, in force since 12 June 2023; it sets out lawful bases, processing principles, and obligations across all sectors and repealed the NDPR 2019.

The Act establishes the Nigeria Data Protection Commission (NDPC) as the regulator responsible for administering all data-protection matters, issuing regulations and guidelines, investigating complaints, conducting audits, and imposing administrative fines.

The NDPC issued the General Application and Implementation Directive (GAID) on 20 March 2025, fully effective 19 September 2025, translating the Act's principles into operational compliance requirements and replacing the residual NDPR framework.

Individuals have rights to be informed, access, rectification, erasure ('right to be forgotten'), data portability, restriction, objection, and protection against certain automated decision-making; rights extend to data subjects in Nigeria and, in defined cases, to Nigerians abroad.

Controllers and processors must apply lawful processing principles, register/file as 'data controllers or processors of major importance' where applicable, and notify the NDPC of personal-data breaches within 72 hours of becoming aware of them.

Personal data may leave Nigeria only where the recipient country/organization offers adequate protection or another lawful mechanism applies; non-compliance can attract fines up to ₦10,000,000 or 2% of annual gross revenue for controllers/processors of major importance (₦2,000,000 or 2% for others), whichever is higher.