If your business collects personal data from customers in Nigeria, you are required by law to comply with the Nigeria Data Protection Act (NDPA). This NDPA compliance checklist will walk you through every step. Not eventually. Not when you get bigger. Now.
The Nigeria Data Protection Commission (NDPC) has made it clear that enforcement is not limited to large corporations. In 2025, the commission issued compliance notices to over 1,300 organisations and collected more than 5.2 billion naira in penalties. SMEs that assume they can fly under the radar are taking a gamble that gets more expensive every quarter.
This NDPA compliance checklist breaks down what compliance actually looks like for a small or mid-sized Nigerian business. No legal jargon. No enterprise-scale frameworks. Just the practical steps you need to take, in the order you should take them.
Before You Start Your NDPA Compliance Checklist
The first item on any NDPA compliance checklist is understanding whether the law applies to you. The NDPA applies to your business if you process personal data of individuals in Nigeria, operate within Nigeria, or offer goods and services to people located in Nigeria, regardless of where your business is physically based.
If your business qualifies as a “data controller of major importance” (processing data of more than 200 individuals within six months, operating in a significant sector, or handling data in a fiduciary capacity), you face additional obligations including mandatory NDPC registration and annual audit filings.
Most SMEs in fintech, healthcare, e-commerce, logistics, and professional services cross that threshold without realising it. If you have a customer database, a mailing list, or a payment system, the NDPA applies to you.
Step 1: Map Your Data (NDPA Compliance Checklist)
You cannot protect what you do not understand. Before anything else, document exactly what personal data your business collects, where it is stored, who has access to it, and how it moves through your systems.
This includes data in your CRM, email marketing tools, payment gateways, HR systems, WhatsApp groups, spreadsheets, and any third-party platforms you use. Many businesses discover during this exercise that personal data exists in places they never considered.
Your data map should answer these questions for every data type:
- What category of data is it? (names, emails, financial records, health data)
- Why are you collecting it? What is the lawful basis?
- Where is it stored? Is any of it stored outside Nigeria?
- Who has access to it internally?
- Is it shared with any third parties?
- How long do you keep it?
Step 2: Establish Your Lawful Basis for Processing
This part of the NDPA compliance checklist is where many Nigerian businesses stumble.
Under the NDPA, every instance of data processing must have a documented lawful basis. The most common grounds are consent, contractual necessity, legal obligation, and legitimate interest. You need to identify which basis applies to each type of processing your business performs.
Consent is the most frequently used basis, but it comes with strict requirements. It must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and vague terms do not meet the standard. If you rely on consent, you must be able to demonstrate that you obtained it properly and that individuals can withdraw it at any time.
Document your lawful basis for each processing activity in writing. This is not optional. The NDPC can request evidence at any time.
Step 3: Update Your Privacy Policy
Your privacy policy is a critical element of any NDPA compliance checklist. It is often the first thing the NDPC will review during an investigation. A generic template copied from the internet will not protect you. Your policy must be specific to your business and clearly explain:
- What personal data you collect and why
- The lawful basis for each type of processing
- How long you retain data
- Whether data is transferred outside Nigeria, and what safeguards are in place
- How individuals can access, correct, delete, or port their data
- How to withdraw consent
- How to lodge a complaint with the NDPC
The policy must be written in clear, accessible language. If your customers cannot understand it, it does not meet the standard.
Step 4: Implement Technical Security Measures
The NDPA requires “appropriate technical and organisational measures” to protect personal data. For SMEs, this means at minimum:
- Encrypting sensitive data at rest and in transit
- Enforcing role-based access controls so only authorised staff can view personal data
- Keeping all software, plugins, and systems up to date with security patches
- Using multi-factor authentication on all systems that store personal data
- Maintaining regular, tested backups of critical data
- Securing your website with HTTPS and implementing cookie consent
If customer data lives in unprotected spreadsheets, personal email accounts, or WhatsApp groups shared across the team, that is a liability you need to address immediately.
Step 5: Build a Breach Response Plan
The NDPA requires that data breaches be reported to the NDPC within 72 hours. That timeline starts from the moment you become aware of the breach, not from when you finish investigating it.
Most businesses that fail this requirement do so because they had no plan in place. When a breach happens, the clock is already ticking and improvising is not an option.
Your breach response plan should define:
- Who is responsible for assessing and classifying the breach
- The internal escalation process
- How to notify the NDPC within the 72-hour window
- How and when to inform affected data subjects
- Steps for containing the breach and preventing recurrence
- Documentation requirements for the full incident
Test this plan before you need it. A breach response plan that has never been rehearsed is barely better than having no plan at all.
Step 6: Manage Third-Party Data Processors
If any third party processes personal data on your behalf (cloud providers, payment gateways, CRM platforms, marketing tools, IT support), you need a Data Processing Agreement (DPA) with each one. This is a legal requirement under the NDPA, not a nice-to-have. Many businesses miss this step on their NDPA compliance checklist.
Your DPA should specify what data the processor handles, for what purpose, how long they retain it, what security measures they implement, and what happens to the data when the relationship ends. You remain legally responsible for data processed on your behalf, so choosing reliable processors and documenting the arrangement protects your business.
Review your current vendor list. Any service that touches customer data needs a documented agreement.
Step 7: Handle Cross-Border Transfers
If you use any cloud service, SaaS platform, or payment gateway hosted outside Nigeria, you are making cross-border data transfers. The NDPA requires adequate safeguards for these transfers, which may include adequacy decisions by the NDPC, binding corporate rules, standard contractual clauses, or explicit consent.
Audit your tech stack. Identify which tools store or process data outside Nigeria and document the legal basis for each transfer. The NDPC has already penalised organisations for unsanctioned cross-border transfers, and this area of enforcement is expanding.
Step 8: Register with the NDPC and File Annual Returns
If your business qualifies as a data controller of major importance, you must register with the NDPC through their portal at ndpc.gov.ng. Registration is mandatory, not optional.
Once registered, you are required to file an annual Compliance Audit Return by 31 March each year. This filing must demonstrate your compliance efforts, including data protection impact assessments, security measures, breach records, and staff training activities.
Missing the filing deadline or failing to register can trigger enforcement action on its own, separate from any data protection violation.
Step 9: Appoint a Data Protection Officer
The NDPA and the General Application and Implementation Directive (GAID) require certain organisations to appoint a Data Protection Officer (DPO) or engage a licensed Data Protection Compliance Organisation (DPCO). Even if your business is not strictly required to appoint one, having someone responsible for data protection governance is a practical safeguard.
Your DPO should understand the NDPA’s requirements, monitor compliance activities, serve as the point of contact for the NDPC, and manage data subject requests. For SMEs that cannot justify a full-time DPO, engaging an external DPCO is a cost-effective alternative.
Step 10: Train Your Team
The GAID explicitly requires periodic compliance training for staff. Human error remains the leading cause of data breaches in Nigerian businesses, from clicking phishing links to sharing customer data over unsecured channels.
The final step on this NDPA compliance checklist involves your people. Every employee who handles personal data should understand what the NDPA requires, how to identify a data breach, what to do if one occurs, and how to handle data subject access requests. Training does not need to be elaborate, but it does need to be documented and recurring.
The Complete NDPA Compliance Checklist Summary
Here is the full checklist at a glance:
- Map all personal data your business collects, stores, and processes
- Document the lawful basis for every processing activity
- Update your privacy policy to meet NDPA requirements
- Implement technical security measures (encryption, access controls, backups)
- Build and test a 72-hour breach response plan (a key item on your NDPA compliance checklist)
- Put Data Processing Agreements in place with all third-party processors
- Audit and document cross-border data transfers
- Complete your NDPA compliance checklist by registering with the NDPC and filing annual Compliance Audit Returns
- Appoint a DPO or engage a licensed DPCO
- Train your team on data protection obligations and procedures
What Happens If You Do Not Comply
Fines for data controllers of major importance can reach 10 million naira or 2% of annual gross revenue, whichever is higher. Other organisations face penalties of up to 2 million naira or 2% of revenue. Non-compliance with NDPC directives can result in up to one year imprisonment, and individuals affected by data protection failures can pursue civil damages.
Beyond the financial penalties, non-compliance creates real business risk. International partners, investors, and enterprise clients increasingly require evidence of data protection compliance before entering contracts. The cost of compliance is a fraction of the cost of getting caught without it.
Getting Started
NDPA compliance does not require a massive budget, but it does require deliberate action. Start with the data mapping exercise, because everything else builds on knowing what data you have and where it lives. Work through the checklist methodically, and document every step.
If you want to know where your business stands right now, take our free NDPA Compliance Scorecard. It takes under five minutes and gives you a clear picture of your current compliance gaps.
For a deeper walkthrough of the law and what it means for your business, download our free NDPA Compliance Guide.
And if you want help building a compliance programme that fits your business without enterprise-level complexity, get in touch with QuotientSec. We work with SMEs across Nigeria to make compliance practical, not painful.
Not sure where your business stands on NDPA compliance?
Take our free NDPA Compliance Scorecard to find out in under 5 minutes. Or read our complete NDPA Compliance Guide for a step-by-step breakdown.
