quotientsec.com

Nigeria’s Data Protection Act (NDPA): What SMEs Need to Know in 2026

If your business collects customer names, email addresses, phone numbers, or payment details in Nigeria, you are now subject to one of the most significant data protection laws on the continent. The Nigeria Data Protection Act (NDPA), signed into law on 12 June 2023, replaced the older Nigeria Data Protection Regulation (NDPR) and created the Nigeria Data Protection Commission (NDPC) as an independent regulator with real enforcement power.

And the NDPC is using it. In 2025 alone, Multichoice Nigeria was fined over 766 million naira for illegal cross-border data transfers, Meta Platforms settled a 32.8 million dollar dispute over behavioural advertising violations, and the NDPC issued compliance notices to 1,368 organisations demanding evidence of audit filings and data protection measures within 21 days. This is no longer a “big company” problem. SMEs are firmly in scope.


Who Does the NDPA Apply To?

The short answer: almost every business handling personal data in Nigeria. The NDPA applies to any organisation that is domiciled in, resides in, or operates in Nigeria; processes data within Nigeria; or processes data of individuals located in Nigeria, even if the organisation itself is based abroad. An e-commerce platform in London selling to Nigerian customers is just as covered as a logistics company in Lagos.

Organisations classified as being of “major importance” face heightened obligations. This classification applies to entities that process data of more than 200 data subjects within six months, operate in economically significant sectors, or handle confidential data in a fiduciary capacity. For many SMEs in fintech, healthcare, retail, or professional services, that threshold is easily crossed.

What the Law Requires

The NDPA’s core obligations mirror global standards like the GDPR but are tailored to Nigeria’s context. All data processing must be lawful, fair, and transparent. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and silence do not count. You need a documented lawful basis for every type of data processing your business performs, whether that is consent, contractual necessity, legitimate interest, or one of the other recognised grounds.

Individuals have the right to access, correct, delete, and port their data, and to withdraw consent at any time. If a customer asks what data you hold on them, you are legally obligated to respond. Data breaches must be reported to the NDPC within 72 hours. Cross-border data transfers require documented legal safeguards, which matters if you use any cloud service, CRM, or payment gateway hosted outside Nigeria.

The General Application and Implementation Directive (GAID), effective since September 2025, adds further requirements: mandatory NDPC registration for data controllers of major importance, annual Compliance Audit Return filings by 31 March, appointment of data protection officers where applicable, and opt-in cookie consent for websites and apps.

The Penalties

Fines for data controllers of major importance can reach 10 million naira or 2 percent of annual gross revenue, whichever is higher. Other organisations face up to 2 million naira or 2 percent of revenue. Non-compliance with NDPC orders can result in up to one year of imprisonment, and individuals can pursue civil damages. The NDPC has completed 246 investigations and generated over 5.2 billion naira from enforcement actions. The regulator has publicly stated that 2026 will see even stricter oversight.

A Practical Compliance Checklist

Getting compliant does not require a massive budget, but it does require deliberate action. Here are the essential steps for SMEs in 2026.

Map your data. Identify what personal data you collect, where it is stored, who has access, and how it flows through your business, including through third-party tools. You cannot protect what you do not know exists.

Update your privacy policy. It must be clear, accessible, and explain what data you collect, why, on what legal basis, how long you keep it, and how individuals can exercise their rights. A generic template copied from the internet will not suffice.

Secure your systems. At minimum, encrypt sensitive data, enforce access controls, keep software up to date, and have documented backup and recovery procedures. If customer records live in unprotected spreadsheets or WhatsApp groups, that is a liability.

Build a breach response plan. Know in advance who is responsible for assessing a breach, how you will notify the NDPC within 72 hours, and how affected customers will be informed. Do not wait until something goes wrong.

Register and file. If you qualify as a data controller of major importance, register with the NDPC at ndpc.gov.ng. File your annual Compliance Audit Return by 31 March. Appoint or engage a Data Protection Officer or licensed DPCO if required.

Train your team. Human error remains the leading cause of data breaches. Make sure your employees understand what constitutes personal data, how to handle it, and what to do if something goes wrong. The GAID requires periodic compliance training.

Why This Matters Beyond Avoiding Fines

Data protection is fast becoming a trade requirement. The convergence of the EU’s NIS2 Directive and African data protection laws means businesses seeking international partnerships or investment must demonstrate compliance to maintain market access. Organisations that handle data responsibly will have a competitive edge when pursuing contracts, funding, and cross-border opportunities. Compliance is not just a cost of doing business. It is a signal of maturity and trustworthiness.

How QuotientSec Can Help

At QuotientSec, we help SMEs across Nigeria and the wider African continent build practical, sustainable compliance frameworks. From data mapping and gap analysis to privacy policy development, breach response planning, security controls, and team training, we provide clear guidance without enterprise-grade complexity or cost.

Ready to get your business NDPA-compliant?

Contact QuotientSec today for a free initial consultation.
