Steve Aya

The Nigeria Data Protection Commission (NDPC) has launched sweeping investigations into more than 1,300 organisations suspected of breaching the Nigeria Data Protection Act (NDPA), marking the country’s most extensive enforcement move since the law was enacted in June 2023.

According to the Commission, a total of 1,368 organisations across key sectors including 795 financial institutions, 35 insurance companies, 392 insurance brokers, 136 gaming companies and 10 pension firms have been issued compliance notices. Each organisation has 21 days to provide evidence of adherence to the NDPA or face possible sanctions.

In a statement, Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, warned: “The failure to comply with the compliance notice may result in enforcement actions, including issuance of enforcement orders, administrative fines, and/or criminal prosecution in accordance with the NDPA”.

The notices require companies to submit proof of filing compliance audit returns for 2024, appointment of data protection officers, technical and organisational safeguards for data protection, and registration as data controllers or processors of major importance. The NDPC says the measures are designed to strengthen public trust, and safeguard Nigerians’ fundamental rights in the digital economy.

Legal experts say the crackdown, though expected, signals a tougher approach by the Regulator. Sumbo Akintola and Timothy Ogele of Aluko & Oyebode observed that, while the Commission had announced “massive and proactive” enforcement for 2025, the decision to publish notices naming non-compliant entities marks a significant shift. “This change reflects a more assertive stance, signalling increased regulatory pressure on organisations to proactively ensure compliance”. The Lawyers also pointed to challenges faced by organisations, including operational delays and shifting regulatory guidance. They cited a 2024 court ruling that nullified parts of the Commission’s guidance on registering data controllers and processors of major importance, forcing many companies to reassess their compliance strategies. Similarly, a 2023 judgement voiding the NDPC’s whitelist on cross-border data transfers, created further uncertainty.

Despite these challenges, analysts believe the NDPC’s action is only the beginning. Sectors such as aviation, telecommunications, e-commerce, and healthcare—where large volumes of personal and sensitive data are processed—are likely to face similar scrutiny in coming months.

With the NDPA’s General Application and Implementation Directive set to take effect in September 2025, experts warn that this latest crackdown should serve as a wake-up call. “Given the uncertainty around the NDPC’s next line of action, this is a reminder for organisations to put their house in order”, Akintola and Ogele cautioned.