The Nigeria Data Protection Commission (NDPC) has opened investigations into 1,369 organisations accused of breaching the Nigeria Data Protection Act (NDPA) 2023, in what is now the largest enforcement drive since the law came into effect.
The companies under investigation cut across some of Nigeria’s most sensitive industries. They include 795 financial institutions, 392 insurance brokers, 35 insurance companies, 10 pension firms, and 136 gaming operators. Each has been given 21 days to prove compliance or risk sanctions.
According to a statement signed by Babatunde Bamigboye, head of Legal, Enforcement and Regulations at the NDPC, the affected organisations must present evidence of their 2024 compliance audit returns, the appointment of a Data Protection Officer with full contact details, as well as technical and organisational safeguards they have put in place.
They are also expected to confirm registration as a “data controller or processor of major importance.”
“These organisations are required to within 21 days of issuance provide evidence of filing NDP Act Compliance Audit Returns for 2024, evidence of designation or appointment of a Data Protection Officer, including name and contact details.
“They are also to provide summary of technical and organisational measures for data protection within the organisation and evidence of registration as a data controller or processor of major importance,” the Commission stated.
The Commission argues that such enforcement is necessary to secure citizens’ rights under the 1999 Constitution and to strengthen trust in Nigeria’s digital economy. The NDPC says that failure to comply could trigger fines, enforcement orders, or even criminal prosecution as stipulated under the NDPA.
This latest development comes weeks after MultiChoice Nigeria was fined ₦766.2 million for data protection violations, the biggest penalty imposed so far.
The pay-TV operator was found guilty of intrusive data practices, unauthorised cross-border transfers, and processing subscriber and non-subscriber data without proper consent.
National Commissioner, Dr Vincent Olatunji, explained that the Commission operates a remediation-first approach to enforcement. He noted that businesses willing to correct violations are given an opportunity to do so before penalties are applied.
“Usually, when we investigate and find a breach, if they are ready to comply with the law, what is the point of making noise? It’s only when an organisation is unwilling to comply with the law that we are forced to impose sanctions,” he said.
Experts believe the Commission’s growing assertiveness marks a turning point. For years, compliance was largely voluntary, but this change shows that regulators are no longer content with awareness campaigns.
The NDPA, modelled after global standards such as the GDPR, is designed both to protect Nigerians’ personal data and to give local firms credibility in regional and international markets.