Skip to Main Content
Main Menu

Data Protection Act (DPA)

One of the goals of the DPA, among others, is to protect the fundamental rights, freedoms, and interests of data subjects as ensured by the 1999 Constitution of Nigeria.

Are you subject to the DPA?

Nigeria’s DPA applies to: (1) the data controller or data processor who is domiciled, ordinarily resident, or ordinarily operating in Nigeria, (2) the processing of personal data within Nigeria, and (3) the data controller of the data processor who is not domiciled, ordinarily resident, or ordinarily operating in Nigeria, but is processing personal data of a data subject in Nigeria.

Key obligations under the DPA

Data protection impact assessment

The Act emphasizes the necessity of conducting a data protection impact assessment (DPIA) when processing personal data poses a potential high risk to the rights and freedoms of data subjects based on its nature. The Act requires the controller to seek consultation with the Commission before proceeding with the processing if the DPIA identifies a high risk.

Data breach notification

In the event a breach occurs, the DPA requires the data processor to inform the controller or the engaging data processor promptly about the breach’s details and address any information inquiries from them. If the breach is expected to pose a risk to individuals’ rights, the controller must notify the Commission within 72 hours of becoming aware, with the ability to extend if necessary to properly assess the breach’s extent.

Appointment of a Data Protection Officer (DPO)

Controllers and data processors are required to appoint a DPO, responsible for overseeing compliance with the DPA and serving as a point of contact for data subjects and regulatory authorities.

Cross-border data transfers

According to the DPA, the transfer of personal data from Nigeria to another country is permissible only if the recipient of the data is bound by a law, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms that ensure an adequate level of protection for the personal data. The Act also grants the Commission the authority to periodically compile a ‘blacklist,’ identifying jurisdictions or entities that do not comply with the legislation.

Records of processing activities

Controllers and data processors must maintain records of their processing activities, including information about the purposes of processing, categories of data subjects, categories of personal data processed, recipients of personal data, and security measures implemented. The controller and data processor are also mandated to keep a record of all personal data breaches.


Building Trust and Competitive Advantage: The Value of Privacy Certifications

Join our experts in this webinar as they go over the importance of how privacy certifications can unlock business value and help you stay ahead of the competition in today’s privacy-conscious landscape.


  • What are the obligations of organizations under the DPA?

    Organizations processing personal data are required to adhere to several obligations under the DPA, including obtaining consent from data subjects before processing their personal data, implementing appropriate security measures to protect personal data, conducting data protection impact assessments (DPIAs) for high-risk processing activities, notifying the regulatory authority and affected individuals in the event of a data breach, and maintaining records of processing activities.

  • Are there restrictions on transferring personal data outside of Nigeria under the DPA?

    Yes, the DPA imposes restrictions on transferring personal data outside Nigeria. Personal data can only be transferred to another country or jurisdiction if the recipient ensures an adequate level of protection for the data, such as through laws, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms. The DPA also empowers the regulatory authority to maintain a ‘blacklist’ of non-compliant jurisdictions or entities.

  • What are the penalties for non-compliance with the DPA?

    Non-compliance with the DPA may result in various penalties, including fines, sanctions, or administrative actions imposed by the regulatory authority. The severity of penalties may vary depending on the nature and extent of the violation, with fines potentially reaching significant amounts for serious breaches of the regulations.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top