NIGERIA DATA PROTECTION ACT 2023: WHAT BUSINESSES AND INDIVIDUALS MUST KNOW

Introduction

Protecting personal data has become one of the defining challenges of our digital age. In Nigeria, where mobile technology, social media, and fintech dominate daily life, the risks of data misuse are particularly high. To address this, the Federal Government enacted the Nigeria Data Protection Act 2023 (NDPA). The NDPA signals Nigeria’s ambition to align with global data protection standards such as the EU’s GDPR while tailoring solutions to local realities. This post explores the Act’s main provisions and what they mean for businesses and citizens.

From NDPR to NDPA: Closing the Gaps in Regulation

Nigeria’s first step toward regulating personal data came with the Nigeria Data Protection Regulation (NDPR) 2019. While it raised awareness and encouraged organizations to consider privacy, the NDPR had two major flaws: it was only a regulation, which limited its enforceability, and it lacked a strong institutional framework.

The NDPA 2023 resolves these issues. It establishes a legal framework and creates a dedicated regulator. According to Section 1, the objectives of the Act are to:

  1. Safeguard the rights and freedoms of individuals under the Constitution.
  2. Regulate the processing of personal data.
  3. Promote responsible practices that protect privacy and security.
  4. Ensure personal data is processed lawfully, fairly, and accountably.
  5. Provide remedies when rights are breached and ensure organizations meet their obligations.

Scope of the NDPA

Section 2 defines the scope of the Act. It applies to the processing of personal data in Nigeria and covers data controllers and processors who are:

  1. Based in Nigeria,
  2. Operating in Nigeria, or
  3. Processing the data of individuals located in Nigeria. Even organizations outside Nigeria must comply if they handle the data of people within the country.

The Nigeria Data Protection Commission (NDPC): Powers and Functions

The NDPA establishes the Nigeria Data Protection Commission (NDPC) as the primary regulator. Its responsibilities include:

  1. Overseeing the implementation of the Act.
  2. Developing policy directions.
  3. Investigating violations of the Act and related regulations.
  4. Imposing penalties for breaches.

The NDPC also has a broader role in strengthening Nigeria’s data protection culture. Under Section 5, it must:

  1. Promote technical and organizational measures for data security.
  2. Educate businesses and the public about privacy risks.
  3. Register major data controllers and processors.
  4. License and accredit data protection compliance organizations.

Core Principles of Data Processing

Like the GDPR, the NDPA is built on seven core principles that guide responsible data processing in Nigeria:

  • Lawfulness, Fairness, and Transparency (Section 24(1)(a)). Organizations must process data on a lawful basis, avoid harmful or unfair use, and provide individuals with clear information on how their data is handled.
  • Purpose Limitation (Section 24(1)(b)). Data must be collected for specific, legitimate purposes and not used for unrelated reasons.
  • Data Minimization (Section 24(1)(c)). Only the data strictly necessary for the stated purpose should be collected and processed.
  • Storage Limitation (Section 24(1)(d)). Personal data should not be kept longer than needed. Once it has served its purpose, it must be securely deleted.
  • Accuracy (Section 24(1)(e)). Data must be accurate, complete, and up to date. Inaccurate or misleading information must be corrected or removed.
  • Integrity and Confidentiality (Section 24(1)(f)). Organizations must secure data against unauthorized access, misuse, loss, or destruction. Measures like encryption, pseudonymization, and access controls are expected, depending on the sensitivity of the data and the risks involved.
  • Accountability (Section 24(3)). Data controllers are responsible for demonstrating compliance. They must not only follow the law but also prove their commitment to protecting personal data when required by regulators or individuals.

Rights of Data Subjects

The NDPA empowers Nigerians with strong rights over their personal data. These rights include:

  1. Right to be Informed – Individuals must be told whether their data is being processed, why, for how long, and who it will be shared with.
  2. Right of Access – Individuals can request access to their data in a clear, understandable format.
  3. Right to Rectification – Inaccurate, incomplete, or outdated data must be corrected or deleted.
  4. Right to Erasure (“Right to be Forgotten”) – Individuals can request that their data be erased when it is no longer needed or has been processed unlawfully.
  5. Right to Restrict Processing – Processing can be limited in certain circumstances, such as when accuracy is contested.
  6. Right to Withdraw Consent – Consent must be as easy to withdraw as it is to give.
  7. Right to Object – Individuals can object to processing based on certain grounds, including direct marketing. Once they object to marketing, their data must no longer be used for that purpose.
  8. Right Not to be Subject to Automated Decisions – Individuals can challenge decisions made solely by algorithms, including profiling, unless exceptions apply.
  9. Right to Data Portability – Individuals can request their data in a machine-readable format and transfer it to another service provider.

Conclusion

The Nigeria Data Protection Act 2023 is a landmark in Nigeria’s digital transformation. By creating a statutory Commission, introducing enforceable rights, and setting clear compliance obligations, it moves the country closer to international best practice. However, passing a law is only the first step. For the NDPA to succeed, businesses must take compliance seriously, regulators must enforce fairly and consistently, and citizens must be aware of their rights. The real challenge will be striking a balance between encouraging innovation and digital growth and ensuring that personal data is treated not just as an economic asset but as a fundamental human right.

 
