
Data Residency in Nigeria: NDPR and NDPA Compliance Guide

Navigate Nigeria's data protection framework including the NDPR, Nigeria Data Protection Act, and cross-border transfer requirements.

GlobalDataShield Team | 8 min read

Introduction

Nigeria, one of Africa's largest economies and its most populous nation, has rapidly developed its data protection framework in recent years. The Nigeria Data Protection Regulation (NDPR) of 2019, followed by the Nigeria Data Protection Act (NDPA) of 2023, established a comprehensive legal framework for personal data protection. With over 200 million people and a booming digital economy, Nigeria's data residency rules are increasingly important for organizations operating in West Africa and across the continent.

Evolution of Nigeria's Data Protection Framework

Timeline

Year | Development
2019 | Nigeria Data Protection Regulation (NDPR) issued by NITDA
2020 | NDPR Implementation Framework published
2022 | Nigeria Data Protection Bureau (NDPB) established
2023 | Nigeria Data Protection Act (NDPA) signed into law
2023 | Nigeria Data Protection Commission (NDPC) established under the NDPA

From NDPR to NDPA

The NDPR, issued by the National Information Technology Development Agency (NITDA), served as Nigeria's primary data protection regulation from 2019. The NDPA, signed into law in June 2023, elevated data protection to the level of a parliamentary act and established the Nigeria Data Protection Commission (NDPC) as an independent regulatory body.

Overview of the NDPA

The NDPA applies to the processing of personal data by:

  • Data controllers or processors established in Nigeria
  • Data controllers or processors not established in Nigeria but processing data of individuals in Nigeria
  • Data controllers or processors not established in Nigeria but processing data within Nigeria

Key Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Sensitive Personal Data: Data revealing racial or ethnic origin, religious or similar beliefs, political opinions, health data, sexual life, genetic data, biometric data, trade union membership, criminal records, and other data designated by the NDPC
  • Data Controller: A person who determines the purposes and means of processing personal data
  • Data Processor: A person who processes personal data on behalf of a data controller
  • Data Subject: An identified or identifiable natural person

Lawful Bases for Processing

The NDPA provides several legal bases:

  • Consent of the data subject
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests
  • Performance of a task in the public interest
  • Legitimate interests of the controller or a third party

Cross-Border Data Transfer Rules

The NDPA establishes specific conditions for transferring personal data outside Nigeria.

Transfer Conditions

Personal data may be transferred to another country or international organization if:

  • The NDPC has determined that the destination provides adequate protection
  • Appropriate safeguards are in place (standard contractual clauses, binding corporate rules, codes of conduct, or certification mechanisms)
  • The data subject has given explicit consent after being informed of the risks
  • The transfer is necessary for contract performance
  • The transfer is necessary for important reasons of public interest
  • The transfer is necessary for legal claims
  • The transfer is necessary to protect vital interests

Adequacy Assessments

The NDPC considers the following factors when assessing adequacy:

  • The rule of law and respect for human rights
  • The existence of an independent supervisory authority
  • Data protection legislation and enforcement
  • International commitments
  • The country's data protection track record

Data Localization Considerations

While the NDPA does not impose a blanket data localization requirement, certain practical considerations apply:

  • The NDPC may issue sector-specific guidance requiring localization
  • Government data may have localization requirements
  • Sector regulators (particularly in banking and telecommunications) may impose additional requirements
  • The NDPA requires that data controllers maintain a record of processing activities, which must be accessible to the NDPC

Consent Requirements

The NDPA establishes detailed consent requirements:

  • Consent must be freely given, specific, informed, and unambiguous
  • For sensitive data, consent must be explicit
  • Consent for children (under 18) must be given by a parent or guardian
  • The data subject must be informed of the right to withdraw consent at any time
  • Withdrawal of consent must be as easy as giving consent
  • Consent must not be bundled with other terms and conditions

Rights of Data Subjects

The NDPA grants comprehensive rights:

  • Right to Information: Be informed about the processing of their data
  • Right of Access: Obtain confirmation of processing and access to their data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of data in certain circumstances
  • Right to Restriction: Request restriction of processing
  • Right to Data Portability: Receive data in a structured, commonly used format
  • Right to Object: Object to processing, including for direct marketing
  • Right Regarding Automated Decisions: Not be subject to decisions based solely on automated processing that produce significant effects

Obligations for Data Controllers

Data Protection Impact Assessment

Controllers must conduct DPIAs when processing is likely to result in high risk, including:

  • Large-scale processing of sensitive data
  • Systematic monitoring of public areas
  • Use of new technologies
  • Profiling with significant effects

Data Protection Officer

The NDPA requires data controllers designated as being of major importance to appoint a DPO. Under the NDPR Implementation Framework, a DPO is also expected when:

  • The controller is a public authority
  • Core activities require regular and systematic monitoring of data subjects on a large scale
  • Core activities consist of large-scale processing of sensitive data

Breach Notification

In the event of a personal data breach:

  • The NDPC must be notified within 72 hours of becoming aware of the breach
  • Data subjects must be notified without undue delay when the breach is likely to result in high risk
  • Notifications must include the nature of the breach, categories of data affected, likely consequences, and measures taken

Record Keeping

Controllers must maintain records of processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Recipients of data
  • Cross-border transfers
  • Retention periods
  • Security measures

Compliance Audit Requirements

The NDPA and its predecessor NDPR require certain organizations to conduct annual data protection audits:

  • Organizations processing personal data of more than 2,000 data subjects in a 12-month period must file a data protection audit report
  • Audits must be conducted by a licensed Data Protection Compliance Organization (DPCO)
  • Audit reports must be filed with the NDPC

Data Protection Compliance Organizations (DPCOs)

DPCOs are organizations licensed by the NDPC to:

  • Conduct data protection audits
  • Provide training on data protection
  • Assist organizations with compliance
  • Serve as external DPOs

Penalties and Enforcement

The NDPA provides for significant penalties:

Category | Maximum penalty
Data controllers or processors of major importance | Up to 2% of annual gross revenue of the preceding financial year or NGN 10 million, whichever is higher
Data controllers or processors not of major importance | Up to 2% of annual gross revenue of the preceding financial year or NGN 2 million, whichever is higher
Specific criminal offenses | Fines and/or imprisonment as specified in the Act

Additional enforcement powers include:

  • Issuing enforcement notices
  • Ordering corrective actions
  • Suspending data processing activities
  • Ordering data deletion

Sector-Specific Considerations

Banking and Finance

The Central Bank of Nigeria (CBN) has additional requirements for the institutions it supervises:

  • The CBN Consumer Protection Framework includes provisions on the handling of customer data
  • The CBN Risk-Based Cybersecurity Framework sets security expectations that cover customer and payment data
  • Payment data has specific handling requirements

Telecommunications

The Nigerian Communications Commission (NCC) has rules for:

  • Subscriber data protection
  • SIM registration data handling
  • Data retention requirements

Healthcare

Health data is classified as sensitive under the NDPA and requires:

  • Explicit consent for processing
  • Enhanced security measures
  • Compliance with National Health Act provisions

Practical Compliance Steps

Step 1: Register with the NDPC and Engage a DPCO

Data controllers and processors of major importance must register with the NDPC. If your organization processes data of more than 2,000 data subjects in a 12-month period, also engage a licensed DPCO for annual audit compliance.

Step 2: Conduct a Data Inventory

Map all personal data processing activities, including storage locations and cross-border transfers.

Step 3: Implement Consent Management

Build systems for obtaining, recording, and managing consent in compliance with NDPA requirements.

Step 4: Review Cross-Border Transfers

For each international transfer:

  • Check NDPC adequacy determinations
  • Implement appropriate safeguards
  • Document the legal basis for each transfer

Step 5: Establish Breach Notification Procedures

Prepare for the 72-hour notification requirement with incident response procedures that have been exercised in advance, so the clock that starts when you become aware of a breach is not spent deciding who investigates, who drafts the notice, and who reports to the NDPC.

How GlobalDataShield Supports Nigerian Compliance

Nigeria's rapidly evolving data protection landscape requires adaptable infrastructure. GlobalDataShield enables organizations to implement data residency controls that support NDPA compliance, providing the encryption, access management, and audit trail capabilities needed to meet both NDPC requirements and sector-specific obligations.

Conclusion

Nigeria's data protection framework has matured significantly with the NDPA, establishing the NDPC as an independent regulator and introducing comprehensive data protection obligations. Organizations processing personal data of Nigerian residents must invest in compliance infrastructure, including annual audits, robust consent management, and careful management of cross-border data flows. As the NDPC develops its regulatory guidance, organizations should stay informed and maintain flexible compliance programs.

Ready to Solve Data Residency?

Get started with GlobalDataShield - compliant document hosting, ready when you are.