The Nigeria Data Protection Commission (“NDPC”), pursuant to its powers under the Nigeria Data Protection Act 2023 (“NDPA”), issued a compliance notice on August 25, 2025, to 1,368 organizations operating in Nigeria, with a 21-day timeline within which to report compliance.
In light of this development, we issue this advisory note to all our partners to underscore the importance of ensuring full compliance with the NDPA, the General Application and Implementation Directive (GAID) 2025, and other applicable data protection regulations in Nigeria.
We have outlined below the steps required to ensure compliance with the NDPC compliance notice:
| NDPC Compliance Map | Status |
| --- | --- |
| Register with the NDPC. | |
| Appoint a Data Protection Officer. | |
| Engage a Data Protection Compliance Organisation (DPCO) to conduct a detailed audit of your organisation’s data processing activities. | |
| Engage a DPCO to review and update your policies to ensure compliance with the standards. | |
| Engage a DPCO to conduct your data protection training. | |
| Ensure to file the compliance audit returns with the NDPC (if you have not filed). | |
| Deadline | On or before 14th September 2025 |
To understand the above in full detail, please see the guidance below.
Compliance Obligations for Data Processors/Controllers
- Registration: Register as a Data Controller/Processor of Major Importance where applicable, in line with the NDPA.
- Data Protection Compliance Audit: Engage a Data Protection Compliance Organisation (DPCO) to conduct a data protection compliance audit of your data handling practices to identify gaps, areas of non-compliance and propose recommendations for compliance with the NDPA and GAID.
- Preparation, Assessment, and Review of Policies: Every data controller/processor has an obligation to prepare relevant data compliance policies and update its existing policies to align with the current standards provided under the NDPA and its extant regulations.
- Appointment of a Designated Data Protection Officer (DPO): In compliance with the NDPA, every organization must have a Data Protection Officer (DPO) who bears the responsibility of ensuring that the organization’s processes are in compliance with applicable rules. The DPO should possess expert knowledge of data protection laws and practices.
- Regulatory Filings: File annual Compliance Audit Returns (CAR) with the NDPC where applicable. The deadline for filing a CAR is on or before March 15 of each year; however, organizations are permitted to file late upon payment of a penalty fee.
- Capacity Building: The GAID provides that data processors/controllers must undergo periodic training on data compliance. Organisations are encouraged to engage a DPCO to provide training and capacity building for employees and key personnel in line with NDPA requirements and maintain evidence of same.
Consequences of Non-Compliance
Failure to comply with the NDPA and applicable regulations may expose an organisation to the following penalties:
- Late filing fees (for late registrations or filings of compliance audit returns);
- Administrative fines; or
- A fine of ₦2,000,000, and 2% of the defaulter’s annual gross revenue in the preceding financial year (“standard maximum”). Penalties applied are typically at the discretion of the NDPC.
We remain available to address any questions you may have. Hamu Legal, a licensed Data Protection Compliance Organisation with the NDPC, is equipped to guide your organization through each stage of the compliance process.