Nigeria Data Protection Act 2023 (NDPA): AI Compliance Requirements

Nigeria's Data Protection Act 2023 (signed June 12, 2023) replaced the 2019 NDPR framework and established the Nigeria Data Protection Commission (NDPC) as the regulatory authority. The NDPA applies to any organization processing personal data of Nigerian residents, wherever the organization is located. This is Africa's most comprehensive data protection law and directly addresses AI-driven processing. Section 24 provides the right to object to automated processing. The NDPA explicitly recognizes AI as a key risk area and requires organizations deploying AI for significant decisions to conduct Data Protection Impact Assessments, establish a legal basis, and maintain processing records. The Act is modelled on GDPR principles.

Key Facts

Effective Date

June 12, 2023

Maximum Penalty

2% of annual gross revenue or NGN 10,000,000 (~$6,500 USD), whichever is greater; criminal penalties for willful violations

What Your Business Must Do

3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Right to Object to Automated Processing (Section 24)

Critical

Under NDPA Section 24, data subjects have the right to object to solely automated processing, including AI profiling, that produces decisions with legal or similarly significant effects. Implement: (1) Privacy notice disclosure of AI-driven significant decisions. (2) A clear mechanism to submit objections and request human review. (3) Timely response (the NDPA requires compliance within a reasonable time). Document all automated decision systems and objection handling procedures.

Data Protection Impact Assessment (DPIA) for AI

High Priority

DPIAs are required for processing likely to result in high risk, including automated decision-making, large-scale profiling, biometric data processing, and novel technology deployments. Before deploying AI systems processing Nigerian residents' data: conduct a formal DPIA, document it, and retain records for NDPC inspection. High-risk DPIAs may require NDPC prior consultation.

NDPC Registration & Data Protection Officer

Medium Priority

Organizations processing personal data of Nigerian residents on a large scale, or processing sensitive personal data, must: (1) Register with the NDPC (ndpc.gov.ng). (2) Designate a Data Protection Officer. (3) Maintain records of processing activities. Unregistered organizations processing Nigerian data face enforcement action.

Frequently Asked Questions

Does the Nigeria Data Protection Act 2023 (NDPA) apply to my business?

Nigeria's Data Protection Act 2023 (signed June 12, 2023) replaced the 2019 NDPR framework and established the Nigeria Data Protection Commission (NDPC) as the regulatory authority. The NDPA applies to any organization processing personal data of Nigerian residents, wherever the organization is located. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under the Nigeria Data Protection Act 2023 (NDPA) is 2% of annual gross revenue or NGN 10,000,000 (~$6,500 USD), whichever is greater; criminal penalties for willful violations. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with the Nigeria Data Protection Act 2023 (NDPA)?

The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://ndpc.gov.ng/media/NDPA_2023.pdf

Last updated: 2026-04-12 — verify at source before relying on this information.
