Nigeria Data Protection Regulation (NDPR 2019) + Nigeria Data Protection Act 2023: AI Compliance Requirements

Nigeria has Africa's most comprehensive data protection framework. The Nigeria Data Protection Regulation (NDPR 2019) was superseded by the Nigeria Data Protection Act (NDPA 2023), administered by the Nigeria Data Protection Commission (NDPC). Nigeria is the most populous African country and its largest economy, making compliance critical for any Africa-focused AI deployment. Organizations processing data of over 1,000 Nigerian individuals must file annual data audit reports. AI systems processing Nigerian data must comply with NDPA consent, transparency, and data subject rights requirements.

Key Facts

Effective Date: January 25, 2019

Enforcement Begins: June 14, 2023

Maximum Penalty: NGN 10,000,000 (~$6,500 USD) or 2% of annual gross revenue for data controllers. Criminal liability for willful breaches.

What Your Business Must Do

4 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Lawful Basis and Consent Framework

Critical

NDPA 2023 Section 25 requires a documented lawful basis for all personal data processing: consent, contract, legal obligation, vital interests, public interest, or legitimate interest. AI systems processing Nigerian residents' data must document their basis prior to processing. Consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes and bundled consent are prohibited.

Data Subject Rights (Access, Correction, Deletion)

Critical

NDPA 2023 Sections 34-43 grant Nigerian residents rights to access, rectify, erase, restrict, and port their personal data. AI automated decision-making must be disclosed and human review provided on request. Data controllers must respond within 30 days. A designated Data Protection Officer (DPO) is required for high-risk processing.

Annual Data Protection Audit Filing

High Priority

NDPR 2019 (and transitional NDPA 2023 obligations) require organizations processing data of more than 1,000 Nigerian individuals to submit an annual data audit report to the NDPC before 15 March each year. The report must cover categories of data processed, security measures, breach incidents, and AI-specific processing activities.

Cross-Border Data Transfer Safeguards

Medium Priority

NDPA 2023 Section 43 restricts transfer of Nigerian personal data outside Nigeria to countries with an adequate level of data protection or with NDPC-approved transfer mechanisms (BCRs, standard contractual clauses). Cloud AI services processing Nigerian data must document transfer controls and maintain records available for NDPC inspection.

Frequently Asked Questions

Does Nigeria Data Protection Regulation (NDPR 2019) + Nigeria Data Protection Act 2023 apply to my business?

Nigeria has Africa's most comprehensive data protection framework. The Nigeria Data Protection Regulation (NDPR 2019) was superseded by the Nigeria Data Protection Act (NDPA 2023), administered by the Nigeria Data Protection Commission (NDPC). Nigeria is the most populous African country and its largest economy, making compliance critical for any Africa-focused AI deployment. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Nigeria Data Protection Regulation (NDPR 2019) + Nigeria Data Protection Act 2023 is: NGN 10,000,000 (~$6,500 USD) or 2% of annual gross revenue for data controllers. Criminal liability for willful breaches. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Nigeria Data Protection Regulation (NDPR 2019) + Nigeria Data Protection Act 2023?

The 4 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://ndpc.gov.ng/NDPA2023.pdf

Last updated: 2026-04-14 — verify at source before relying on this information.
