In May 2026, Nigeria’s National Assembly publicly signalled its intention to review the National Data Protection Act, enacted in 2023, citing the rapid expansion of artificial intelligence, escalating cyber threats, and the need for stronger enforcement mechanisms. For in-house counsel, Data Protection Officers, CTOs, and compliance officers at Nigerian and multinational organisations, this legislative review creates both urgency and uncertainty: existing obligations under the NDPA remain fully enforceable, yet the rules governing AI, cross-border data transfers, and breach notification could shift materially within the coming legislative cycle.
This guide provides a practical compliance roadmap, grounded in the current Act, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID), and the parliamentary signals reported to date, so that organisations can act now rather than scramble later.
The National Data Protection Act 2023 (NDPA) is Nigeria’s primary data protection legislation. It replaced the earlier Nigeria Data Protection Regulation (NDPR) 2019 and established a comprehensive, statute-based framework for the processing of personal data. The Act also created the Nigeria Data Protection Commission (NDPC) as an independent regulatory body with investigation, enforcement, and penalty-issuing powers.
The NDPA applies to any data controller or data processor that processes the personal data of individuals residing in Nigeria, regardless of whether the controller or processor is itself located in Nigeria. This extraterritorial reach means that foreign cloud providers, SaaS platforms, and multinational employers with Nigerian staff or customers fall squarely within the Act’s scope. Controllers bear primary accountability for lawful processing; processors must act only on documented instructions and comply with security and breach-response obligations.
The Act codifies principles that will be familiar to anyone who has worked with the EU’s GDPR or the African Union Convention on Cyber Security. These principles form the foundation for every compliance assessment:
The NDPC serves as the supervisory authority under Nigeria’s National Data Protection Act framework. Its mandate includes receiving complaints from data subjects, conducting investigations and compliance audits, and issuing enforcement notices. The Commission also administers a registration regime for data controllers and processors of major importance, requiring them to file details of their processing activities.
A distinctive feature of Nigeria’s regime is the licensing of Data Protection Compliance Organisations (DPCOs). These are third-party firms authorised by the NDPC to conduct data protection audits and assist controllers with compliance. Under the GAID issued by the NDPC, organisations that meet specified thresholds must engage a licensed DPCO to carry out annual audits and submit audit reports to the Commission. The likely practical effect of the 2026 review will be to tighten these audit requirements and raise the stakes for non-compliance.
The parliamentary review signals reported in May 2026 point to several areas where amendments are either likely or possible. It is important to distinguish between the two: “likely” amendments are those where political momentum, NDPC advocacy, and international regulatory trends all converge; “possible” amendments are those under discussion but without clear consensus. The analysis below reflects editorial commentary based on publicly reported signals and regulatory trends; no amendment bill text has been published at the time of writing.
Industry observers expect the National Assembly to expand the NDPC’s enforcement toolkit. Under the current Act, the Commission can issue compliance notices, conduct investigations, and impose administrative fines. However, early indications suggest lawmakers are considering graduated penalty scales tied to annual turnover, a model already adopted by the EU’s GDPR and Kenya’s Data Protection Act. The likely practical effect would be substantially higher financial exposure for large-scale data controllers, particularly in financial services, telecommunications, and e-commerce. Penalty caps may also be introduced for smaller enterprises to avoid disproportionate impact.
Separately, there are signals that the review may grant the NDPC power to order the suspension of processing activities, a far more disruptive sanction than fines alone. Organisations should model their risk exposure under both current and potential penalty regimes.
The intersection of AI regulation and data protection law facing Nigerian businesses is a central driver of the review. The current NDPA does not contain explicit provisions addressing automated decision-making, algorithmic profiling, or machine-learning model training. Industry observers expect the review to introduce at minimum a right for data subjects to obtain human review of solely automated decisions that produce legal or similarly significant effects, mirroring Article 22 of the GDPR.
A possible further step would be mandatory algorithmic impact assessments for high-risk AI systems processing Nigerian personal data. If enacted, this would require organisations to document the logic, training data provenance, and fairness testing of AI models before deployment. Companies building or procuring AI tools should begin these assessments now, as retroactive compliance will be significantly more costly.
Cross-border data transfers that Nigerian organisations routinely undertake (to cloud providers, group companies, and offshore processors) are likely to face stricter scrutiny. The current NDPA permits transfers where the receiving country provides an adequate level of protection or where appropriate safeguards (such as contractual clauses) are in place. The review may introduce a formal adequacy-determination process managed by the NDPC, as well as mandatory transfer impact assessments. Data localisation requirements, mandating that certain categories of data be stored on servers physically located in Nigeria, remain a possible but more contentious proposal.
The DPCO audit model is likely to be strengthened. Early indications suggest amendments may expand the categories of organisations required to undergo mandatory annual audits and increase the documentation that must be submitted to the NDPC. Organisations that currently fall below the audit threshold should assess whether expanded thresholds would capture them.
For CTOs and AI teams, the combination of existing NDPA obligations and anticipated amendments creates a specific set of legal risks that must be managed proactively. Even without explicit AI provisions in the current Act, core data protection principles (lawfulness, data minimisation, accuracy, and accountability) apply to every AI system that processes personal data.
Several provisions of Nigeria’s current National Data Protection Act framework have direct implications for AI and machine-learning projects. The data minimisation principle limits the volume and categories of personal data that may be ingested into training datasets. The accuracy principle requires that models producing outputs about individuals be reasonably accurate and subject to correction. The accountability principle demands that controllers be able to demonstrate, through documentation, audit trails, and impact assessments, that their AI systems comply with the law. Where AI systems process special categories of personal data (health data, biometric data, or data revealing ethnic origin), additional safeguards apply.
When engaging AI vendors or cloud-based ML platforms, organisations should include contractual provisions that address NDPA compliance specifically. Key clauses include: processor obligations to act only on documented instructions; restrictions on secondary use of personal data for model training; audit rights allowing the controller (or its DPCO) to inspect the vendor’s processing operations; and data breach notification timelines that are at least as strict as the NDPA requires.
| AI Risk | NDPA Issue | Mitigation |
|---|---|---|
| Training on excessive personal data | Data minimisation principle breach | Anonymise or pseudonymise datasets; document necessity for each data category |
| Opaque algorithmic decisions | Transparency and accountability obligations | Implement explainability frameworks; maintain model cards |
| Automated profiling with legal effect | Potential ADM rights under amended NDPA | Build human-in-the-loop review; conduct DPIA before deployment |
| Bias in model outputs | Accuracy principle; special categories risk | Bias testing pre- and post-deployment; fairness audits by independent DPCO |
| Cross-border model training | Transfer rules under NDPA; potential localisation | Transfer impact assessment; contractual safeguards with offshore vendors |
Organisations do not need to wait for the National Assembly to table a bill before taking action. The current NDPA is fully in force, and the NDPC has been actively issuing guidance and conducting audits. The following 90-day roadmap provides a structured approach to strengthening compliance posture while the legislative review unfolds.
The first priority is understanding the organisation’s current exposure. This phase should produce a clear picture of what personal data the organisation processes, on what legal basis, and where it flows.
With the data inventory complete, the focus shifts to preparing the documentary evidence the NDPC will expect during an audit and remediating contractual gaps.
The final phase embeds the data protection compliance that Nigerian organisations need into ongoing governance structures rather than treating it as a one-off project.
The NDPC has been building its enforcement capacity since the NDPA came into force, and the GAID provides detailed implementation guidance for regulated entities. Understanding what the Commission expects during an NDPC compliance audit is essential for any organisation processing Nigerian personal data at scale.
Typical audit triggers include complaints from data subjects, breach notifications that reveal systemic weaknesses, failure to register or file annual audit reports, and sector-wide sweeps targeting industries with high volumes of personal data (banking, telecoms, health tech, and e-commerce). The NDPC assesses compliance across multiple dimensions: lawfulness of processing, adequacy of security measures, completeness of documentation, and responsiveness to data subject rights requests.
| Evidence Category | Documents / Records Required |
|---|---|
| Data processing inventory | Register of processing activities; data flow maps; legal basis documentation |
| Contracts and agreements | Data processing agreements; SCC equivalents; sub-processor lists and contracts |
| Privacy notices and consent | Current privacy policies; consent collection mechanisms and logs; opt-out records |
| DPIAs | Completed DPIAs for high-risk processing; risk mitigation records; review schedules |
| Security measures | Information security policies; encryption standards; access control logs; penetration test reports |
| Breach response | Incident response plan; breach register; NDPC notification records; forensic reports |
| Training and governance | DPO appointment letter; training materials and attendance logs; board reporting records |
| DPCO audit reports | Annual audit reports filed with NDPC; remediation action plans and completion evidence |
The likely practical effect of the 2026 review is that audit obligations will expand. Organisations that build comprehensive audit-readiness files now will be better positioned regardless of whether the threshold for mandatory audits is lowered or the scope of required documentation is broadened.
Contractual controls are a front-line defence for the data protection compliance that Nigerian businesses rely upon, particularly when personal data flows to processors or group companies outside the country. The current NDPA permits cross-border data transfers where adequate safeguards are in place, but the 2026 review may introduce a formal adequacy framework and mandatory transfer impact assessments.
| Entity Type | NDPA Obligation (Summary) | Practical Action (Example) |
|---|---|---|
| Data Controller (domestic) | Notify NDPC of personal data breaches within NDPA timelines and preserve forensic evidence | Establish incident response plan; legal-reviewed breach notice template; forensic vendor on retainer |
| Data Processor (international cloud vendor) | Assist controllers with breach response; comply with contractual notification clauses | Add specific SLA clauses; extra-jurisdictional logging and access controls |
| Data Controller (foreign entity processing Nigerian residents’ data) | Subject to NDPA; must appoint local representative and comply with transfer rules | Appoint local legal representative; perform transfer impact assessments |
The National Assembly’s 2026 review of Nigeria’s National Data Protection Act framework is not a reason to wait; it is a reason to accelerate compliance. Every obligation under the current NDPA remains enforceable, and the direction of reform points unambiguously toward stronger enforcement, broader audit requirements, and new rules for AI and cross-border transfers. Organisations that act now will navigate the transition with far less disruption than those that defer.
Five priority actions stand out. First, complete a data processing inventory and rapid impact assessment within 30 days. Second, build an NDPC audit-readiness file and remediate processor contracts within 60 days. Third, conduct DPIAs for all high-risk processing, especially AI systems, within 90 days. Fourth, establish a tested breach-response protocol with forensic vendor support. Fifth, monitor the legislative review and NDPC directives closely, adjusting governance frameworks as amendment details emerge. Qualified data protection lawyers in Nigeria can provide tailored guidance on each of these steps, from NDPC registration and DPCO engagement to AI governance advisory and cross-border transfer structuring.
Disclaimer: This article provides general legal information current as of May 17, 2026. It does not constitute legal advice. Organisations should obtain advice tailored to their specific circumstances from a qualified legal professional. The legislative review discussed is ongoing, and the content will be updated as the National Assembly and NDPC publish further materials.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Paul Mgbeoma at Tayo Oyetibo LP, a member of the Global Law Experts network.