The Nigeria Data Protection Commission, NDPC, has concluded arrangements to begin a comprehensive investigation of companies in the various sectors of the economy in order to expose data breaches and mete out appropriate sanctions.
The NDPC said companies in the insurance, banking, hospitality, pension, gaming and insurance brokers amongst others would be probed to determine their compliance with the NDP Act 2023.
The Commission in a statement issued in Abuja and signed by its Head of Legal, Enforcement and Regulations, Barrister Babatunde Bamigboye, said its action was “in furtherance of its mandate under the Nigeria Data Protection Act (NDP Act), 2023.”
Bamigboye said NDPC would commence a sector-by-sector investigation of organisations suspected of non-compliance with the provisions of the Act.
He added that the list of affected organisations/companies in various sectors would be published in some major national dailies on Monday 25th of August.
Bamigboye explained that the NDP Act, 2023 seeks to “safeguard the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999.
“And strengthen the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through responsible use of personal data.”
Bamigboye said, “In line with Sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the NDP Act, the Commission has issued Compliance Notices to certain organisations listed in the schedule of its notice.
“The list of these organisations will be published on Monday, 25th August 2025, in some major newspapers across the country. The list of organisations were drawn from insurance companies, pension companies, gaming companies, banks, and insurance brokers.
“These organisations are required to, within twenty-one (21) days of issuance, provide the following: Evidence of filing NDP Act Compliance Audit Returns for 2024 (S.6(d) of the NDP Act),
Evidence of designation or appointment of a Data Protection Officer, including name and contact details (S.32).
Others are “Summary of technical and organisational measures for data protection within the organisation (S.39).
“And Evidence of registration as a Data Controller or Processor of Major Importance (S.44).”
“The Commission reiterates that failure to comply with this Compliance Notice may result in enforcement actions, including the issuance of an Enforcement Order, administrative fines, and/or criminal prosecution in accordance with the NDP Act, 2023.
“The NDPC remains committed to ensuring a culture of accountability and trust in Nigeria’s data protection and privacy ecosystem, while safeguarding the rights of data subjects and strengthening the nation’s digital economy,” Bamigboye said.
