The Nigeria Data Protection Commission (NDPC) has issued a 21-day ultimatum to banks, insurance companies, pension funds, and gaming firms to prove compliance with the Nigeria Data Protection Act (NDP Act), 2023, or risk being sanctioned.
In a statement released in Abuja, Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations at the NDPC, said the move follows a nationwide investigation into institutions suspected of failing to meet their statutory obligations.
Organisations flagged in the compliance notice must, within 21 days, submit:
Evidence of submitting their 2024 Compliance Audit Returns as mandated by Section 6(d) of the Act
Proof of appointing a Data Protection Officer, including contact details.
A summary of the technical and organisational measures in place to safeguard personal data
Proof of registration as a Data Controller or Processor of Major Importance.
The NDPC also announced that the list of affected organisations will be published in major national newspapers starting Monday, 25 August 2025.
This enforcement marks a significant step in Nigeria’s efforts to uphold citizens’ data rights and build a trusted digital economy.
The NDP Act, established in 2023, sets strict accountability for how organisations collect, store, and manage personal data.
With over 40 million Nigerians now spending upwards of six hours on social media daily, data protection has become a critical public concern. Institutions handling large volumes of personal data, especially in finance and entertainment, must now demonstrate transparency and preparedness.
This directive not only reinforces legal compliance but also signals growing institutional expectations in protecting personal data amid a digital-first economy.
