NDPC gives banks, insurance firms 21 days to comply with data protection audit

The Nigeria Data Protection Commission (NDPC) has given banks, insurance firms, gaming companies, and pension operators 21 days to show proof of compliance with the Nigeria Data Protection Act (NDP Act), 2023 or face sanctions.

The NDPC issued the directive in a compliance notice by Babatunde Bamigboye, its head of legal enforcement and regulations.

The commission said a list of affected organisations will be published in major national newspapers on August 25.

“The NDP Act, 2023 seeks to safeguard the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999,” the notice reads.

“Strengthen the legal foundations of Nigeria’s digital economy while ensuring the nation’s trusted and beneficial participation in regional and global economies through responsible use of personal data.

“In line with Sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the NDP Act, the Commission has issued Compliance Notices to certain organisations listed in the schedule of its notice.

“The list of these organisations will be published on Monday, 25th August 2025, in some major newspapers across the country.

“The list of organisations were drawn from insurance companies, pension companies, gaming companies, banks, and insurance brokers.”

Citing sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the law, the NDPC said the companies are required to submit evidence of compliance within 21 days.

“The organisations are required to provide; Evidence of filing NDP Act Compliance Audit Returns for 2024 (S.6(d) of the NDP Act),” the data agency added.

“Evidence of designation or appointment of a Data Protection Officer, including name and contact details (S.32).

“Summary of technical and organisational measures for data protection within the organisation (S.39). Evidence of registration as a Data Controller or Processor of Major Importance (S.44)”

The commission warned that failure to comply with the directive could result in enforcement actions, “including the issuance of an enforcement order, administrative fines, and/or criminal prosecution”.

The NDPC said the exercise was part of efforts to ensure a culture of accountability and trust in Nigeria’s data protection and privacy ecosystem, “while safeguarding the rights of data subjects and strengthening the nation’s digital economy”.