Blog
Nigeria NDPA 2023: A Compliance Guide for Fintechs, Banks, and Healthtech Companies
The Nigeria Data Protection Act replaced the NDPR in 2023 and brought significantly sharper teeth. Here is what regulated businesses in Nigeria's high-growth sectors need to have in place.
Nigeria’s Data Protection Act 2023 (NDPA) is not a minor update to the Nigeria Data Protection Regulation (NDPR) it replaced. It is a substantive new law with a dedicated enforcement authority, broader territorial scope, higher penalties, and—critically—a compliance timeline that the Nigeria Data Protection Commission (NDPC) is actively enforcing.
Nigeria’s tech ecosystem—the largest in Africa by funding volume—has not always taken data protection seriously. That era is ending. The NDPC has issued enforcement notices, conducted audits across sectors, and made clear that the combination of fintech scale (millions of users, sensitive financial data) and weak internal controls creates exactly the risk profile it was established to address.
This guide is for the compliance, legal, and technology teams at Nigerian fintechs, digital banks, mobile lenders, insurance platforms, and healthtech companies who are working out what the NDPA requires and whether their current programme is adequate.
What the NDPA changed
The NDPR (2019) was a regulation issued by the National Information Technology Development Agency (NITDA). It had meaningful requirements but limited enforcement infrastructure.
The NDPA 2023 is an Act of the National Assembly. Key changes:
Dedicated regulator. The NDPC replaces NITDA as the primary data protection authority. It has statutory independence, investigation powers, and a mandate to build enforcement capability.
Broader territorial scope. The NDPA applies to any organisation that processes personal data of persons in Nigeria, regardless of where the organisation is incorporated or operates from. A UK-based fintech with Nigerian users is within scope.
Stricter lawful basis requirements. Consent under NDPA must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent in terms and conditions, and consent obtained as a precondition to service where consent is not required all fail the standard.
Cross-border transfer conditions for sensitive data. The NDPA does not impose a blanket rule that personal data sit on servers physically located in Nigeria; what it does is restrict transfers out of Nigeria. Personal data relating to health, genetic information and biometrics (and, for the sectors this guide covers, financial and identity details) is the data the NDPC scrutinises most closely, and it may leave Nigeria only where the Act's transfer conditions are met: an NDPC adequacy finding for the destination, appropriate safeguards such as binding corporate rules or approved contractual clauses, or a narrow derogation such as the data subject's explicit, informed consent to that specific transfer.
Higher penalties. Fines are set by reference to revenue rather than a fixed cap: for a data controller or processor of major importance, up to the greater of NGN 10 million or 2% of annual gross revenue for the preceding financial year; for other controllers and processors, up to the greater of NGN 2 million or 2% of annual gross revenue. For a fintech processing at scale, the revenue-linked figure is the one that bites.
The four pressure points for Nigerian fintechs
Consent at onboarding. Most Nigerian fintech onboarding flows were designed for conversion, not compliance. Consent checkboxes at the bottom of long terms documents, permission grants for data uses the user never encounters, and no mechanism for granular withdrawal all fail NDPA requirements. The consent architecture needs to be rebuilt—not patched.
BVN and NIN data handling. Bank Verification Numbers and National Identification Numbers are high-sensitivity identifiers. Their storage, access logging, and transfer practices attract NDPC scrutiny. If BVN/NIN data is accessible to more staff than necessary, stored without encryption, or transferred to third parties without documented agreements, this is a high-priority remediation item.
Third-party data sharing. Nigerian fintechs routinely share customer data with credit bureaux (CRC, FirstCentral, XDS), analytics vendors, and marketing platforms. Each data sharing relationship requires a documented Data Processing Agreement under NDPA. Most organisations have not audited their third-party sharing against this requirement.
Cross-border data transfers. A large portion of Nigerian fintechs use AWS, Google Cloud, or Azure—predominantly in US or EU regions. Transferring Nigerian personal data to these jurisdictions requires either NDPC approval, a binding adequacy assessment, or standard contractual clauses adapted to the NDPA framework. The assumption that GDPR-compliant SCCs satisfy the NDPA is not legally validated.
The compliance baseline
This is the minimum programme that would withstand an NDPC audit without significant findings.
Data inventory
- Record of all personal data categories collected, with lawful basis for each
- Data flow map showing where data goes (internal systems, third-party processors, cross-border)
- Retention schedule with automated enforcement
- Third-party processor register with current DPAs
Consent management
- Granular consent capture at onboarding with clear purpose statements
- Consent withdrawal mechanism that works and triggers downstream deletion
- Consent records stored with timestamp, purpose version, and user identifier
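The consent-management items above describe a data structure, and most failures the NDPC finds are structural: consent stored as one boolean on the user row, no purpose versioning, no way to prove who withdrew what and when. The following is an added illustration of an append-only consent ledger (example code, not from the original post or any product it mentions); the purpose catalogue, lawful bases, processor names and DPA references are constructed placeholders.

```python
"""Append-only consent ledger: one record per (user, purpose) decision.

Added illustration, not code from the original post. PURPOSES, PROCESSORS
and the DPA references are constructed placeholders for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Purpose catalogue: purpose -> (current version, lawful basis).
# Bumping a version (because the purpose text was widened, say) makes consents
# pinned to the old version stale, so the user is asked again instead of the
# old tick being silently re-used. Constructed for the example.
PURPOSES: Dict[str, Tuple[int, str]] = {
    "kyc": (1, "legal_obligation"),   # not consent-based; must not be "consented" to
    "credit_bureau": (2, "consent"),
    "marketing": (3, "consent"),
}

# Downstream processors per purpose, so a withdrawal can fan out deletion.
# Names and DPA references are constructed placeholders.
PROCESSORS: Dict[str, List[str]] = {
    "credit_bureau": ["bureau-A (DPA-0001)"],
    "marketing": ["mailer (DPA-0002)", "analytics (DPA-0003)"],
}


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str
    purpose_version: int
    granted: bool
    recorded_at: str   # ISO-8601 UTC timestamp of the decision
    source: str        # capture point, e.g. "onboarding-v7" or "settings-page"


class ConsentLedger:
    """Append-only: a decision is never edited, only superseded by a later one."""

    def __init__(self) -> None:
        self.purposes = dict(PURPOSES)
        self._records: List[ConsentRecord] = []

    def record(self, user_id: str, purpose: str, granted: bool, source: str,
               now: Optional[datetime] = None) -> ConsentRecord:
        version, basis = self.purposes[purpose]   # KeyError for unknown purposes
        if basis != "consent":
            # Asking for consent where another basis applies is the "precondition
            # to service" pattern the Act rejects; refuse to record it.
            raise ValueError(f"{purpose!r} rests on {basis}, not consent")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        rec = ConsentRecord(user_id, purpose, version, bool(granted), ts, source)
        self._records.append(rec)
        return rec

    def latest(self, user_id: str, purpose: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.purpose == purpose:
                return rec
        return None

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        version, basis = self.purposes[purpose]
        if basis != "consent":
            return True   # processing justified by another lawful basis
        rec = self.latest(user_id, purpose)
        # No record -> no consent (never default to opt-in).
        # Stale version -> the purpose changed since the tick; ask again.
        return rec is not None and rec.granted and rec.purpose_version == version

    def withdraw(self, user_id: str, purpose: str, source: str,
                 now: Optional[datetime] = None) -> List[str]:
        """Record the withdrawal and return the processors that must now delete."""
        self.record(user_id, purpose, False, source, now)
        return list(PROCESSORS.get(purpose, []))

    def bump_purpose(self, purpose: str) -> int:
        """Purpose wording changed: new version, existing consents go stale."""
        version, basis = self.purposes[purpose]
        self.purposes[purpose] = (version + 1, basis)
        return version + 1

    def export(self, user_id: str) -> List[ConsentRecord]:
        """For an access request: every decision ever recorded for this user."""
        return [r for r in self._records if r.user_id == user_id]
```

Three properties matter here: a grant is per purpose, never bundled; a withdrawal is a new record that returns the list of processors to notify, which is what "triggers downstream deletion" has to mean operationally; and a consent given against an older purpose version stops authorising processing, so a product change forces re-consent instead of quietly inheriting the old tick.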
Data subject rights
- Functional process for access requests (response within 21 days under NDPA)
- Deletion request handling that verifies cross-system erasure
- Correction request workflow with documented outcome
Security controls
- Encryption at rest and in transit for all personal data
- Access controls with least-privilege for all systems containing personal data
- Access logs retained and searchable
- BVN/NIN access restricted to role-justified users with logged access
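The last two items above, searchable access logs and role-justified BVN/NIN access, are the ones an auditor will test by asking "who read this customer's BVN last month, and why?" The following is an added illustration (example code, not from the original post or any product it mentions) of an access gate that decides on role, purpose and a case reference, returns masked values to everyone else, and writes every attempt, allowed or denied, to an HMAC-chained log so entries cannot be edited or dropped unnoticed. The role policy, sample customer and identifier values are constructed; encryption at rest of the underlying store is assumed to be handled by the database or KMS layer and is not shown.

```python
"""Role-justified access to BVN/NIN with a tamper-evident access log.

Added illustration, not code from the original post. POLICY, the actors and
the sample identifiers are constructed for the example; encryption at rest of
the store is assumed to be provided by the database/KMS layer and not shown.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# (role, field) -> purposes for which a full, unmasked read is justified.
# Anything not listed is denied. Constructed policy for the example.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("kyc_analyst", "bvn"): {"identity_verification"},
    ("kyc_analyst", "nin"): {"identity_verification"},
    ("fraud_analyst", "bvn"): {"fraud_investigation"},
    # support agents have no entry: they get masked values only
}


class AccessDenied(Exception):
    """Raised when a full read is not role- and purpose-justified."""


def mask(identifier: str) -> str:
    """Show only the last four digits; enough for a support conversation."""
    return "*" * (len(identifier) - 4) + identifier[-4:]


class IdentifierVault:
    """Holds BVN/NIN per customer behind a gate that logs every access."""

    def __init__(self, log_key: bytes) -> None:
        self._store: Dict[str, Dict[str, str]] = {}
        self._log: List[Tuple[dict, str]] = []   # (event, hex MAC)
        self._key = log_key
        self._prev = b"\x00" * 32                 # head of the HMAC chain

    def put(self, customer_id: str, **identifiers: str) -> None:
        self._store[customer_id] = dict(identifiers)

    def _append_log(self, event: dict) -> None:
        # Each MAC covers the previous MAC plus this event, so editing or
        # deleting an earlier entry invalidates every later one (verify_log).
        payload = json.dumps(event, sort_keys=True).encode()
        mac = hmac.new(self._key, self._prev + payload, hashlib.sha256).digest()
        self._log.append((event, mac.hex()))
        self._prev = mac

    @staticmethod
    def _event(actor: str, role: str, customer_id: str, field: str,
               purpose: str, outcome: str, ticket: Optional[str],
               now: Optional[datetime]) -> dict:
        return {
            "at": (now or datetime.now(timezone.utc)).isoformat(),
            "actor": actor, "role": role, "customer_id": customer_id,
            "field": field, "purpose": purpose, "ticket": ticket,
            "outcome": outcome,
        }

    def read(self, actor: str, role: str, customer_id: str, field: str,
             purpose: str, ticket: Optional[str],
             now: Optional[datetime] = None) -> str:
        """Full read: needs a permitted (role, field, purpose) and a case ticket."""
        allowed = purpose in POLICY.get((role, field), set()) and bool(ticket)
        outcome = "allowed" if allowed else "denied"
        self._append_log(self._event(actor, role, customer_id, field,
                                     purpose, outcome, ticket, now))
        if not allowed:
            raise AccessDenied(f"{role} may not read {field} for {purpose!r}")
        return self._store[customer_id][field]

    def read_masked(self, actor: str, role: str, customer_id: str, field: str,
                    now: Optional[datetime] = None) -> str:
        """Masked read for everyday support use; still logged."""
        self._append_log(self._event(actor, role, customer_id, field,
                                     "masked_display", "masked", None, now))
        return mask(self._store[customer_id][field])

    def log_entries(self) -> List[dict]:
        return [event for event, _ in self._log]

    def verify_log(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = b"\x00" * 32
        for event, mac_hex in self._log:
            payload = json.dumps(event, sort_keys=True).encode()
            expected = hmac.new(self._key, prev + payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), mac_hex):
                return False
            prev = expected
        return True
```

The ticket requirement is deliberate: "role-justified" means the role alone is not enough, every unmasked read has to cite the KYC case or fraud investigation it serves, and the log then answers the auditor's question directly. In production the log key would live in an HSM or KMS and the chain would be anchored externally (for example by periodically publishing the latest MAC), since a single in-process key only protects against tampering by someone who lacks it.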
Incident response
- Breach identification procedure with NDPC notification trigger
- Breach register maintained with outcome records
- 72-hour notification procedure documented and tested
Governance
- Data Protection Officer designated and registered with NDPC
- Annual data protection audit conducted by an NDPC-licensed auditor (required for organisations processing data of more than 10,000 Nigerians)
- Staff training on NDPA obligations
The auditor registration requirement
One requirement that catches many organisations off guard: organisations that process personal data of more than 10,000 data subjects are required to register with the NDPC as a Data Controller of Major Importance (DCMI) and submit to annual data protection audits conducted by NDPC-licensed Data Protection Compliance Organisations (DPCOs).
For a Nigerian fintech with 50,000 active users, this is not optional. The registration requirement, the audit obligation, and the DPCO engagement all need to be in place. NDPC has published the DCMI register and is actively pursuing organisations that should be on it but are not.
Building for enforcement, not just compliance
The NDPC’s enforcement posture in 2025 and 2026 has made clear that it is not interested in organisations that have a data protection policy and not much else. It is auditing operational controls—whether consent records actually exist, whether data subject requests are actually processed, whether the DPO has actual authority or is a job title on a policy document.
The organisations that are navigating this well have built data protection into their operational infrastructure. Consent is captured in a system. Data subject requests generate structured tickets with audit trails. Retention policies execute automatically against defined schedules. Third-party sharing is logged with the DPA reference and the data transferred.
This is achievable for a fintech of any size. The question is whether to build it before the NDPC comes or after.