NDPC: Rebuilding trust in Nigeria’s digital space

Nigeria’s digital ecosystem is expanding more rapidly than many appreciate. Rising internet access, driven largely by mobile phone adoption, has embedded digital services such as banking, e-commerce and social networking into daily life. By November 2025, internet penetration had surpassed 50 per cent, reaching 50.58 per cent, up from 45.61 per cent in January of the same year, according to industry data from the Nigerian Communications Commission. This represents an increase of nearly five percentage points within a year.

With more than 100 million Nigerians now online, and mobile internet accounting for most access, digital penetration has boosted economic activity across several sectors. At the same time, it has transferred unprecedented volumes of personal information into digital systems. Every interaction opening a mobile bank account, registering on a health platform, joining social media or ordering goods online generates personal data. While this data enables convenience and efficiency, it also introduces vulnerability. Digital growth without adequate safeguards exposes individuals to significant risk.

Between 2019 and mid-2023, data privacy regulation was overseen by the National Information Technology Development Agency. That framework was widely viewed as limited in both scope and enforcement. A major shift occurred in June 2023 with the enactment of the Nigeria Data Protection Act. The law established the Nigeria Data Protection Commission (NDPC) as an independent authority with powers to regulate how personal data is collected, processed, stored and shared. The Commission is mandated to protect personal information, enforce privacy standards and promote responsible data practices across public and private institutions. Reporting to the Presidency, it derives its authority directly from the Act, including the power to issue binding rules and take enforcement action.

This institutional change goes beyond regulatory formality. It reflects an understanding that weak data governance undermines trust in digital systems. Nigerians increasingly face identity theft, unauthorised data access and opaque data usage. These harms carry economic, social and psychological consequences, ranging from financial loss and reputational damage to exclusion from essential services and prolonged recovery efforts. For younger, digitally native populations, constant exposure to unchecked data collection risks normalising surveillance and eroding expectations of privacy. The NDPC’s mandate is to counter this trend by making trust a cornerstone of Nigeria’s digital economy.

At the heart of the Nigeria Data Protection Act is the principle that personal data belongs to the individual, not the platform or institution that collects it. The law grants citizens specific rights, including access to their data, correction of inaccuracies, objection to certain forms of processing, restriction of use and, in defined circumstances, deletion. These rights align with international best practices and embed individual control within Nigeria’s legal framework, compelling organisations to treat privacy as a core responsibility rather than an optional add-on.

Translating legal provisions into effective protection remains challenging. Many small and medium-sized enterprises lack the technical capacity and financial resources needed to meet compliance requirements. In addition, public awareness of how personal data is collected and used remains low. Many Nigerians rarely consider privacy implications when downloading applications, completing online forms or engaging on digital platforms. This gap between the law and public understanding is one of the major obstacles to making data protection a lived reality.

How the law works in practice

The Nigeria Data Protection Act took effect on 12 June 2023, replacing the previous regulatory regime with a more comprehensive statutory framework aligned with global standards such as the European Union’s General Data Protection Regulation. It applies to any organisation that processes personal data in Nigeria, including foreign entities that target Nigerian residents or handle their personal information. This extraterritorial scope is particularly significant given the dominance of multinational digital platforms in Nigeria’s online space.

Under the Act, organisations classified as Data Controllers or Data Processors of Major Importance are required to register with the NDPC, appoint Data Protection Officers, conduct regular compliance audits and submit annual audit reports. They must ensure that data processing is lawful, transparent and limited to clearly defined purposes. Informed and freely given consent is a central requirement, and the responsibility for proving consent rests with the organisation, not the individual.

The enforcement framework empowers the NDPC to investigate suspected breaches, issue compliance directives and impose sanctions, including substantial fines designed to deter violations. The Commission has issued sector-wide compliance notices to organisations across banking, insurance, pensions, gaming and related industries, warning that failure to comply could result in penalties, enforcement orders or, in extreme cases, criminal proceedings.

The NDPC has demonstrated its willingness to exercise these powers. Major organisations have been fined hundreds of millions of naira for practices deemed intrusive, unfair or unlawful, including processing personal data without informed consent and carrying out unauthorised cross-border data transfers. While legal challenges and appeals will shape future interpretations of the law, these actions signal a more assertive regulatory posture.

Data protection compliance has also begun to contribute measurably to the economy. Registration fees and related processes have generated significant government revenue, while the sector itself has supported job creation, with tens of thousands of roles emerging in recent years. This growth indicates that data protection is becoming an established part of Nigeria’s formal economic structure.

To support implementation, the NDPC has issued guidance documents clarifying compliance expectations. In early 2025, it released a General Application and Implementation Directive outlining how the Act should be interpreted across sectors. The directive addresses data inventory requirements, classification of controllers and processors, and routine internal compliance reporting. According to the Commission, these guidelines are intended to help organisations adapt to a fast-changing digital environment shaped by emerging technologies.

Real-world harms and what is at stake

For many Nigerians, data protection becomes tangible only when things go wrong. Identity theft remains one of the most common harms, with stolen personal information used to open financial accounts or carry out fraud. Industry reports indicate that hundreds of millions of naira are lost annually through accounts created with stolen identities. Nigeria has also recorded one of the highest identity fraud rates in Africa, reflecting a broader regional surge driven by increasingly accessible digital tools.

Privacy breaches extend beyond financial crime. Exposure of sensitive information such as health records, location data or communication metadata can lead to stigma, discrimination and intrusive monitoring. Behavioural profiling by digital platforms may result in targeted advertising or exclusion from opportunities without individuals’ clear understanding. These effects tend to weigh most heavily on those with limited awareness of their digital rights or few resources to seek redress.

Risks are not confined to private platforms. Public institutions that collect and centralise personal data also face significant security and governance challenges. Investigations into alleged breaches at major public databases underscore the need for robust oversight, even in foundational national systems.

The scale of the problem is reflected in the volume of complaints received by the NDPC. In 2024 alone, the Commission investigated more than 200 reports involving privacy violations, unauthorised data sharing and non-compliance. This rise mirrors global trends but also highlights pressures unique to Nigeria’s rapidly digitising economy.

Despite these developments, general awareness of data rights remains low. Experts note that limited public understanding weakens accountability, as individuals are less likely to challenge misuse of their information or demand compliance. Without widespread knowledge of rights and obligations, the protective power of the law is diluted.

Building a trustworthy digital future

Enforcement of the Nigeria Data Protection Act is only one element of building lasting digital trust. Sustained progress will require public education, institutional cooperation and private-sector commitment. Citizens need accessible information about their rights, while organisations require practical guidance and skilled professionals to implement privacy-by-design systems. Investment in training and capacity-building can help close current skill gaps.

Experts emphasise that data protection is a shared responsibility. Organisations must allocate sufficient resources to compliance, adopt strong technical and organisational safeguards, and treat privacy as integral to their operations. At the same time, regulators are encouraged to expand awareness campaigns and proactive governance initiatives to ensure individuals understand and can exercise their rights.

Rebuilding trust in Nigeria’s digital space will depend not only on laws and penalties, but on collective commitment to making privacy a normal, expected part of everyday digital life.