NDPA 2023 Compliance Checklist

Admin
Feb 20, 2026

The Nigeria Data Protection Act (NDPA) 2023, signed into law on 12 June 2023, established the Nigeria Data Protection Commission (NDPC) as the primary regulator and created a comprehensive legal framework for data protection in Nigeria. For financial institutions — which process vast volumes of personal and sensitive financial data daily — compliance is not optional. It is a legal obligation with significant penalties for failure.

This practical checklist will help compliance teams assess their readiness and identify gaps that need immediate attention.

Background: Why NDPA 2023 Matters for Banks

Prior to the NDPA, Nigeria's data protection landscape was governed by the NDPR 2019 (a regulation, not an act of the National Assembly), which many institutions treated as advisory rather than mandatory. The NDPA changes this fundamentally:

  • It is an Act of the National Assembly — carrying the full force of law
  • It establishes the NDPC as an independent commission with enforcement powers
  • It introduces significant penalties including fines of up to ₦10 million or 2% of annual gross revenue
  • It applies to all organisations processing personal data of individuals in Nigeria

NDPA 2023 Compliance Checklist

1. Governance & Accountability

  • Appoint a Data Protection Officer (DPO) — Section 29 requires organisations of a prescribed class to designate a qualified DPO. For financial institutions processing sensitive data at scale, this is effectively mandatory.
  • Register with the NDPC — Data controllers and processors of major importance must register with the Commission.
  • Conduct a Data Protection Impact Assessment (DPIA) — Required for high-risk processing activities, which include most financial data processing.
  • Maintain records of processing activities — Document what data you collect, why, how it is processed, who has access, and how long it is retained.

2. Lawful Basis for Processing

  • Identify the lawful basis for each category of data processing — consent, contract, legal obligation, vital interest, public interest, or legitimate interest.
  • Obtain valid consent where consent is the lawful basis — must be freely given, specific, informed, and unambiguous.
  • Document the lawful basis for each processing activity and ensure it is defensible under examination.

3. Data Subject Rights

The NDPA grants data subjects extensive rights that institutions must operationalise:

  • Right of access — Respond to subject access requests within the prescribed period
  • Right to rectification — Enable correction of inaccurate personal data
  • Right to erasure — Delete personal data when the processing basis no longer applies (subject to regulatory retention requirements)
  • Right to data portability — Provide data in a structured, commonly used format
  • Right to object — Allow individuals to object to processing based on legitimate interest or direct marketing
  • Right regarding automated decision-making — Provide human review of decisions made solely by automated processing that significantly affect data subjects

4. Data Security

  • Implement appropriate technical measures — encryption at rest and in transit, access controls, intrusion detection, regular vulnerability assessments
  • Implement organisational measures — security policies, staff training, access management procedures, incident response plans
  • Conduct regular security audits — test the effectiveness of your security measures at least annually
  • Manage third-party processor security — ensure data processing agreements are in place and processors maintain adequate security standards

5. Data Transfer

  • Identify all cross-border data transfers — map where personal data flows outside Nigeria
  • Ensure adequate protection — transfers are only permitted to countries with adequate data protection or where appropriate safeguards are in place
  • Review cloud and SaaS arrangements — determine where your vendors store and process data, and whether this constitutes a cross-border transfer
  • Consider data localisation — for sensitive financial data, consider using cloud regions within Nigeria (e.g., AWS Lagos af-south-1) to avoid transfer complexities

6. Breach Notification

  • Establish a breach detection mechanism — automated monitoring to identify potential data breaches promptly
  • Define a breach response procedure — clear escalation path, roles, and responsibilities
  • Notify the NDPC — report breaches that pose a risk to data subjects within the prescribed timeframe
  • Notify affected data subjects — when the breach is likely to result in high risk to their rights and freedoms

7. Privacy by Design

  • Embed privacy into new projects — conduct DPIAs for new products, services, and systems before launch
  • Apply data minimisation — only collect personal data that is necessary for the specified purpose
  • Implement purpose limitation — do not use data collected for one purpose for an unrelated purpose without fresh consent or a new lawful basis
  • Set retention schedules — define how long each category of personal data is retained and ensure automated deletion when retention periods expire
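The retention-schedule item above, together with the "subject to regulatory retention requirements" caveat under the right to erasure, is the one control in this checklist that is usually enforced by code rather than by policy. The following is an added example, not part of the original article or of any Atheris product: a retention sweep that applies a per-category schedule, refuses to delete anything under a legal or regulatory hold, routes records with no defined category to manual review instead of silently keeping or deleting them, and emits an audit line per record for the records-of-processing file. The category names, retention periods and sample records are constructed assumptions; the NDPA leaves the actual periods to each controller to define and justify.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention schedule: category -> days retained after the last activity.
# These periods are illustrative assumptions for this example; the NDPA
# expects each controller to define and justify its own periods.
RETENTION_DAYS = {
    "kyc_document": 5 * 365,
    "marketing_consent": 2 * 365,
    "support_chat": 180,
}

# Reference date for the sweep (the article's publication date, used as "today").
AS_OF = date(2026, 2, 20)


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    legal_hold: bool = False                      # litigation or regulator request
    regulatory_hold_until: Optional[date] = None  # statutory minimum retention, if any


def retention_expiry(rec: Record) -> date:
    """First date on which the category's retention period has fully elapsed."""
    if rec.category not in RETENTION_DAYS:
        raise KeyError(f"no retention period defined for category {rec.category!r}")
    return rec.last_activity + timedelta(days=RETENTION_DAYS[rec.category])


def deletion_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason). A hold always overrides an expired schedule."""
    try:
        expiry = retention_expiry(rec)
    except KeyError as exc:
        # Unknown category: neither delete nor keep automatically; escalate to the DPO.
        return ("review", str(exc))
    if today < expiry:
        return ("retain", f"retention runs until {expiry.isoformat()}")
    if rec.legal_hold:
        return ("hold", "legal hold set; deletion suspended")
    if rec.regulatory_hold_until is not None and today < rec.regulatory_hold_until:
        return ("hold", f"regulatory retention until {rec.regulatory_hold_until.isoformat()}")
    return ("delete", f"retention expired on {expiry.isoformat()}")


def run_retention_sweep(records: List[Record], today: date) -> dict:
    """Group record ids by action and build an audit trail for the processing register."""
    result = {"delete": [], "hold": [], "retain": [], "review": [], "audit": []}
    for rec in records:
        action, reason = deletion_decision(rec, today)
        result[action].append(rec.record_id)
        result["audit"].append(
            f"{today.isoformat()} {rec.record_id} {rec.category} {action}: {reason}"
        )
    return result


# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    Record("KYC-0001", "kyc_document", date(2020, 1, 15)),
    Record("KYC-0002", "kyc_document", date(2019, 3, 1),
           regulatory_hold_until=date(2027, 1, 1)),
    Record("MKT-0003", "marketing_consent", date(2025, 9, 10)),
    Record("CHAT-0004", "support_chat", date(2025, 6, 1), legal_hold=True),
    Record("LEG-0005", "legacy_export", date(2018, 5, 5)),  # no schedule defined
]

if __name__ == "__main__":
    for line in run_retention_sweep(SAMPLE_RECORDS, AS_OF)["audit"]:
        print(line)
```

In a real deployment the "delete" list would feed the deletion job and the "audit" lines would be written to an append-only store, since the sweep log is the evidence that the retention schedule is actually being applied rather than merely documented.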

Priority Actions for Financial Institutions

If you have not started your NDPA compliance journey, here are the three highest-priority actions:

  1. Appoint a DPO (or designate an existing compliance officer) and register with the NDPC
  2. Complete a data mapping exercise — you cannot protect what you do not know about
  3. Conduct a gap analysis against the checklist above and prioritise remediation by risk level

How Atheris Helps

Atheris' Compliance Management platform includes pre-loaded NDPA 2023 requirements with automated gap analysis, obligation tracking, and evidence management. Our platform helps Nigerian financial institutions demonstrate NDPA compliance through structured documentation, automated deadline alerts, and board-ready reporting.

This article is for informational purposes only and does not constitute legal advice. Financial institutions should consult with legal counsel and the NDPC's official guidance for compliance obligations specific to their operations.
