
NDPA Compliance for Nigerian Businesses: What You Need in 2026

Pejji Team 4 April 2026 7 min read

The Nigeria Data Protection Act (NDPA) 2023 replaced the older NDPR regulations and gave the Nigeria Data Protection Commission (NDPC) real enforcement power. This is not theoretical - companies are already paying hundreds of millions in fines.

If your business collects customer data through a website, app, or even a WhatsApp form, you need to understand what the NDPA requires and how to comply.

₦7.2 Billion

Collected by the NDPC in data protection fines so far

What Is the NDPA?

The Nigeria Data Protection Act 2023 is Nigeria's comprehensive data protection law. It was signed into law in June 2023 and is enforced by the Nigeria Data Protection Commission (NDPC), headed by Dr. Vincent Olatunji.

The NDPA governs how businesses collect, store, process, and share personal data of individuals in Nigeria. It applies to any organization that handles the personal data of people in Nigeria, regardless of where the organization is based.

In plain language: if your business collects names, phone numbers, email addresses, or any other personal information from Nigerian customers, the NDPA applies to you.

Who Must Comply?

The short answer: almost every business with a digital presence.

The NDPA categorizes organizations as either Data Controllers (you decide what data to collect and why) or Data Processors (you process data on behalf of someone else). Most businesses are controllers.

Organizations that process the data of more than 200 individuals must register with the NDPC and comply with the full set of requirements. Given that most businesses with websites collect data from more than 200 people over the course of a year, this threshold effectively covers all but the smallest operations.

1,368

Companies investigated by the NDPC for data protection violations

What Your Business Needs to Comply

1. A Privacy Policy

Every website must have a clear, accessible privacy policy that explains:

  • What personal data you collect
  • Why you collect it (the legal basis)
  • How you store and protect it
  • Who you share it with (if anyone)
  • How long you keep it
  • How users can request deletion of their data

The policy must be written in plain language - not legal jargon that nobody reads. It should be linked from every page on your website, typically in the footer.

2. Cookie Consent

If your website uses cookies (and almost all do - Google Analytics alone sets cookies), you must get explicit consent before setting non-essential cookies. This means a proper cookie consent banner that:

  • Appears before any tracking cookies are set
  • Gives users a real choice (not just "Accept")
  • Explains what cookies you use and why
  • Allows users to change their preferences later

A small banner that says "We use cookies" with only an "OK" button does not count as proper consent under the NDPA.
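The gating described above, as an added example written for this article (not code from Pejji's sites): tracking tags are shipped as inert `<script type="text/plain" data-consent="analytics">` placeholders that the browser never executes, and only the categories the visitor has explicitly granted are turned into live scripts. The storage key, version number and category names are assumptions for the example.

```javascript
// Added example, not Pejji's code: gate non-essential scripts behind an explicit
// opt-in. Storage key, version number and category names are assumptions.
const CONSENT_KEY = 'ndpa_cookie_consent'; // assumed storage key
const CONSENT_VERSION = 1;                 // bump to re-prompt after a policy change

// Returns the stored decision, or null when the visitor has not decided yet
// (or decided under an older policy version). null means "nothing non-essential".
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const parsed = JSON.parse(raw);
    return parsed && parsed.version === CONSENT_VERSION ? parsed : null;
  } catch (e) {
    return null; // corrupted value: treat as no consent
  }
}

// Records an explicit choice. Essential cookies are always allowed; analytics and
// marketing default to false, so "Reject all" is simply writeConsent(storage).
function writeConsent(storage, { analytics = false, marketing = false } = {}) {
  const decision = { version: CONSENT_VERSION, essential: true,
                     analytics: analytics === true, marketing: marketing === true,
                     decidedAt: new Date().toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(decision));
  return decision;
}

// A script category may run only when it was explicitly granted.
function mayLoad(consent, category) {
  if (category === 'essential') return true;
  return consent !== null && consent[category] === true;
}

// Tracking tags sit in the page as inert <script type="text/plain" data-consent="...">
// placeholders. This turns the permitted ones into live scripts and leaves the rest
// untouched. Returns the categories that were activated.
function activateScripts(doc, consent) {
  const activated = [];
  for (const el of doc.querySelectorAll('script[data-consent]')) {
    const category = el.dataset.consent;
    if (el.dataset.activated || !mayLoad(consent, category)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.parentNode.insertBefore(live, el.nextSibling);
    el.dataset.activated = '1';
    activated.push(category);
  }
  return activated;
}
```

Changing preferences later is a second writeConsent followed by activateScripts; withdrawing consent after a tag has already loaded still needs a page reload and deletion of the cookies that tag set, because the gate only prevents loading.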

3. Data Protection Officer (DPO)

Organizations that process large volumes of personal data must appoint a Data Protection Officer. The DPO is responsible for:

  • Monitoring compliance with the NDPA
  • Training staff on data protection
  • Conducting regular audits
  • Acting as the contact point for the NDPC

For smaller businesses, the DPO role can be filled by an existing team member or outsourced to a compliance consultant.

4. Data Processing Registration

Businesses processing data of 200 or more individuals must file a data processing registration with the NDPC. This is done annually and includes details about what data you process, how, and why.

5. Security Measures

The NDPA requires "appropriate technical and organizational measures" to protect personal data. For websites, this means at minimum:

  • SSL/TLS encryption: Your site must use HTTPS, not HTTP
  • Security headers: Proper headers to prevent cross-site scripting (XSS), clickjacking, and other attacks
  • Access controls: Only authorized people can access customer data
  • Regular updates: Your CMS, plugins, and server software must be kept up to date
  • Backup procedures: Regular backups so data is not lost

6. Data Breach Notification

If your business experiences a data breach, you must notify the NDPC within 72 hours and inform affected individuals "without undue delay." Having an incident response plan before a breach happens is not just good practice - it is a legal requirement.

7. Annual Audit

Organizations processing significant volumes of data must conduct annual data protection audits. These audits assess whether your data processing practices comply with the NDPA and identify areas for improvement.

Key Takeaway

What you need: a privacy policy, cookie consent, a Data Protection Officer, NDPC registration, proper security measures, breach notification plan, and an annual audit.

The Real Cost of Non-Compliance

The NDPC has already collected over ₦7.2 billion in fines. Here are some of the highest-profile penalties:

  • MultiChoice Nigeria: ₦766 million for unauthorized data processing and failing to obtain proper consent
  • Fidelity Bank: ₦555 million for exposing customer data through inadequate security measures
  • Multiple telecom companies: Hundreds of millions in combined fines for data handling violations

The maximum fine under the NDPA is 2% of annual gross revenue or ₦10 million (whichever is higher) for each violation. For repeat offenders, penalties increase significantly.

NDPA compliance is not optional. The NDPC is investigating sector by sector - and fines are in the hundreds of millions.

These are not just fines for big corporations. The NDPC has investigated complaints against businesses of all sizes, and the trend is toward stricter enforcement, not less.

How Pejji Helps You Stay Compliant

Compliance should not be an afterthought or an expensive add-on. At Pejji, every website we build - from the ₦60,000 Card package up - includes NDPA compliance as standard:

  • Privacy policy page: Written in plain language, covering all NDPA requirements, customized for your business
  • Cookie consent banner: Proper consent mechanism that blocks tracking until the user agrees
  • SSL/TLS encryption: Every site runs on HTTPS with a valid certificate
  • Security headers: Full suite of security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and more)
  • Secure contact forms: Data transmitted through forms is encrypted in transit
  • Terms of service: Included with every site

We do not charge extra for compliance because we believe it should be built in from the start, not bolted on later.

What You Should Do Today

If your business has a website, here is a quick checklist:

  1. Check if you have a privacy policy. If not, you are already non-compliant.
  2. Check if your site uses HTTPS. If the URL starts with http:// (no "s"), fix this immediately.
  3. Check your cookie consent. Does your site set tracking cookies before the user agrees? That is a violation.
  4. Review who has access to your customer data. Limit it to people who actually need it.
  5. If you process data from 200+ people, register with the NDPC.

If your website does not meet these requirements, it is time for an upgrade. Visit pejji.com to get a website that is compliant from day one - no extra fees, no legal headaches.


Ready to get your business online?

Pejji builds fast, secure, NDPA-compliant websites for Nigerian businesses - starting from ₦60,000.