Nigeria: NDPC to Enforce Heavy Fines on Businesses Handling Nigerians’ Data in 2025

The Nigeria Data Protection Commission (NDPC) has outlined plans to implement stringent penalties on businesses handling Nigerians’ data, designated as data controllers and data processors, starting in 2025. This development was announced by the National Commissioner of the NDPC, Dr. Vincent Olatunji, as part of the commission’s strategic outlook for the upcoming year.

Enforcement of the Nigeria Data Protection Act (NDPA)

Dr. Olatunji disclosed that the NDPC is set to intensify the enforcement of the Nigeria Data Protection Act (NDPA). While the commission has not issued fines in the past, this will change as it ramps up regulatory actions.

“For data controllers and processors, there is going to be massive enforcement in 2025. We have never issued any fines, but going forward, you will hear us issuing heavy penalties,” he asserted.

Boosting Job Creation Through Data Protection

The Commissioner highlighted the NDPC’s efforts to foster job creation within the data protection ecosystem. He noted that the commission certified and trained data protection professionals in 2024, who will now contribute to the workforce.

“Numerous data controllers and processors are seeking skilled professionals. The individuals we trained last year are ready to enter the job market and collaborate with these organizations,” Dr. Olatunji stated.

The NDPC also intends to continue its nationwide awareness initiatives to inform Nigerians about their data privacy rights.

Registration and Annual Audit Compliance

To ensure effective enforcement, the NDPC has mandated the registration of all data controllers and processors, including banks, telecom operators, insurance firms, and educational institutions. Dr. Olatunji stressed that registration is essential for proper oversight and compliance.

“Over 500,000 data controllers and processors in Nigeria are required by law to register with the NDPC. We have provided a six-month period for organizations to familiarize themselves with the provisions of the law, with registration to be completed by December 31,” he explained.

Additionally, the NDPC has instructed registered entities to submit their annual audit reports between January 1 and March 31, 2024. These reports must outline the measures taken to safeguard data under their control.

This enforcement phase underscores the NDPC’s commitment to bolstering Nigeria’s data protection framework, enhancing accountability among organizations, and increasing public awareness of data privacy rights.