NDPC REGISTRATION AND COMPLIANCE- Everything you need to know


This article provides an overview of NDPC and its significance.

The Nigeria Data Protection Commission (NDPC) is the primary body responsible for safeguarding individuals’ data privacy and enforcing data protection laws in Nigeria. It was established by the Nigeria Data Protection Act of 2023. The NDPC regulates how both public and private organizations collect, process, and store personal data. In simple terms, it acts as the country’s data watchdog.

For example, when you sign up for a mobile app or open a bank account, you are often required to provide personal information such as your name, phone number, email address, and even your National Identification Number (NIN). If an organization shares your data without your consent, uses it for purposes other than intended, or fails to secure it properly, this could lead to a data breach. In such cases, the NDPC has the authority to intervene. It can investigate the issue, impose penalties on the organization, and ensure that your data is protected.

We will explore the concept of NDPC registration and compliance. Additionally, we will identify who is required to comply, outline the steps organizations must take to achieve compliance, and address common questions regarding data protection obligations under the law.

WHAT IS NDPC ALL ABOUT?

NDPC stands for the Nigeria Data Protection Commission, a public institution established to enforce data protection laws in Nigeria. It serves as the country’s regulatory authority for protecting personal data, ensuring compliance with the Nigeria Data Protection Act. The NDPC oversees data processing activities, promotes privacy rights, and mandates lawful bases for data handling. Its mandate includes enforcing data protection standards across sectors and raising public awareness. In addition, the NDPC handles data breach notifications. As a key player in digital governance, the NDPC supports Nigeria’s commitment to securing personal information in an increasingly digital economy.

WHO NEEDS TO COMPLY WITH NDPC

All organizations, both public and private, that act as data controllers or processors of major importance (DCPMIs) and are known for collecting large volumes of personal information or sensitive data, are required to comply with the provisions of the Nigeria Data Protection Commission (NDPC). This means that any organization collecting, storing, or processing personal data of individuals in Nigeria must register with the NDPC. Compliance is mandatory for organizations that process data of more than 200 individuals within six months. Moreover, it applies to organizations that operate in key sectors such as finance, health, education, aviation, electric power, financial services, hospitality, insurance, oil and gas, public service, tourism, e-commerce, export and import, and information and communication technology (ICT).

Furthermore, any foreign organisation processing information of Nigerian citizens is required to register with NDPC.

Beyond large organisations, small businesses, startups, NGOs, and even individuals running digital platforms (such as blogs or apps) are considered Data Controllers, since they collect personal data and decide how it is used.

EFFECT OF NON-COMPLIANCE WITH NDPR

The NDPR is one of several laws that govern all transactions related to the processing of Personal Data.

Failure to comply with the Nigeria Data Protection Regulation (NDPR) can lead to serious legal and business consequences, including:

  1. Monetary penalties of up to 2% of annual gross revenue or ₦10 million, whichever is higher
  2. Suspension or restriction of an organisation’s data processing activities
  3. Exposure to civil lawsuits from individuals whose data rights were violated
  4. Enforcement actions and sanctions by the National Information Technology Development Agency (NITDA)
  5. Damage to business reputation, leading to loss of customer trust and credibility

KEY REQUIREMENTS FOR NDPC COMPLIANCE

To complete registration with the Nigeria Data Protection Commission (NDPC), organisations are required to submit the following information:

  1. Business information: Company name, registered address, and Corporate Affairs Commission (CAC) registration number
  2. Data Protection Officer (DPO) details: Full name, contact address, and valid contact information of the appointed DPO
  3. Personnel documentation: A valid means of identification for a director, as well as qualifications of at least two key staff members
  4. Data processing profile: Description of the types of personal data collected, the number of data subjects involved, and the purposes for processing the data
  5. Technical and security measures: Overview of the safeguards and systems in place to protect personal data
  6. Website compliance: Evidence of an operational website registered under a .ng domain

PRACTICAL STEPS FOR NDPC COMPLIANCE

The compliance process under the Nigeria Data Protection Commission (NDPC) typically begins with internal preparation, followed by official registration, and then continuous audit and monitoring through a licensed compliance body.

Step 1: Internal Assessment and Documentation

Before any formal registration, organisations are expected to properly assess and organize their data protection structure by:

  1. Appointing a Data Protection Officer (DPO) responsible for overseeing compliance and data privacy matters
  2. Carrying out a compliance assessment to review existing data processing activities against the requirements of the Nigeria Data Protection Act
  3. Developing or updating key compliance documents such as a Data Protection Policy, Record of Processing Activities (RoPA), and a data breach response plan
  4. Providing regular staff training on data protection, including onboarding training within six months of employment and periodic refresher sessions

Step 2: Registration with the NDPC

Once internal systems are in place, the organisation proceeds to:

  1. Register with the NDPC as either a Data Controller or Data Processor through the official portal
  2. Prepare and submit required information, including DPO details and a summary of data processing activities

Step 3: Audit and Ongoing Compliance

After registration, continuous compliance is required through:

  1. Engaging a licensed Data Protection Compliance Organisation (DPCO) to support implementation and audit processes
  2. Conducting a mandatory compliance audit, which must be completed within 15 months of commencement of operations and repeated annually
  3. Submitting the audit report to the NDPC, typically by March 31st each year
  4. Updating internal policies and systems based on audit findings to ensure continuous compliance
  5. Maintaining a record of data processing activities and reporting to senior management periodically (e.g., every six months)

Consulting a licensed Data Protection Officer (DPO) or a Data Protection Compliance Organisation (DPCO) is crucial for any organization that handles personal data in Nigeria. Ensuring compliance with data protection regulations is not only a legal requirement but also a responsibility. If neglected, this can lead to penalties, investigations, and reputational damage under the framework of the Nigeria Data Protection Commission (NDPC).

A DPO examines how the organisation collects, processes, stores, and shares personal data. This assessment helps to determine whether the organisation’s current practices align with the Nigeria Data Protection Act and the NDPR principles.

CONCLUSION

NDPC compliance is essential for any organization that collects, processes, or stores personal data in Nigeria. It is not just a regulatory formality; it provides a framework for protecting individuals’ privacy, building trust, and ensuring responsible data management. Compliance involves proper registration, internal documentation, audits, and continuous monitoring. It is an ongoing process rather than a one-time activity.

Organisations that comply with the guidelines of the Nigeria Data Protection Commission (NDPC) are better positioned to avoid legal penalties, strengthen customer confidence, and operate with higher credibility in today’s data-driven environment.

For enquiries about Data Protection and Compliance for your organization, you may reach out to us through any of the live chat icons on this page or send an email here, and we’ll respond to you.

 
