The Nigeria Data Protection Act 2023 is the law governing how personal data is collected, stored, processed, and shared in Nigeria. If your business touches data belonging to Nigerian residents — customers, employees, website visitors — this is the law you answer to.
Most guides on the NDPA read like they were written for lawyers. This one's written for people who build things. You need to know what the law requires so you can build systems that comply from the start, not retrofit compliance after the regulators come knocking.
What the NDPA covers
The Act applies to the processing of personal data by any person or organisation, where:
- The data subject is in Nigeria
- The data controller or processor is in Nigeria
- The processing relates to offering goods or services to people in Nigeria
- The processing relates to monitoring the behaviour of people in Nigeria
That last point matters for AI. If you're running analytics, behavioural profiling, or recommendation systems that track how Nigerian users behave, you're in scope even if your servers are in Ireland.
Key principles
The NDPA is built on principles that mirror GDPR but with Nigerian enforcement context:
Lawfulness, fairness, and transparency. You need a legal basis for every piece of personal data you process. You need to tell people what you're doing with their data. No hidden processing.
Purpose limitation. Collect data for a specific reason. Don't use it for something else without telling people and getting appropriate consent or another lawful basis.
Data minimisation. Only collect what you actually need. If your chatbot doesn't need a customer's date of birth to answer support questions, don't ask for it.
Accuracy. Keep data accurate and up to date. If a customer corrects their information, update it promptly.
Storage limitation. Don't keep data longer than you need it. Set retention periods and actually enforce them.
Integrity and confidentiality. Protect the data. Encryption, access controls, secure infrastructure. If you lose it or it gets stolen, there are consequences.
Accountability. You need to demonstrate compliance, not just claim it. Documentation, audit trails, impact assessments — all the evidence that you're doing what you say you're doing.
Lawful bases for processing
You need at least one lawful basis for every processing activity. The NDPA recognises:
Consent. The data subject agrees to the processing. Must be specific, informed, and freely given. Can be withdrawn at any time. This is the basis most people default to, but it's often not the best choice — especially for AI systems where withdrawing consent mid-processing is impractical.
Contract. Processing is necessary to perform a contract with the data subject. If someone signs up for your fintech app, you need to process their data to provide the service. This is usually the strongest basis for customer-facing AI systems.
Legal obligation. You're required by law to process the data. AML/CFT requirements from CBN, for example, mandate transaction monitoring. That's a legal obligation.
Vital interests. Processing is necessary to protect someone's life. Rare outside healthcare.
Public interest. Processing is necessary for a task carried out in the public interest. Mostly relevant to government.
Legitimate interest. You have a legitimate business reason to process the data, and it doesn't override the individual's rights. Fraud detection often falls here — you have a legitimate interest in preventing fraud. But you need to document the balancing test.
For AI systems, the most common bases are contract (providing the service the customer signed up for) and legitimate interest (fraud detection, security, business analytics).
What you need to document
The NDPA isn't just about what you do — it's about proving what you do. Required documentation:
Privacy notices
Every data subject needs to know:
- Who you are (data controller identity)
- What data you collect
- Why you collect it (purpose and lawful basis)
- Who you share it with
- How long you keep it
- Their rights (access, correction, deletion, etc.)
- How to exercise those rights
If your AI chatbot collects conversation data, the customer needs to know before the conversation starts. If your fraud detection system profiles transactions, the customer needs to know it's happening.
Records of processing
A register of all your processing activities. For each one:
- Categories of data subjects and personal data
- Purposes of processing
- Categories of recipients
- International transfers (if any)
- Retention periods
- Technical and organisational security measures
Data Protection Impact Assessments
Required for processing that's "likely to result in a high risk" to individuals. In practice, most AI systems qualify:
- AI-powered decision-making about people (credit scoring, fraud flagging, insurance pricing)
- Large-scale processing of personal data
- Processing using new technologies (AI counts)
- Systematic monitoring of public areas
If you're building an AI system that processes personal data, write the DPIA before you deploy. Not after.
Data Processing Agreements
If you share personal data with any third party — AI providers, cloud hosts, analytics services — you need a written DPA covering:
- What data is processed
- How and why it's processed
- Security obligations
- Sub-processor arrangements
- What happens to data when the agreement ends
Using ChatGPT API, Claude API, or any external AI? That's a data processing arrangement. You need a DPA.
NDPC — the regulator
The Nigeria Data Protection Commission is the enforcement body. It was established under the NDPA and replaces the previous arrangement in which NITDA handled data protection alongside its other IT regulatory functions.
NDPC's powers:
- Investigate complaints and conduct audits
- Issue compliance orders
- Impose administrative fines
- Require remediation
- Publish enforcement decisions
Fines: Up to 2% of annual gross revenue or ₦10,000,000, whichever is greater. For serious violations, these numbers are not theoretical — NDPC is building enforcement capacity and has political backing.
Compliance Audit Return
All Data Controllers and Processors of Major Importance must file a Compliance Audit Return annually through a licensed DPCO (Data Protection Compliance Organisation). The 2026 deadline is March 31.
Data Protection Officer
If you're classified as a DCMI/DPMI, you need a Data Protection Officer. This can be an internal hire or an outsourced service.
How the NDPA affects AI systems
This is where it gets specific. If you're building or using AI in Nigeria:
Automated decision-making
If your AI makes or significantly assists decisions about individuals, you need:
- Transparency — tell people the decision involves AI
- Explanation — be able to explain the logic involved in meaningful terms
- Human review — provide a mechanism for human oversight of significant automated decisions
- Right to object — individuals can challenge automated decisions
This applies to credit scoring, fraud detection flags, loan approvals, insurance pricing, and any other AI system that affects people's lives.
AI training data
If you used personal data to train your AI model, that's processing. You need:
- A lawful basis for using that data for training
- Documentation of what training data was used
- Evidence of data minimisation (did you really need all that personal data to train the model?)
Cross-border transfers
Nigerian personal data sent to AI providers outside Nigeria requires safeguards:
- Adequacy decisions (few countries qualify)
- Standard contractual clauses
- Binding corporate rules
- Explicit consent for the transfer
Most AI API calls send data internationally. Document every transfer route.
WhatsApp and messaging platforms
Nigeria's dominant communication platform is WhatsApp. If you're building a WhatsApp AI chatbot, the NDPA applies to every conversation. Conversation data is personal data. You need consent or another lawful basis, a privacy notice, and appropriate retention policies.
CBN intersection
If you're in financial services, you've got the NDPA AND CBN requirements. They overlap but don't always align:
CBN requires data retention for AML purposes — typically 5 years. The NDPA says don't keep data longer than necessary. These can conflict. Document your retention justification clearly.
CBN requires automated monitoring — the June 2026 AML deadline mandates automated transaction monitoring. The NDPA requires you to do this in a privacy-respecting way. DPIA required.
CBN customer due diligence — KYC requirements mean collecting significant personal data. The NDPA says minimise collection. Balance: collect what CBN requires, don't collect more, document why.
EU AI Act intersection
If your AI system's output reaches EU users — diaspora customers, European business partners, clients in the EU — the EU AI Act may apply. It has extraterritorial reach.
Key overlaps:
- AI Act requires risk classification; NDPA requires DPIA. Do both.
- AI Act requires technical documentation; NDPA requires records of processing. Similar but not identical.
- AI Act conformity assessments are required for high-risk systems used in the EU.
Nigerian fintechs serving diaspora customers should plan for EU AI Act compliance alongside NDPA.
Building compliant AI from the start
The cheapest and most effective approach: build compliance into the system architecture from day one.
Before you write code:
- Identify what personal data the system will process
- Determine your lawful basis for each processing activity
- Draft the privacy notice
- Scope the DPIA
- Review AI provider terms and prepare DPA requirements
During development:
- Implement data minimisation (only collect and process what's needed)
- Build audit logging from day one
- Implement consent mechanisms if consent is your lawful basis
- Configure data retention and deletion
- Set up access controls
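The development steps above (data minimisation, audit logging, consent handling, retention and deletion) and the minimisation and storage-limitation principles earlier in this guide are easier to see in code than in prose. The following is an added example written for this article, not code from any regulator or product: a small in-memory personal-data store for a support chatbot. The purposes, permitted fields, lawful bases and retention periods in POLICY are constructed for illustration; in a real system they come from your DPIA and records of processing.

```python
"""Constructed example: a personal-data store that refuses fields a purpose
does not need, deletes consent-based records on withdrawal, purges records
past their retention period, and keeps an append-only audit trail."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed policy (hypothetical values): which fields each purpose may
# hold, its lawful basis, and how long records are kept.
POLICY = {
    "support_chat": {
        "allowed_fields": {"customer_id", "message"},
        "lawful_basis": "contract",
        "retention": timedelta(days=90),
    },
    "marketing_followup": {
        "allowed_fields": {"customer_id", "email"},
        "lawful_basis": "consent",
        "retention": timedelta(days=365),
    },
}


@dataclass
class Record:
    record_id: int
    subject_id: str
    purpose: str
    data: Dict[str, str]
    collected_at: datetime

    def expires_at(self) -> datetime:
        return self.collected_at + POLICY[self.purpose]["retention"]


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[int, Record] = {}
        self._next_id = 1
        # Append-only audit trail: the evidence the accountability principle asks for.
        self.audit_log: List[Dict[str, str]] = []

    def _audit(self, event: str, **details: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append({"at": stamp, "event": event, **details})

    def store(self, subject_id: str, purpose: str, data: Dict[str, str], now: datetime) -> int:
        """Data minimisation: reject any field the stated purpose does not need."""
        policy = POLICY[purpose]
        extra = set(data) - policy["allowed_fields"]
        if extra:
            self._audit("rejected_excess_fields", subject=subject_id, purpose=purpose,
                        fields=",".join(sorted(extra)))
            raise ValueError(f"fields not permitted for purpose {purpose!r}: {sorted(extra)}")
        rid = self._next_id
        self._next_id += 1
        self._records[rid] = Record(rid, subject_id, purpose, dict(data), now)
        self._audit("stored", subject=subject_id, purpose=purpose,
                    basis=policy["lawful_basis"], record=str(rid))
        return rid

    def withdraw_consent(self, subject_id: str, purpose: str) -> int:
        """Consent can be withdrawn at any time; records resting on it are deleted."""
        if POLICY[purpose]["lawful_basis"] != "consent":
            raise ValueError(f"purpose {purpose!r} does not rely on consent")
        doomed = [r.record_id for r in self._records.values()
                  if r.subject_id == subject_id and r.purpose == purpose]
        for rid in doomed:
            del self._records[rid]
        self._audit("consent_withdrawn", subject=subject_id, purpose=purpose, deleted=str(len(doomed)))
        return len(doomed)

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: delete every record whose retention period has passed."""
        expired = [r.record_id for r in self._records.values() if r.expires_at() <= now]
        for rid in expired:
            rec = self._records.pop(rid)
            self._audit("purged_expired", subject=rec.subject_id, purpose=rec.purpose, record=str(rid))
        return len(expired)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk one customer's data through collection, withdrawal and purge."""
    store = PersonalDataStore()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store.store("cust-1", "support_chat", {"customer_id": "cust-1", "message": "Card declined"}, t0)
    store.store("cust-1", "marketing_followup", {"customer_id": "cust-1", "email": "c1@example.test"}, t0)
    try:
        # A date of birth is not needed to answer a support question, so it is refused.
        store.store("cust-2", "support_chat",
                    {"customer_id": "cust-2", "message": "hi", "date_of_birth": "1990-01-01"}, t0)
        rejected = False
    except ValueError:
        rejected = True
    withdrawn = store.withdraw_consent("cust-1", "marketing_followup")
    purged = store.purge_expired(t0 + timedelta(days=91))  # support_chat record is now past 90 days
    return {"rejected": rejected, "withdrawn": withdrawn, "purged": purged,
            "remaining": store.count(), "audit_events": len(store.audit_log)}
```

Run demo() to see the lifecycle: the over-collected field is refused and logged, the consent-based record disappears on withdrawal, and the contract-based chat record is deleted once its 90-day period lapses. Every one of those events lands in audit_log, which is the kind of trail the accountability principle and a DPIA review will ask you to produce.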
At deployment:
- Complete and file the DPIA
- Publish privacy notices
- Execute DPAs with all AI providers
- Register your DPO with NDPC
- Brief your team on data handling procedures
Ongoing:
- Annual CAR filing through your DPCO
- Regular privacy audits
- DPIA reviews when the system changes
- Data subject request handling
- Incident response readiness
What to do right now
If you're a Nigerian business using or building AI:
- Map your data — what personal data do you hold, where did it come from, where does it go?
- Check your lawful bases — do you have a valid legal basis for each processing activity?
- Write your DPIAs — especially for AI systems
- Get your DPAs in order — every AI provider, every cloud host
- Appoint a DPO — internal or outsourced
- Engage a DPCO — for your annual CAR filing
- Build compliant from the start — it's cheaper than retrofitting
Need help building NDPA-compliant AI systems? We build AI systems for Nigerian businesses with compliance documentation included. CIPP/E certified, called to the Nigerian Bar, 10+ years in financial services. Get a fixed-price quote.