When the Nigeria Data Protection Commission (NDPC) published names of universities and other organisations in the national dailies on 19 February 2026, it was not seeking publicity but compliance. The commission’s notice demanded evidence that each institution had filed its 2024 data‑protection audit, appointed a data‑protection officer (DPO) with contact details, documented the technical and organisational measures used to safeguard personal data, and registered as a data controller or processor of major importance. Organisations have just 21 days to respond; those that miss the deadline face enforcement orders, administrative fines or criminal prosecution. A similar notice issued in August 2025 covered 1,368 companies across financial, insurance, gaming and pension sectors. The NDPC is signalling that data compliance is not optional; boards that treat it as a technical back‑office issue risk severe financial shocks.
Understanding the obligations
The Nigeria Data Protection Act 2023 and its General Application and Implementation Directive (GAID) spell out the duties of data controllers and processors. Entities that process large volumes of personal data must register with the commission as data controllers or processors of major importance (DCPMI). They are also required to conduct periodic risk‑based audits of their data‑processing activities, identify and address points of risk, and file annual compliance audit returns using a standard template. Organisations established before 12 June 2023 must file by 31 March each year, and late filers pay an additional penalty equal to half of the filing fee.
Boards must also designate a DPO with sufficient expertise and independence; the DPO’s contact details must be communicated to the commission. Senior management is obliged to involve the DPO in all decisions relating to personal data, provide adequate resources, and ensure that the DPO reports directly to the management level. These measures are not bureaucratic box‑ticking; they are risk‑mitigation tools designed to prevent data breaches and build trust in digital services.
Enforcement is real — and costly
The NDPC’s notices are not idle threats. In July 2025 the commission fined MultiChoice Nigeria ₦766 million for unlawful data processing and illegal cross‑border data transfers. Regulators found the company’s handling of subscriber data “intrusive, unfair, unnecessary and disproportionate”. A month earlier the commission imposed a ₦555.8 million penalty on Fidelity Bank for breaches uncovered during an investigation started in April 2023; fines under the Act can range from ₦10 million up to two percent (2%) of an organisation’s annual gross income. The national commissioner emphasised that fines take account of the scale of the breach, the number of affected data subjects and the organisation’s level of co‑operation.
These figures should make finance directors sit up. A penalty equal to two percent of gross income could wipe out a year’s profit for a mid‑size firm; even “modest” fines in the hundreds of millions of naira have immediate cash‑flow implications. The GAID also mandates that companies failing to file their audit returns on time pay a 50 percent surcharge on the filing fee. Beyond fines, a compliance notice may lead to enforcement orders that halt certain data‑processing activities. Litigation, reputational damage and loss of customer trust can depress revenue and increase borrowing costs. Auditors will expect boards to recognise these contingencies in their statements of profit or loss and other comprehensive income (P/L), and to disclose material risks and provisions in the annual report and accounts.
How non‑compliance disrupts the business plan
Ignoring data‑protection obligations can affect more than a line item for “fines and penalties.” Cash flow suffers when the regulator imposes a penalty payable within days; this may force the organisation to divert funds earmarked for operations or capital projects. When the commission issues an enforcement order stopping certain data‑processing activities, the business may lose the ability to use customer data for marketing or analytics, undermining revenue streams and skewing forecast assumptions. Investors scrutinise these developments: a company under investigation for data breaches may see a higher risk premium applied to its debt, increasing financing costs. Multinationals may refuse to partner with an organisation lacking demonstrable data compliance, cutting off cross‑border revenue opportunities. Strategic business planning must therefore integrate data‑protection compliance into enterprise risk management, budgeting and cash‑flow forecasting.
There are operational repercussions too. The GAID requires organisations to develop or adopt privacy audit controls and identify every point of risk. That means reviewing information systems, processes and third‑party interfaces. Boards that have been content to rely on outdated, unencrypted systems will find that the cost of upgrading is lower than the cost of rectifying a breach. The Dentons ACAS‑Law 2025 corporate governance outlook notes that boards will be expected to have clear frameworks for data privacy and data protection in order to comply with the NDPA, and to demand regular reports on the detection of data breaches and cyber‑security measures. In other words, privacy governance is moving from the IT department to the boardroom agenda.
Stepping up: a strategic approach for directors
Data protection is now a core element of environmental, social and governance (ESG) performance. The NDPC’s sector‑wide investigations demonstrate that regulators will not hesitate to “name and shame” laggards. Boards should respond by treating personal data as a strategic asset rather than a regulatory burden. This starts with mapping the personal data processed across the business, identifying high‑risk activities and ensuring that lawful bases for processing exist. Appointing a competent DPO is essential, but directors must also empower that officer with direct access to the board and sufficient resources. Training programmes should cover not only the technical staff but also customer‑facing teams and executives; culture change begins at the top.
Budgeting for compliance is more cost‑effective than paying fines. Investing in secure cloud infrastructures, encryption, access controls and robust vendor management will reduce the likelihood of breaches and demonstrate due diligence. Boards should insist on annual compliance audits and demand evidence that technical and organisational measures are actually deployed — as the NDPC notice requires. The company secretary and chief finance officer should ensure that audit returns are filed by 31 March each year to avoid penalties. For groups with multiple subsidiaries, centralised oversight is crucial: a breach in one entity can taint the entire brand.
Directors should also view compliance as an enabler. Demonstrating conformity with the NDPA can enhance customer trust, attract investors who prioritise ESG metrics and open doors to cross‑border data flows within regional trade agreements. Conversely, non‑compliance can derail strategic partnerships; international partners will perform diligence on data governance before signing joint‑venture or outsourcing agreements.
A subtle invitation
As data‑protection consultants, we recognise that compliance can seem daunting. Yet our experience shows that proactive engagement pays dividends: companies that embed privacy by design not only avoid regulatory wrath but unlock new efficiencies and customer goodwill. The NDPC’s recent notices and the substantial fines already levied are a clarion call. Directors who still regard privacy as an afterthought must realise that the cost of complacency will show up in the cash‑flow statement long before the regulator issues a press release. A seasoned adviser can help you interpret the GAID, map your data flows, implement risk‑based controls and file the mandatory audit returns — without turning your compliance journey into a sales pitch.
The boardroom agenda in 2026 must therefore include privacy risk as a standing item. There is no “tech problem” here; it is a governance challenge with direct implications for revenue, profit and reputation. Failing to act is no longer an option. The NDPC has shown its teeth; it is time for directors to show leadership.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com
Michael Irene, who holds CIPM and CIPP(E) certifications, is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke