Joy Agwunobi
The Nigeria Data Protection Commission (NDPC) has launched a sector-wide investigation into banks, insurance companies, pension fund administrators, insurance brokers, and gaming operators suspected of violating the Nigeria Data Protection Act (NDPA) 2023.
In a statement, the Commission announced a 21-day compliance notice to the affected organisations, directing them to provide evidence of compliance or risk stiff sanctions.
“The Nigeria Data Protection Commission, in furtherance of its mandate under the Nigeria Data Protection Act, 2023, has commenced a sector-by-sector investigation of organisations suspected of non-compliance with the provisions of the Act,” the statement read.
In the circular signed by Babatunde Bamigboye, NDPC’s Head of Legal, Enforcement and Regulations, invoked sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the Act. According to the Commission, each organisation is required, within the 21-day window, to submit evidence of filing its NDP Act Compliance Audit Returns for 2024, proof of the designation or appointment of a Data Protection Officer, a summary of the technical and organisational measures it has in place for data protection, as well as evidence of registration as a Data Controller or Processor of Major Importance.
The NDPC warned that failure to comply with the notice would trigger enforcement actions, including administrative fines, enforcement orders, and possible criminal prosecution.
“Failure to comply with this Compliance Notice may result in enforcement actions, including the issuance of an Enforcement Order, administrative fines, and/or criminal prosecution in accordance with the NDP Act, 2023,” the Commission warned.
The agency underscored that its move was part of efforts to safeguard Nigerians’ digital rights, entrench accountability in data handling, and boost investor confidence in the nation’s digital economy.
“The NDPC remains committed to ensuring a culture of accountability and trust in Nigeria’s data protection and privacy ecosystem, while safeguarding the rights of data subjects and strengthening the nation’s digital economy,” it stated.
The Commission has in recent months ramped up enforcement, imposing some of the heaviest fines yet in Nigeria’s data privacy landscape. Multichoice Nigeria was fined ₦766.2 million for what regulators described as “patently intrusive, unfair, unnecessary and disproportionate data practices,” including unauthorised cross-border transfers of subscriber information. Fidelity Bank was similarly penalised ₦555.8 million.
