The news:
- Over 1,300 Nigerian firms are under investigation by the NDPC for failing to comply with data protection laws
- Affected businesses include banks, pension firms, insurers, and gaming operators
- Companies have 21 days to prove compliance or face sanctions under the Nigeria Data Protection Act
The Nigeria Data Protection Commission (NDPC) has launched a large-scale probe into 1,369 companies over suspected breaches of data privacy regulations.
This marks the Commission’s most aggressive enforcement move since the Nigeria Data Protection Act (NDPA) was signed into law in 2023.
Targeting companies across key sectors—including banking, insurance, pensions, and gaming—the NDPC is demanding urgent proof of compliance with national data protection standards.
Companies now have just 21 days to submit their 2024 audit reports, evidence of technical safeguards, the appointment of a Data Protection Officer (DPO), and registration as a Data Controller or Processor of Major Importance (DCPMI).
This investigation follows recent high-profile enforcement actions. In July 2025, Multichoice Nigeria was fined ₦766.2 million for failing to obtain user consent and illegally transferring personal data outside the country. That case highlighted the NDPC’s readiness to apply the full weight of the NDPA—something this latest probe now expands sector-wide.
The focus on financial and data-heavy industries is intentional. These sectors handle large volumes of sensitive customer information, making them prime targets for scrutiny. For example, banks and pension administrators process identity, financial, and contact data, while gaming companies collect user profiles, payment details, and sometimes location data.
For businesses, this probe is more than a legal risk; it’s a call to reform internal data governance practices. Those who fail to act risk financial penalties, reputational damage, and even being locked out of international partnerships that require data compliance.
Firms should also prepare for the General Application and Implementation Directive (GAID), which takes effect on September 19, 2025. It will serve as the key framework for implementing the NDPA.
The NDPC estimates that compliance services provided by licensed Data Protection Compliance Organisations (DPCOs) could generate ₦13.8 billion in industry revenue by 2025.
