Nigeria’s Data Protection Act 2023: Progress or Paper Tiger?
When I moved to the UK, one of the things that struck me was the weight placed on data management. Businesses here live under constant pressure to comply with strict regulations. The UK’s Data Protection Act 2018 and GDPR have reshaped how organisations handle personal data. Fines are real, investigations are swift, and reputational damage is immediate.
Back in Nigeria, that same pressure is missing. During my MSc in Cybersecurity, a course on data security and compliance gave me a clearer view of the gap. We studied frameworks like ISO 27001, which provide structure for managing information securely. It was clear even then, in 2022, that Nigeria lacked the same culture of accountability.
The Nigeria Data Protection Act (NDPA) 2023 has now created a new framework. It replaced the weaker 2019 regulation and established the Nigeria Data Protection Commission (NDPC) as an independent regulator. For the first time, Nigeria has clear rules: mandatory breach reporting within 72 hours, registration of major data controllers and processors, mandatory Data Protection Officers, and financial penalties that can reach ₦10 million or 2% of annual gross revenue.
On paper, this is real progress. But one question lingers: who will be held accountable when breaches happen?
In the UK, the answer is clear. The Information Commissioner’s Office (ICO) has fined organisations like British Airways (£20m) and Marriott (£18.4m) for failing to protect customer records. Accountability sits firmly with the organisation, not its IT vendors. Boards and executives are expected to answer for weak controls.
In Nigeria, enforcement is still untested. Will banks, government agencies, and politically connected firms face the same accountability as private companies? Or will regulations be enforced selectively? This is the real test of the NDPC’s independence.
Why Compliance Matters for Business
Compliance is not just about avoiding fines. For Nigerian businesses, aligning with the NDPA and, by extension, with GDPR principles offers concrete benefits:
- Trust: Customers are more likely to share data with companies that demonstrate strong protection.
- Partnerships: UK and EU firms demand GDPR-level compliance from their partners. Nigerian companies that comply will find it easier to secure contracts.
- Resilience: Clear data governance reduces the impact of breaches, cutting both financial and reputational costs.
What Organisations Must Do
- Map personal data flows: know what you collect, where it goes, and who handles it.
- Appoint a Data Protection Officer: every major controller must designate or outsource this role.
- Prepare for incidents: build a 72-hour breach reporting process to the NDPC and to affected individuals.
- Control vendors: ensure every contract has clear data-processing clauses.
- Align with standards: adopt frameworks like ISO 27001 or NIST for structure and credibility.
The ISP Question
A key issue is how much power governments have over internet service providers and the data that flows across their networks. Nigeria’s Cybercrimes Act requires ISPs to retain subscriber and traffic data for two years and provide it to law enforcement when requested. In the UK, the Investigatory Powers Act goes further, requiring internet connection records to be retained for 12 months, but under strict judicial and parliamentary oversight.
The difference is transparency. In the UK, oversight is independent and enforcement is consistent. In Nigeria, rules exist, but trust in their fair and lawful application remains weak. Nigerians need assurance that their retained data is protected from misuse, not only from hackers but from abuse of power.
A Final Word
The NDPA 2023 is a step forward, but enforcement will decide its impact. Nigerian organisations cannot afford to wait. Compliance should not be treated as a formality or “box-ticking.” It must become part of business leadership.