The Nigeria Data Protection Commission (NDPC) has given organisations in banking, insurance, pensions, and gaming 21 days to show proof of compliance with the Nigeria Data Protection Act (NDP Act), 2023, or face sanctions.
In a statement issued in Abuja, Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, said the notice follows the launch of an investigation into organisations suspected of failing to meet their obligations under the Act.
According to the Commission, Compliance Notices have been sent to several organisations, requiring them to submit the following within 21 days: evidence of filing their 2024 Compliance Audit Returns, proof of appointment of a Data Protection Officer (with contact details), a summary of data protection measures in place, and evidence of registration as a Data Controller or Processor of Major Importance.
Relevant provisions of the Act include Sections 6(d), 32, 39 and 44, which outline the responsibilities of data controllers and processors. The Commission is acting under its enforcement powers provided in Sections 5, 6, 46 and 47.
Sanctions for non-compliance may include enforcement orders, administrative fines, or criminal prosecution.
The list of organisations under investigation, published by the NDPC on Monday, August 25, 2025, is attached: