The Nigeria Data Protection Act 2023 (NDPA) isn't just another regulation gathering dust. It established the Nigeria Data Protection Commission (NDPC) with real teeth — the power to investigate, fine, and suspend data processing operations.
For the first time, Nigerian businesses face enforceable privacy obligations backed by significant financial penalties. And the NDPC is already using them.
This playbook cuts through the noise: what the law actually requires, who's already been caught, and how to get compliant efficiently — whether you're a fintech processing millions of BVN records or a healthcare provider managing patient data.
The General Application and Implementation Directive (GAID 2025), effective 19 September 2025, adds implementation detail to every NDPA requirement. All entities processing personal data must demonstrate compliance by 31 October 2025 — that deadline has passed.
The clock is ticking.
The NDPC hasn't waited to flex its enforcement powers. Major Nigerian businesses have already been hit with penalties that should make every board member pay attention.
| Organisation | Penalty | Violation |
|---|---|---|
| Multichoice Nigeria | ₦766.2M | Inadequate consent & security |
| Fidelity Bank | ₦555.8M | Breach response failures |
These aren't token fines — up to 2% of annual gross revenue.
| Figure | Detail |
|---|---|
| 2% | max fine per violation |
| 72hrs | breach notification |
| Active | enforcement since Oct 2025 |

| Figure | Detail |
|---|---|
| ₦13.8B | revenue 2025 |
| 256+ | licensed DPCOs |
| ₦10-20M | per audit |
| 15% | YoY growth |
Nigeria's data protection ecosystem generated ₦12 billion in 2024 and is on track for ₦13.8 billion in 2025 — driven by expanding compliance requirements and 256+ licensed DPCOs. For consultancies, every Nigerian business that processes personal data needs professional compliance assessment. The question is whether you have the tools to serve at scale.
"When you bring together what the organisations and their employees earn, including the support services around compliance, that's how we estimate the ecosystem's revenue."
— Dr. Vincent Olatunji, NDPC
Despite the regulatory mandate, most Nigerian businesses are nowhere near compliant:
| Common Gap | Risk | NDPA |
|---|---|---|
| No ROPA | Critical | S.28 |
| Missing DPAs | Critical | S.19 |
| No 72-hr breach notification | Critical | S.24 |
| Cross-border without safeguards | High | S.21-23 |
| No DPIA completed | High | S.32 |
Traditional audits take weeks and cost ₦10-20M. Businesses either pay for an audit they can't repeat, or avoid assessment entirely.
Three assessment paths — from deep policy analysis to rapid self-assessment. Each produces a branded compliance report with actionable remediation steps.
1. Upload Policy → 2. AI Analyses vs NDPA → 3. Gap Register → 4. Remediation Roadmap → 5. Branded PDF Report
Upload your policy — AKO analyses against all 13 NDPA requirements plus sector overlays.
Instant structured scan producing a sector-specific gap register.
Guided questionnaire covering all NDPA requirements with partial compliance detection.
The NDPA 2023 establishes 13 core requirements for every Nigerian organisation processing personal data. But real compliance doesn't stop at the horizontal baseline. Different sectors face additional obligations. A fintech processing BVN records must satisfy CBN, NDIC, and SEC requirements. A hospital must comply with the National Health Act. AKO GRC handles this with a modular architecture: the NDPA core forms the foundation, and sector modules attach on top. Adding a new sector is configuration, not code.
The engine and templates don't change — AKO GRC can expand into telecom, education, or public sector without rebuilding.
🏦 Fintech Module
NDPA core + CBN, NDIC, SEC, FRC
🏥 Healthcare Module
NDPA core + National Health Act — 14 total requirements
Telecom, education, oil & gas, public sector on request.
AKO GRC is designed as a white-label platform. Every customer-facing element — name, logo, colours, report branding — is controlled by a single configuration layer.
Your brand, everywhere
The business model
This isn't about replacing consultants — it's about giving them a tool to serve ten times more clients with the same team.
The NDPA compliance deadline is approaching. Every day without a clear picture of your compliance posture is a day of unnecessary regulatory risk.
AKO GRC gives you that picture — in minutes, not weeks.