You have 21 Days to Prove Compliance: NDPC Launches Sector-Wide Data Protection Probe

The Nigeria Data Protection Commission (NDPC) has set the stage for one of the most sweeping enforcement actions since the passage of the Nigeria Data Protection Act (NDPA) in 2023. On August 25, 2025, the Commission issued a public notice targeting 1,368 organizations across key industries for suspected non-compliance. Affected entities now have just 21 days to submit evidence of compliance—or face severe consequences.

Who is under the spotlight?

The probe zeroes in on sectors that process large volumes of sensitive personal data, including:

  • Financial services: 795 institutions, spanning banks and fintechs like Moniepoint Microfinance Bank and Abeg Technologies.
  • Insurance: 35 insurance companies (e.g., Leadway Assurance, Coronation Insurance) and 392 brokers.
  • Gaming: 136 companies.
  • Pensions: 10 pension firms.

Together, these organizations form the backbone of Nigeria’s digital economy, handling millions of citizens’ personal and financial data daily.

What must organizations prove?

Within the 21-day deadline, organizations are required to submit the following:

  1. 2024 Compliance Audit Returns – proof that they filed their mandatory annual audit returns.
  2. Details of Appointed Data Protection Officer (DPO) – including contact information.
  3. Evidence of Data Protection Measures – technical and organizational safeguards in place.
  4. Registration Status – proof of registration with NDPC as a “Data Controller or Processor of Major Importance.”

Why this matters

This probe represents a major shift in regulatory posture:

  • Proactive enforcement: The NDPC is moving from silent compliance oversight to visible, sector-wide enforcement.
  • Alignment with GAID: The investigation coincides with the September 2025 effective date of the NDPA General Application and Implementation Directive (GAID).

Risks of non-compliance

The consequences of failing to respond within the 21-day period are significant:

  • Administrative fines – up to ₦10 million or 2% of annual gross revenue.
  • Enforcement orders – including corrective measures and restrictions.
  • Criminal prosecution – in cases of severe breaches.
  • Reputational damage – loss of trust among customers, investors, and the public.

Broader implications for Nigerian businesses

The NDPC’s action is not just a warning to the targeted organizations—it’s a wake-up call to the entire Nigerian business ecosystem:

  • Other sectors must take note: Aviation, healthcare, and e-commerce companies should expect increased regulatory scrutiny.
  • Investor confidence at stake: For fintechs and startups seeking foreign investment, demonstrable compliance is now a critical credibility factor.
  • New era of accountability: The probe signals a stronger culture of public accountability, with compliance becoming central to corporate reputation in Nigeria’s digital economy.

Final word

The NDPC’s sector-wide probe is more than just an enforcement action—it is a signal that Nigeria is moving toward a data governance culture where compliance is non-negotiable. Organizations must respond decisively, not only to avoid penalties but also to build trust in an increasingly data-driven economy.
