NDPC Launches Probe Into 1,369 Organisations Over Alleged Breach of Data Protection Act

The Nigeria Data Protection Commission (NDPC) has opened a sweeping sector-wide investigation into 1,369 organisations suspected of breaching provisions of the Nigeria Data Protection Act (NDPA) 2023.

In a statement on Monday, the Head of Legal, Enforcement and Regulations at the NDPC, Mr. Babatunde Bamigboye, said the probe targets companies in sensitive industries including banking, insurance, pensions, gaming, and insurance brokerage.

According to the Commission, the organisations — which include 795 financial institutions, 392 insurance brokers, 35 insurance companies, 10 pension firms, and 136 gaming companies — have been given 21 days to show evidence of compliance or face sanctions.

Compliance Checks Underway

Bamigboye explained that the exercise is part of the Commission’s mandate to protect the data rights and freedoms of Nigerians under the 1999 Constitution, while also enhancing confidence in the nation’s growing digital economy.

“These organisations are required to, within 21 days, provide evidence of filing NDPA compliance audit returns for 2024, proof of designation of a Data Protection Officer (including full contact details), a summary of technical and organisational data protection measures in place, and evidence of registration as a data controller or processor of major importance,” the statement read.

He stressed that responsible use of personal data was critical to Nigeria’s ability to build trust in regional and global markets.

Enforcement and Sanctions

The NDPC has already issued compliance notices to the organisations, demanding proof that they are adhering to the Act.
Failure to do so, the Commission warned, will result in sanctions, which may include fines and other regulatory penalties.

This move follows the Commission’s recent landmark enforcement action against Multichoice Nigeria, which was fined ?766.2 million for violating provisions of the NDPA — the largest single fine imposed since the Act came into effect in 2023.

Remediation Over Sanctions

However, NDPC National Commissioner, Dr. Vincent Olatunji, said the Commission is prioritising a remediation-first approach to enforcement.

“Usually, when we investigate and find a breach, if the organisation is ready to comply with the law, what is the point of making noise? It’s only when an organisation is unwilling to comply that we are forced to impose sanctions,” he explained in a recent interview.

Dr. Olatunji added that the NDPC was mindful of the wider economy and sought to strike a balance between enforcing compliance and sustaining investor confidence.

The Bigger Picture

The Commission’s latest move underscores its determination to institutionalise data protection in Nigeria and ensure organisations adopt global best practices in managing sensitive personal data.
Stakeholders say the probe could serve as a wake-up call for companies yet to align with the NDPA, especially as Nigeria deepens its participation in the regional and global digital economy.