NDPC Launches Probe Into 1,369 Organisations Over Data Protection Breaches

LAGOS – The Nigeria Data Protection Commission (NDPC) has opened investigations into 1,369 organ­isations accused of breaching the Nigeria Data Protection Act (NDPA) 2023, in what is now the largest enforcement drive since the law came into effect.

The companies under investi­gation cut across some of Nige­ria’s most sensitive industries. They include 795 financial insti­tutions, 392 insurance brokers, 35 insurance companies, 10 pension firms, and 136 gaming operators. Each has been given 21 days to prove compliance or risk sanc­tions.

According to a statement signed by Babatunde Bamigboye, head of Legal, Enforcement and Regulations at the NDPC, the affected organisations must present evidence of their 2024 compliance audit returns, the appointment of a Data Protection Officer with full contact details, as well as technical and organisa­tional safeguards they have put in place.

They are also expected to confirm registration as a “data controller or processor of major importance.”

“These organisations are re­quired to within 21 days of issu­ance provide evidence of filing NDP Act Compliance Audit Re­turns for 2024, evidence of desig­nation or appointment of a Data Protection Officer, including name and contact details.

“They are also to provide a summary of technical and or­ganisational measures for data protection within the organisa­tion and evidence of registration as a data controller or processor of major importance,” the Com­mission stated.

The Commission argues that such enforcement is necessary to secure citizens’ rights under the 1999 Constitution and to strength­en trust in Nigeria’s digital econ­omy. The NDPC says that failure to comply could trigger fines, en­forcement orders, or even crim­inal prosecution as stipulated under the NDPA.

This latest development comes weeks after Multichoice Nigeria was fined N766.2 million for data protection violations, the biggest penalty imposed so far.

The pay-TV operator was found guilty of intrusive data practices, unauthorised cross-border trans­fers, and processing subscriber and non-subscriber data without proper consent.

National Commissioner, Dr Vincent Olatunji, explained that the Commission operates a reme­diation-first approach to enforce­ment. He noted that businesses willing to correct violations are given an opportunity to do so be­fore penalties are applied.

“Usually, when we investi­gate and find a breach, if they are ready to comply with the law, what is the point of making noise? It’s only when an organisa­tion is unwilling to comply with the law that we are forced to im­pose sanctions,” he said.

Experts believe the Commis­sion’s growing assertiveness shows a turning point. For years, compliance was largely volun­tary, but this change shows that regulators are no longer content with awareness campaigns.

The NDPA, modelled after global standards such as the GDPR, is designed both to protect Nigerians’ personal data and also to give local firms credibility in regional and international mar­kets.