Nigeria has flagged 1,368 organisations across diverse sectors of the economy for alleged breaches of the Nigeria Data Protection Act (NDPA), 2023, marking the most sweeping enforcement action yet under the country’s new data privacy regime.
The Nigeria Data Protection Commission (NDPC), the statutory agency enforcing the law, says the affected organisations failed to comply with key provisions of the NDPA, ranging from filing mandatory compliance audit returns, to appointing Data Protection Officers (DPOs), and registering as major data controllers or processors.
The sanction list, seen by Technology Times, cuts across banks, pension fund administrators, insurers, gaming operators, microfinance institutions, and insurance brokers, reflecting the breadth of the compliance gap in Nigeria’s data protection landscape.

“This is a clear signal that data protection is not an optional extra for Nigerian organisations. It is a legal duty, and failure to comply carries real consequences,” the NDPC says in its notice.
The law behind the crackdown
The Nigeria Data Protection Act, 2023 (NDPA), signed into law last year, is Nigeria’s first comprehensive data protection legislation.
Its objectives, according to the NDPC, include:
- Safeguarding the fundamental rights and freedoms of Nigerians as enshrined in the 1999 Constitution.
- Providing a legal foundation for Nigeria’s digital economy.
- Building trust to enable Nigeria’s participation in regional and global digital markets.
The NDPC is empowered under Sections 5(a), 6(b), 6(c), 46(3), and 47(1-2) of the NDPA to investigate organisations, enforce compliance, and impose sanctions, including administrative fines and prosecution.
Under Section 32, organisations must designate a Data Protection Officer (DPO). Section 39 mandates that they adopt organisational and technical measures to protect data. Section 40 requires the registration of major controllers and processors, while Section 6(d) compels annual filing of compliance audit returns.
Data protection: The scale of non-compliance
The Commission’s August 25, 2023 notice signed by Babatunde Bamgboye, NDPC’s Head, Legal, Enforcement and Regulations, lists 1,391 organisations for failing to meet one or more of these requirements.
Here is a breakdown of the flagged entities:
- Pensions Companies: 10
- Insurance Companies: 35
- Gaming Companies: 136
- Financial Institutions: 795
- Insurance Brokers: 392
The overwhelming majority — over 80% of the flagged organisations — are microfinance banks and insurance brokers, two segments of Nigeria’s financial services industry that handle massive volumes of sensitive customer information.
For industry analysts, the size and profile of the flagged list highlight both the urgency and difficulty of enforcing data protection compliance in an economy where digital adoption has outpaced regulatory maturity.
NDPC: Why the companies were flagged
The NDPC says the organisations were listed for failing to demonstrate compliance in four critical areas:
- Failure to File Audit Returns
Organisations must file annual NDPA compliance audit returns with the Commission. Many on the list had no evidence of having done so for 2024.
- No Designated Data Protection Officer (DPO)
The law mandates that companies formally appoint a DPO to oversee compliance and serve as the point of contact with regulators.
- Weak or Unproven Technical Safeguards
Firms are required to outline their technical and organisational measures for data security — from encryption and firewalls to access control policies.
- Failure to Register as Data Controllers/Processors of Major Importance
Large data-driven entities must register with the NDPC. Evidence of this registration was missing for many companies.
The affected organisations now have 21 days from the notice to rectify their breaches. If they fail to comply, the Commission says it will issue Enforcement Orders, levy administrative fines, and, if necessary, initiate legal prosecution.
Sector by sector breakdown
Pensions
Nigeria’s pension industry manages over ₦17 trillion in assets. Yet, 10 Pension Fund Administrators (PFAs) were flagged for failing to comply, including:
- Citizens Pensions Ltd
- Legacy Pension Managers Ltd
- NLPC Pension Fund Administrators Ltd
For pension contributors, this raises questions about whether PFAs are adequately protecting personal data such as retirement savings account details.
Insurance companies
Insurance firms rely heavily on personal data for underwriting, claims, and policy management. 36 firms were listed, among them:
- Alliance & General Insurance Plc
- Consolidated Hallmark Insurance Plc
- Crown Trust Insurance Brokers Ltd
The breach of compliance here is critical because insurers routinely process highly sensitive health and financial data.
Gaming operators
The gaming sector, which has grown rapidly in Nigeria, recorded 136 flagged companies. They include:
- Klay Gaming Technologies Ltd
- Winners Golden Chance Lotto
- Bazarabet
Gaming firms collect significant amounts of identity and financial data from customers. Their inclusion on the non-compliance list suggests the industry is lagging in embedding robust governance frameworks.
Financial institutions
Traditional banks, mortgage institutions, and fintech lenders also appeared. Examples include:
- Moniepoint Microfinance Bank Ltd
- SunTrust Mortgage Bank
Though smaller in number, the prominence of financial institutions on the list is notable because these firms are core custodians of Nigerians’ personal and financial data.
Microfinance Banks
At 795 flagged entities, microfinance banks represent the largest category by far. These banks provide credit and savings to millions of low-income Nigerians, often relying on basic IT infrastructure.
The sheer number on the list raises questions about sector readiness to meet NDPA obligations. Many microfinance banks lack the compliance budgets of larger banks, but the law does not exempt them.
Insurance brokers
With 398 firms flagged, insurance brokerage is another major gap. Brokers routinely collect personal, health, and financial data from clients, making compliance non-negotiable.
What non-compliance means for customers
The NDPA is meant to protect Nigerians from the misuse of their personal information. Non-compliance therefore carries real risks for customers:
- Data Breaches: Weak security could expose personal data to hackers.
- Identity Theft: Without safeguards, criminals could exploit exposed data.
- Financial Losses: Customers could lose money through fraud linked to compromised data.
- Loss of Trust: Institutions that fail to comply risk eroding public confidence.
The NDPC insists its enforcement drive is meant to prevent such harms by compelling organisations to take their responsibilities seriously.
NDPC’s warning
In its notice, the NDPC gave all 1,368 organisations a 21-day ultimatum to comply.
“Failure to comply within this timeframe may lead to an Enforcement Order, imposition of administrative fines, and/or legal prosecution,” the Commission warns.
Under the Act, fines can range from ₦10 million or 2% of gross annual revenue for serious breaches. For organisations handling massive customer datasets — like banks, PFAs, and telecoms — fines could run into billions of naira.
Broader Implications
For Nigeria’s digital economy, the crackdown carries several implications:
- Signal to Global Markets
By enforcing its law, Nigeria signals seriousness about data protection, which may encourage international investment and data processing partnerships.
- Challenge of Enforcement at Scale
Policing nearly 1,400 firms highlights both NDPC’s ambition and the scale of Nigeria’s compliance challenge.
- Costs for Organisations
Compliance requires investment in people (DPOs), processes, and technology. Smaller firms may struggle with the financial burden.
- Potential for Industry Shakeout
Firms unable or unwilling to comply could face fines or exit the market, reshaping sectors like microfinance and gaming.
The NDPC insists that the NDPA is not a paper tiger but a binding law with teeth.


























