Nigeria: Data Protection Commission's annual report on implementation of Data Protection Act and enforcement expansion

On 1 January 2026, the Nigeria Data Protection Commission (NDPC) adopted a report focusing on the implementation of the Nigeria Data Protection Act 2023, including strengthening enforcement mechanisms, expanding sector-wide compliance monitoring, and issuing the General Application and Implementation Directive (GAID) 2025. The Directive mandates semi-annual reporting and credential assessments for Data Protection Officers, strengthens lawful basis and consent requirements, imposes privacy notice and cookie obligations, expands mandatory Data Protection Impact Assessments, and establishes structured pathways for cross-border data transfers. It was highlighted that the Commission increased the number of investigations to 230, recorded compliance revenue of NGN 7.2 billion, and expanded the number of verified data protection officers to 10,662 and licensed data protection compliance organisations to 310. It was also stated that enforcement priorities focused on unlawful cross-border transfers, inadequate privacy notices, behavioural profiling, automated decision-making without human intervention, and failure to conduct mandatory data privacy impact assessments.