For years, digital lending in Nigeria operated in a data grey zone. Platforms collected more borrower information than they needed, shared it with third parties under vague terms, and used it for purposes borrowers never agreed to. Debt recovery sometimes crossed into harassment, with lenders accessing contact lists and sending messages to borrowers’ family members. The regulatory response to all of this is the Nigeria Data Protection Act, 2023, commonly referred to as the NDPA.
The NDPA replaces the Nigeria Data Protection Regulation (NDPR) of 2019, which, while a meaningful first step, lacked the statutory force to support effective enforcement. The NDPA is a full Act of the National Assembly. That distinction matters because it gives the law direct legal authority that no agency directive or subsidiary regulation can match.
If you operate a lending platform, work in credit infrastructure, or process borrower data in any capacity within or connected to Nigeria, this law applies to you. And if your operation touches Nigerians from outside the country, it still applies.
What the law covers
The NDPA governs how personal data is collected, used, stored, shared, and eventually deleted. It defines personal data broadly enough to cover nearly everything a lender touches during a loan application, including names, phone numbers, email addresses, bank account details, BVN, NIN, credit history, repayment records, device identifiers, IP addresses, and location data.
The law establishes two main categories of regulated entities. Data Controllers are organisations that decide why and how personal data gets processed. Data Processors are organisations that process data on behalf of controllers. Many lending platforms function as both, depending on the workflow and the third parties involved.
The law also draws a sharper line around sensitive personal data. Under Section 30, categories like financial data, biometric identifiers, health records, and data related to criminal records require a higher standard of handling. For a lender, this covers bank statements, BVN-linked records, biometric verification data, and credit bureau reports. Explicit consent or a narrowly defined lawful basis is required before any of this gets processed.
The principles that govern processing
Section 24 of the Act lays out seven principles that apply to every instance of personal data processing. These are not aspirational guidelines. They are mandatory legal requirements.
The first is lawfulness, fairness, and transparency, meaning borrowers must know what data you collect and why. The second is purpose limitation, which means data collected for loan assessment cannot later be repurposed for unrelated marketing. The third is data minimisation, which requires you to collect only what is necessary for the specific purpose at hand. Accuracy requires that data be kept current and correctable. Storage limitation means you cannot hold data indefinitely. Integrity and confidentiality require that appropriate security measures protect the data. Finally, accountability requires organisations to demonstrate compliance, not just claim it.
That last principle deserves attention. The NDPA operates on a demonstrable accountability model. The Nigeria Data Protection Commission (NDPC), which the Act establishes as the independent regulator, can ask for evidence of compliance at any time. Policies that exist only on paper, or that describe practices the organisation does not actually follow, will not satisfy this standard.
Lawful bases for processing borrower data
Before processing any personal data, a lender must identify a lawful basis for doing so. The Act provides six options under Sections 25 and 26. In lending, three are most commonly relied upon.
Consent covers situations where the borrower has freely agreed to a specific use of their data. The Act sets a high bar here.
Consent must be freely given, specific, informed, and unambiguous. It must also be as easy to withdraw as it was to give. Bundling consent into long terms and conditions that borrowers scroll past does not meet this standard. Consent obtained under pressure or as a condition of service where the condition is not genuinely necessary also fails.
Contractual necessity covers processing that is required to fulfil or enter into an agreement with the borrower. Running a credit assessment to determine whether to offer a loan, for instance, falls here.
Legal obligation covers processing required by Nigerian law, such as KYC and AML requirements that regulated lenders must satisfy.
Legitimate interest is available as a basis but requires a documented balancing assessment showing that the organisation’s interest outweighs any potential impact on the borrower’s rights. This basis is frequently misunderstood or overused. The NDPC has indicated it will scrutinise reliance on legitimate interest closely, particularly where it is used to justify data sharing or profiling.
What borrowers can demand
The NDPA gives data subjects a set of enforceable rights that lenders must operationalise, not just acknowledge in privacy policies.
Borrowers can request access to the personal data a lender holds about them. They can request correction of inaccurate data. Under defined circumstances, they can request deletion. They can restrict how their data is used, object to certain types of processing, and request that their data be transferred to another service provider. For lenders relying on automated decision-making systems in credit scoring, there are additional obligations around transparency and the right to human review.
These rights come with timelines. Organisations must respond within statutory deadlines. Building the internal workflows to receive, assess, and action these requests is a compliance requirement, not an optional improvement.
Data breaches and what the law requires
Section 40 of the NDPA sets out breach notification obligations. Where a breach is likely to result in risk to the rights and freedoms of individuals, the controller must notify the NDPC without undue delay. Where the risk is assessed as high, the affected individuals must also be notified directly.
This requirement demands that organisations have breach detection capabilities in place before a breach occurs. Discovering a breach weeks after it happened, then spending further time deciding whether to report it, puts organisations in a difficult position with the regulator. The NDPC has been explicit that delayed or concealed breach reporting will attract enforcement attention.
Cross-border data transfers
For lenders using foreign cloud infrastructure, overseas analytics vendors, or international credit data providers, Sections 41 to 43 of the Act are directly relevant. Personal data can only leave Nigeria where adequate protection exists in the destination country, appropriate safeguards have been implemented, explicit consent has been obtained, or the transfer is necessary for contractual performance.
This provision has practical implications for any lender whose technology stack routes borrower data through servers or services located outside Nigeria. Standard contracts or data transfer agreements with such vendors are not optional extras. They are legal requirements under the Act.
Penalties for getting it wrong
The NDPC has enforcement tools that range from compliance orders and investigations to administrative fines, suspension of data processing activities, and public naming of violators. In severe cases, the Act provides for criminal liability.
Administrative fines are calculated on a risk basis, either as a percentage of annual gross revenue or as fixed amounts depending on the severity of the violation. Beyond the fines, suspension of processing activities is a particularly sharp consequence for a lending platform. The ability to onboard borrowers, run credit assessments, and disburse loans depends entirely on data processing. An order restricting that processing effectively pauses operations.
The reputational dimension matters too. The NDPC has the power to publicly name organisations found in violation. In a market where borrower trust is already fragile given the history of data misuse by some lenders, public enforcement action carries consequences that outlast any fine.
What compliance looks like in reality
The NDPA is the product of years of documented misuse, weak enforcement, and eroding public trust in how organisations handle personal data. It pulls together principles, obligations, rights, and enforcement mechanisms into one coherent legal framework, backed by a regulator with both the mandate and the tools to act.
What the law demands is that organisations treat data protection as an operational reality. Data flows need to be documented. Consent mechanisms need to reflect what the law requires. Vendor relationships need proper agreements. Security controls need to match the sensitivity of the data being processed. And when things go wrong, there need to be procedures in place to respond the way the law prescribes.
Nigeria joining the ranks of countries with comprehensive, enforceable data protection legislation changes the operating environment for any organisation that processes the personal data of Nigerians, whether from within the country or outside it.