Abuja — Nigeria’s data protection regulator has launched its largest enforcement action since the passage of the Nigeria Data Protection Act (NDP Act) in 2023, placing more than 1,300 organisations under investigation and giving them 21 days to demonstrate compliance with the law—or face enforcement orders, administrative fines, and possible prosecution.
The Nigeria Data Protection Commission (NDPC) said the investigation, announced on Monday through a public compliance notice, marks the beginning of a sector-by-sector crackdown on firms suspected of violating statutory data protection obligations.
The published list spans a wide swath of the economy: insurance companies, pension fund administrators, microfinance banks, mortgage lenders, gaming operators, and hundreds of insurance brokers. For the first time, the regulator has gone beyond quiet inquiries and moved to name and publicly shame companies it considers laggards.
This exercise is to ensure that organisations are not only aware of their obligations under the NDP Act but are taking steps to comply,” said Babatunde Bamigboye, NDPC’s Head of Legal, Enforcement and Regulations, in the statement accompanying the notice.
What the NDPC is Demanding
Each organisation listed has been directed to submit the following within 21 days:
- Evidence of filing 2024 Compliance Audit Returns.
- Proof of designation or appointment of a Data Protection Officer (DPO), with name and contact details.
- A summary of technical and organisational measures in place to safeguard personal data.
- Evidence of registration as a Data Controller or Processor of Major Importance
Failure to comply, the Commission warned, may trigger enforcement orders, significant fines, and potential criminal liability.
Scope of the Crackdown
The NDPC’s list includes:
- 795 financial institutions, mostly microfinance banks.
- 392 insurance brokers.
- 35 insurance companies.
- 10 pension companies.
- 136 gaming companies.
The names were published in BusinessDay and other national dailies on August 25, 2025.
Screenshots of the official notices show familiar institutions alongside smaller firms, underscoring the Commission’s intent to send a signal across all tiers of the financial and corporate ecosystem.
Why Now?
The enforcement drive comes just weeks before the General Application and Implementation Directive (GAID)—the detailed rulebook that operationalises the NDPA—enters into effect on September 19, 2025.
The GAID resets compliance audit deadlines to March 31 each year, clarifies filing thresholds, and cements the obligations of Data Controllers and Processors of Major Importance (DCPMIs).
A Regulator Flexing Its Muscles
The NDPC has already shown its willingness to impose penalties. In July 2025, it fined MultiChoice Nigeria ₦766.2 million after finding its remedial steps on data handling “unsatisfactory.”
In 2024, Fidelity Bank was hit with a fine equal ₦555.8 million for processing personal data without informed consent. Both cases were widely read as signals that the Commission would not hesitate to sanction well-capitalised firms.
Editor’s Note: Screenshots of the full list of companies under investigation, as published in BusinessDay on August 25, 2025, can be found here for reference.
