Banwo & Ighodalo Logo

Compliance Notice From The Nigeria Data Protection Bureau


The Nigeria Data Protection Bureau (the “NDPB”) recently established the National Data Protection Adequacy Programme (the “NaDPAP”) Whitelist pursuant to section 37 of the 1999 Constitution of the Federal Republic of Nigeria (the “CFRN”). The Whitelist contains a list of organisations deemed to have taken steps to comply with the standard duty of care required in ensuring data protection. The NaDPAP Whitelist will be published on NDPB website, in major newspapers and in addition, shared with local and international establishments to serve as a reference for compliant organisations in relevant transactions and proceedings.

In a compliance notice on the NaDPAP Whitelist (the “Notice”) recently published by NDPB, organisations were directed to take the following steps on or before November 25, 2022 to be included on the NaDPAP Whitelist:

  1. To read and understand the Nigeria Data Protection Regulation (the “NDPR”) 2019, because it applies to various situations and persons involved in data processing;
  2. To develop and implement a Privacy Policy that is consistent with the NDPR;
  3. To notify employees, customers and online visitors of the Privacy Policy;
  4. To designate at least one or two members of staff as Data Protection Contacts (“DPC”). The Names of the DPCs (not more than 3) should be forwarded to NDPB for a free Induction Course in Data Protection Regulation Compliance, following which any one of them may be appointed as the organisation’s Data Protection Officer (“DPO”);
  5. Where there is subsisting DPO, his contact should be forwarded to the NDPB; and
  6. To mandate service providers (agents, licensees and contactors) to comply with the NDPR.

The Notice also reminds the public that adequate technical and organizational measures for data protection are obligatory for every organization (as data

controllers/processors) in Nigeria and that the penalty for breach by an organization of this obligation is, in the case of a Data Controller dealing with more than 10,000 data subjects, 2% of annual gross revenue of the preceding year or payment of the sum of 10 million naira (whichever is greater), and in the case of a Data Controller dealing with less than 10,000 data subjects, payment of the fine of 1% of the annual gross revenue of the preceding year or payment of the sum of 2 million naira (whichever is higher).

This newsletter is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal advice on the readers’ specific circumstances when they arise.

For further enquiries, kindly reach out to your usual B&I contact or any of the contact persons.