april 2026

NDPR in 2026: The Ten Things Most Businesses Are Still Getting Wrong

the regulation is seven years old. the mistakes are still the same ones.

nigeria's data protection landscape has matured significantly since the Nigeria Data Protection Regulation (NDPR) was issued in 2019. we now have the Nigeria Data Protection Act (NDPA) 2023, an active regulator in the Nigeria Data Protection Commission (NDPC), and a series of enforcement actions that prove the rules are not merely suggestions. yet, despite this evolution, most businesses are still repeating the same set of foundational errors.

in my practice, i review compliance frameworks across startups, established SMEs, and institutional bodies. consistently, the gaps are the same. here are the ten things most businesses are still getting wrong, and exactly how to fix them.

  1. treating the NDPR as the only applicable framework

    the NDPA 2023 prevails over the NDPR wherever the two are inconsistent. the act introduced obligations, such as registration of data controllers of major importance (DCMI) and a statutory 72-hour breach notification window, that the 2019 regulation itself never contained. relying solely on a 2019 NDPR checklist guarantees non-compliance with the act.

    the fix: audit your practices against the NDPA 2023 and the directives the NDPC has issued under it. update all internal policies to reflect the statutory language of the act, not just the regulation.

  2. copying privacy policies from foreign company websites

    this is the most visible sin. taking a privacy policy from a european or american startup and doing a find-and-replace on the company name creates immediate legal risk. you end up promising users rights under the california consumer privacy act (CCPA) or citing gdpr articles, mechanisms that do not apply to you, while saying nothing about the rights your nigerian users actually have under the NDPA.

    the fix: draft a privacy notice specific to your actual operations, citing the relevant sections of the NDPA and detailing precisely how you handle data.

  3. having a consent tick-box that does not actually record consent

    putting a checkbox on a signup form is visually reassuring, but legally useless if the backend does not record that specific user's consent action with a timestamp. the act expects the controller to be able to demonstrate that consent was given, so if the NDPC asks you to prove that user #405 consented to marketing emails on august 12th, and had not withdrawn it by then, the checkbox alone cannot save you.

    the fix: log every consent event, grants and withdrawals alike, with the user identifier, a timestamp, where the action came from, and the exact wording the user saw at that moment. keep the log append-only so that it can stand as evidence rather than as a field somebody may have edited later.
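    as an added illustration (this is not code from the article, and not anyone's production system), here is what a consent record that can answer the NDPC's question looks like: an append-only ledger that stores each version of the consent wording once, hashed, and every grant or withdrawal against it with a UTC timestamp and its source. the table and column names, the purpose label `marketing_email`, and the sample events for user 405 are all constructed for the example; sqlite3 is used so that it runs offline.

```python
# Append-only consent ledger: added example, not code from the article.
# Answers "did user X agree to purpose Y at time Z, and to which exact words?"
# sqlite3 keeps it offline; table, column and purpose names are assumptions.
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS consent_text (
    text_id INTEGER PRIMARY KEY,
    purpose TEXT NOT NULL,            -- e.g. 'marketing_email'
    version TEXT NOT NULL,
    body    TEXT NOT NULL,            -- the exact wording the user was shown
    sha256  TEXT NOT NULL UNIQUE      -- shows the body was not edited afterwards
);
CREATE TABLE IF NOT EXISTS consent_event (
    event_id    INTEGER PRIMARY KEY,
    user_id     INTEGER NOT NULL,
    text_id     INTEGER NOT NULL REFERENCES consent_text(text_id),
    action      TEXT NOT NULL CHECK (action IN ('granted', 'withdrawn')),
    occurred_at TEXT NOT NULL,        -- UTC ISO-8601, second precision
    source      TEXT NOT NULL         -- 'signup_form', 'preferences_page', ...
);
-- events are evidence: history may be appended to, never rewritten
CREATE TRIGGER IF NOT EXISTS no_update BEFORE UPDATE ON consent_event
BEGIN SELECT RAISE(ABORT, 'consent_event is append-only'); END;
CREATE TRIGGER IF NOT EXISTS no_delete BEFORE DELETE ON consent_event
BEGIN SELECT RAISE(ABORT, 'consent_event is append-only'); END;
"""

def open_ledger(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def _iso(ts):
    # a consent log with ambiguous time zones is not evidence: reject naive values
    if ts.tzinfo is None:
        raise ValueError("consent timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).isoformat(timespec="seconds")

def register_text(conn, purpose, version, body):
    """Store one version of the consent wording once; return its text_id."""
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    row = conn.execute("SELECT text_id FROM consent_text WHERE sha256 = ?", (digest,)).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO consent_text (purpose, version, body, sha256) "
                       "VALUES (?, ?, ?, ?)", (purpose, version, body, digest))
    conn.commit()
    return cur.lastrowid

def record(conn, user_id, text_id, action, occurred_at, source):
    """Append one grant or withdrawal against a specific wording; return its event_id."""
    cur = conn.execute("INSERT INTO consent_event (user_id, text_id, action, occurred_at, source) "
                       "VALUES (?, ?, ?, ?, ?)", (user_id, text_id, action, _iso(occurred_at), source))
    conn.commit()
    return cur.lastrowid

def consent_status(conn, user_id, purpose, at):
    """Latest event for this user and purpose at or before `at`, joined to the wording
    it referred to. None means the user was never asked. This is the row you hand over."""
    row = conn.execute(
        """SELECT e.action, e.occurred_at, e.source, t.version, t.body, t.sha256
           FROM consent_event e JOIN consent_text t ON t.text_id = e.text_id
           WHERE e.user_id = ? AND t.purpose = ? AND e.occurred_at <= ?
           ORDER BY e.occurred_at DESC, e.event_id DESC LIMIT 1""",
        (user_id, purpose, _iso(at))).fetchone()
    if row is None:
        return None
    return dict(zip(("action", "occurred_at", "source", "version", "body", "sha256"), row))

def has_consent(conn, user_id, purpose, at):
    status = consent_status(conn, user_id, purpose, at)
    return status is not None and status["action"] == "granted"

def tamper_blocked(conn):
    """True if the append-only trigger refuses an attempt to rewrite an event."""
    try:
        conn.execute("UPDATE consent_event SET action = 'granted'")
        return False
    except sqlite3.DatabaseError as exc:
        return "append-only" in str(exc)

def demo():
    """Constructed sample: user 405, two notice versions, one grant, one withdrawal."""
    conn = open_ledger()
    v1 = register_text(conn, "marketing_email", "2025-07",
                       "Send me product news by email. Unsubscribe any time.")
    register_text(conn, "marketing_email", "2025-09",  # newer wording that 405 never saw
                  "Send me product news and partner offers by email.")
    record(conn, 405, v1, "granted", utc(2025, 8, 1, 9, 30), "signup_form")
    record(conn, 405, v1, "withdrawn", utc(2025, 9, 15, 18, 5), "preferences_page")
    return conn
```

    the query in consent_status answers "what was user 405's consent state on 12 august, and which exact words had they agreed to?", and it returns the 2025-07 wording even after a newer notice has been published, because consent attaches to the text the user saw, not to whatever is live today. the triggers make the evidence append-only: a withdrawal is a new row, never an edit to the old one.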

  4. not having a documented lawful basis for each processing activity

    consent is only one lawful basis. many businesses run into trouble because they ask for consent for processing that is actually necessary for the performance of a contract or for compliance with a legal obligation. consent can be withdrawn, and when it is, you are left with no basis for processing you cannot stop. if you don't map every category of data you collect to a specific lawful basis, you cannot demonstrate that your processing is lawful.

    the fix: build a comprehensive record of processing activities (ROPA) that specifies the lawful basis for every category of data you touch.

  5. no process for handling data subject access requests (DSARs)

    when a user requests a copy of the data you hold on them, or demands deletion, you have a statutory timeline (usually 30 days) to comply. a surprising number of companies treat each request as an unprecedented crisis, routing emails between support, engineering and legal with no systematic approach.

    the fix: establish a standard operating procedure for DSARs. verify the requester's identity first, because a DSAR is also a well-worn way to talk a support desk into handing over someone else's data. then run the scripts engineering should already have written to pull, export or erase a user's entire footprint across every system and processor that holds it, so that the 30 days are spent reviewing, not discovering where the data lives.

  6. sending data to foreign processors without transfer safeguards

    if you run on AWS in a region outside nigeria (ireland, say), or use mailchimp or stripe in the US, you are engaged in cross-border data transfers. the NDPA restricts moving the personal data of data subjects in nigeria out of the country unless the recipient is covered by an adequacy decision or by contractual or other binding safeguards, or one of a narrow set of statutory exceptions applies.

    the fix: inventory every foreign vendor and hosting region, conduct a transfer impact assessment, and make sure each vendor has signed a data processing agreement containing the contractual transfer safeguards the act recognises.

  7. not knowing whether they qualify as a DCMI

    as discussed in previous notes, the data controller of major importance (DCMI) designation brings mandatory registration with the NDPC and annual audit obligations. waiting for the NDPC to tell you that you are a DCMI is a terrible strategy; it invites penalties for the whole period in which you should already have been registered.

    the fix: assess your processing volume, data categories and sector against the NDPC's DCMI guidance now, and record the conclusion even if it is that you do not qualify.

  8. using third-party tools without a data processing agreement

    integrating google analytics, hubspot, or hotjar into your website makes them processors of your users' personal data, and because they are hosted abroad, item 6 applies to them as well. if they mishandle the data, you, as the controller, remain accountable for it. using them without a written data processing agreement (DPA) leaves you entirely exposed.

    the fix: sign the standard DPA that reputable enterprise vendors publish, check that it covers the transfer safeguards in item 6, and refuse to use vendors who will not provide one.

  9. not having a breach response plan that meets the 72-hour notification window

    when a database is compromised, the clock starts. the NDPA requires controllers to notify the commission within 72 hours of becoming aware of a qualifying breach and, where the breach is likely to put affected data subjects at high risk, to inform them as well. if you spend 48 hours working out who to call, you will miss the statutory window.

    the fix: draft an incident response plan and rehearse it. name the breach response team and its out-of-hours contacts, define how and where "awareness" of a breach is logged so the 72-hour clock has a defensible start, and write the notification templates before you need them. notify what you know within the window; the investigation continues afterwards.

  10. treating compliance as a one-time project

    the most profound error is viewing data protection as a box to be checked once. companies pay for an audit, receive a certificate, and then fundamentally change their product architecture three months later without ever consulting their privacy counsel. compliance is an ongoing operational posture, not a destination.

    the fix: integrate privacy reviews into your normal sprint planning and quarterly risk assessments, and run a data protection impact assessment before any new processing that is likely to pose a high risk to data subjects. compliance must be iterative.

if this is relevant to your situation, → send a brief.