
Data Privacy Laws You Can’t Ignore: NDPA, GDPR & Beyond


Exhaustive comparison, plain-English explanations, practical compliance steps, rights, obligations, penalties, and checklists for organisations and data subjects.

  • GDPR (EU) is the global benchmark — comprehensive, prescriptive, with strong extraterritorial reach and high fines (up to €20M or 4% of global turnover). EUR-Lex+1
  • NDPA (Nigeria Data Protection Act, 2023) modernises Nigeria’s privacy law, establishes the Nigeria Data Protection Commission (NDPC), adopts GDPR-like data subject rights and lawful bases (including legitimate interest), requires breach notification within 72 hours and sets a tiered fine regime (N2M–N10M or ~2% of turnover depending on size). PLACNG+1
  • Both frameworks share the same policy goals: protect personal data, empower individuals, and require accountability from controllers/processors — but they differ on certification/registration, enforcement scale, and certain procedural details. GDPR+1

1. Why compare NDPA and GDPR?

Organisations operating in or with customers in the EU and Nigeria need to understand both regimes to avoid legal risk, meet cross-border transfer rules, and build trust. Many concepts overlap (data subject rights, lawful bases, DPIAs, DPOs), so mapping them makes compliance efficient.

2. Short legal profiles (authoritative sources)

  • GDPR (Regulation (EU) 2016/679) — EU Regulation that harmonises data protection across EU/EEA; applies to controllers/processors established in the EU and, in certain circumstances, to entities outside the EU processing data of people in the EU. EUR-Lex+1
  • Nigeria Data Protection Act (NDPA), 2023 — Nigerian Act that replaced NDPR (2019) and created the NDPC as the regulator; applies to controllers/processors domiciled, resident, operating in Nigeria or processing Nigerians’ data. PLACNG+1

3. Core principles — what rules guide both laws?

GDPR core principles (Article 5; short list)

  1. Lawfulness, fairness and transparency.
  2. Purpose limitation.
  3. Data minimisation.
  4. Accuracy.
  5. Storage limitation.
  6. Integrity and confidentiality (security).
  7. Accountability (controllers must demonstrate compliance). GDPR

NDPA core principles

NDPA mirrors many GDPR principles (transparency, purpose limitation, data minimisation, security, accountability) and places emphasis on national digital economy interests and protections adapted to Nigeria’s context (e.g., registration/compliance regimes administered by the NDPC). cert.gov.ng+1

4. Lawful bases for processing (what makes processing lawful)

GDPR — six lawful bases (Article 6)

  1. Consent (freely given, specific, informed, unambiguous).
  2. Contract (necessary for contract performance).
  3. Legal obligation (compliance with law).
  4. Vital interests (protect life).
  5. Public task (official authority tasks).
  6. Legitimate interests (balanced test). GDPR

NDPA — lawful bases

NDPA provides similar lawful bases and explicitly includes legitimate interests (with restrictions and guidance). Controllers must pick and document an appropriate basis and respect data subject expectations. The NDPA also requires additional compliance steps (e.g., registration/notifications) for certain organisations. DLA Piper Data Protection+1

5. Data subject rights — what individuals can demand

Below is a combined, comprehensive list of rights present in GDPR and the NDPA (most rights overlap):

  1. Right to be informed — transparency about processing. GDPR+1
  2. Right of access — copy of personal data and processing details. GDPR
  3. Right to rectification — correct inaccurate data. GDPR
  4. Right to erasure (Right to be forgotten) — delete data in certain circumstances (GDPR Art.17). GDPR
  5. Right to restrict processing — suspend processing while a dispute is resolved. GDPR
  6. Right to data portability — receive data in a structured, machine-readable form. GDPR
  7. Right to object — object to processing (including direct marketing, profiling). GDPR
  8. Rights related to automated decision-making & profiling — safeguards where significant consequences arise. GDPR
  9. Withdrawal of consent — ability to withdraw consent as easily as it was given (NDPA/ GDPR). cert.gov.ng+1

Practical note: The NDPA places these rights in Part VI and sets out mechanisms and timelines for responding (see section references and NDPC guidance). cert.gov.ng

6. Obligations of controllers and processors (practical checklist)

Both frameworks require organisations to:

  • Document processing activities (records of processing).
  • Implement appropriate technical and organisational measures (encryption, access controls, backups).
  • Carry out DPIAs (Data Protection Impact Assessments) for high-risk processing. The NDPA specifically mandates DPIAs when required and empowers the NDPC to direct when DPIAs are needed. GDPR+1
  • Appoint a Data Protection Officer (DPO) in specific cases. GDPR requires a DPO for certain public bodies and large-scale processing; NDPA mandates DPOs for controllers/processors of major importance. GDPR+1
  • Notify breaches — both laws require timely breach notifications (GDPR: notify supervisory authority within 72 hours where feasible; NDPA also requires notification to the NDPC within 72 hours where a breach risks data subject rights). European Data Protection Board+1

7. Cross-border transfers (moving data outside the jurisdiction)

  • GDPR: Transfers are permitted only if the destination provides an adequate level of protection (European Commission adequacy decision) or when appropriate safeguards are in place (Standard Contractual Clauses — SCCs, Binding Corporate Rules — BCRs, codes of conduct, or approved certification). Transfers can also rely on derogations in narrow cases. European Data Protection Board
  • NDPA: NDPA requires a legal basis for transfers (adequacy, consent, contracts, etc.) and the NDPC may issue guidance/GAID on cross-border requirements. The NDPA includes provisions on adequacy and transfer safeguards; controllers should check NDPC directives and GAID for operational rules. cert.gov.ng+1

8. Enforcement & penalties — how regulators punish non-compliance

GDPR (EU)

  • Administrative fines under Article 83: up to €20 million or 4% of annual global turnover (for the most serious infringements); lower tiers exist for less severe breaches (up to €10M / 2%). Supervisory authorities (national DPAs) enforce penalties and corrective measures. GDPR

NDPA (Nigeria)

  • The NDPC can impose tiered penalties. For controllers/processors of major importance the higher amount is the greater of ₦10,000,000 (the USD equivalent varies with the exchange rate) or 2% of annual gross revenue; for non-major controllers/processors, the standard maximum is the greater of ₦2,000,000 or 2% of annual gross revenue. Orders can also include remedial fees, disgorgement of profits, and imprisonment of up to one year for certain offences. Recent enforcement actions (Meta, Fidelity Bank, Multichoice) demonstrate active regulatory enforcement in Nigeria. DLA Piper Data Protection+2KPMG Assets+2

9. Regulatory bodies and cooperation

  • GDPR: Each EU Member State has a supervisory authority (e.g., ICO in the UK pre-Brexit; CNIL in France). The European Data Protection Board (EDPB) coordinates enforcement and issues guidelines. The one-stop-shop mechanism centralises cross-border complaints via the lead supervisory authority. European Data Protection Board
  • NDPA / NDPC: The Nigeria Data Protection Commission (NDPC) is the regulator — powers include issuing regulations (GAID), registration requirements, audits, fines, and guidance. The NDPC has issued the GAID (General Application & Implementation Directive) 2025 to operationalize NDPA provisions. The NDPC co-operates with other Nigerian regulators and international authorities as required. Nigeria Data Protection Commission+1

10. Special rules & notable NDPA features (how NDPA differs / local flavour)

  • Mandatory registration & DPCO regime: NDPA creates requirements for who must register and sets up Data Protection Compliance Organisations (DPCOs) for audit/compliance support. Future of Privacy Forum
  • Legitimate interest included: NDPA adds legitimate interest as an explicit lawful basis (with safeguards), bringing it closer to GDPR practice. DLA Piper Data Protection
  • Tailored penalties & prison terms: NDPA couples fines with the possibility of imprisonment for serious offences — a deterrent feature differing from GDPR where administrative fines are the primary remedy (criminal sanctions depend on Member States). cert.gov.ng+1
  • GAID & NDPR transition: NDPC issued GAID 2025 to guide the NDPA’s operation and timetable; NDPR (2019) is being phased out in favour of NDPA + GAID. Organisations must track NDPC guidance closely. Nigeria Data Protection Commission+1

11. Practical, comprehensive policy list — what your organisation must have/document

Below is a long checklist of policies/procedures that map to both GDPR and NDPA obligations. Treat this as a master policy inventory; each item should be documented, owned, and versioned.

  1. Privacy / Data Protection Policy — public statement of processing principles & rights.
  2. Privacy Notice(s) / Transparency Notices — for customers, employees, website visitors (clear purpose, lawful basis, retention).
  3. Records of Processing Activities (RoPA) — internal register (GDPR Art.30; NDPA similar record obligations).
  4. Data Retention & Deletion Policy — retention schedules and secure disposal procedures.
  5. Data Classification Policy — categorize personal/sensitive/pseudonymous/anonymous data.
  6. Data Minimisation & Purpose Limitation Policy — ensure only necessary data is collected.
  7. Lawful Basis Assessment Templates — document legal basis for each processing activity.
  8. Data Protection Impact Assessment (DPIA) Policy & Templates — threshold tests, approval flow, remediation tracking. GDPR
  9. Breach Response & Notification Plan — 72-hour timeline triggers, internal roles, sample notification letters. European Data Protection Board+1
  10. Access Control & Identity Management Policy — least privilege, role definitions, privileged access review.
  11. Encryption & Cryptography Policy — in-transit and at-rest requirements, key management.
  12. Third-Party / Vendor Management Policy — DPA clauses, SCCs, DPIAs for vendors, audit rights.
  13. Data Transfer & Cross-Border Transfer Policy — adequacy checks, SCCs, transfer logs. European Data Protection Board
  14. Data Subject Rights Handling Procedure — request intake, verification, response times, appeals.
  15. Data Protection by Design & Default Policy — embedded in development lifecycles (Privacy-by-Design).
  16. Employee Privacy & Acceptable Use Policy — BYOD rules, monitoring notices.
  17. Consent Management Framework — cookie banners, consent records, withdrawal mechanisms.
  18. DPO Terms of Reference / Role Description — responsibilities, reporting lines. KPMG Assets
  19. Training & Awareness Program — onboarding, annual refreshers, phishing tests.
  20. Records Retention & Archival Policy — legal holds, archival procedures.
  21. Data Disposal & Sanitisation Procedures — secure erase, physical destruction logs.
  22. Auditing & Compliance Monitoring Policy — internal audit schedule, metrics, dashboards.
  23. Incident Forensics & Evidence Preservation SOP — chain of custody, forensic collection.
  24. Data Protection Compliance Organisation (DPCO) Engagement Plan (for NDPA) — where applicable, engagement procedures with certified DPCOs. Future of Privacy Forum
  25. Customer / Employee Data Access Request Templates — standardized responses for access/erasure/portability.
  26. Policy for Minors & Special Categories — protections for children’s data and sensitive categories (biometrics, health).
  27. Marketing & Direct Messaging Consent Procedure — opt-ins, suppression lists, revocation logs.
  28. Risk Assessment & Third-Party Due Diligence Checklists — SOC2, ISO27001, or other certification checks.
  29. Data Processing Agreement (DPA) Template — compliant with GDPR Art.28 and NDPA DPA expectations.
  30. Records of Transfers & Inventory of Data Flows — mapping who holds what, where it flows, and legal bases.

Tip: Convert these into a single “Data Protection Management System (DPMS)” manual and assign owners for each item. Many of these are mandatory under GDPR/NDPA accountability.

12. Implementation roadmap — how an SME should operationalise both laws (step-by-step)

Phase 0 — Discovery & governance

  • Appoint an accountable executive (CPO/DPO or external DPO).
  • Map data flows and build RoPA.
  • Classify data.

Phase 1 — Legal & policies

  • Write privacy notice(s) and internal policies from the checklist above.
  • Choose lawful bases and document decisions.

Phase 2 — Technical controls

  • Implement encryption, RBAC, logging, backups.
  • Enforce MFA and patch management.

Phase 3 — DPIAs & vendors

  • Run DPIAs on high-risk systems.
  • Contractually bind vendors with DPAs and audit rights.

Phase 4 — People & process

  • Train staff, set reporting lines, and run tabletop breach exercises.
  • Create a rights-request workflow and tech to manage requests.

Phase 5 — Test & certify

  • Run penetration tests and security audits.
  • For NDPA: consider registration/DPCO engagement as required; for GDPR: pursue certifications if helpful (ISO 27701, SOC2) and implement SCCs if transferring data.

Phase 6 — Continuous improvement


13. In-depth: Breach notification mechanics (practical template)

  • Trigger: actual or suspected personal data breach.
  • Triage score: low / medium / high (based on number of data subjects, sensitivity, likelihood of harm).
  • 72-hour rule: Notify NDPC (NDPA) and EU supervisory authority (GDPR) within 72 hours of becoming aware where required; if you cannot provide full info, provide updates as you investigate. Securiti+1
  • Content of notification: nature of breach, categories of data, likely consequences, mitigations taken, contact point, steps for data subjects.
  • Notify data subjects: where the breach is likely to result in high risk to individuals’ rights and freedoms, notify them without undue delay (GDPR). The NDPA likewise requires affected data subjects to be notified without undue delay; it may not set a strict timeframe, but it does require prompt notice. European Data Protection Board+1
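The mechanics above (triage on volume, sensitivity and likelihood of harm; a 72-hour regulator clock that starts when the controller becomes aware; phased updates when facts are incomplete; data-subject notice on high risk) can be turned into a small incident tracker. The following is an added example written for this article, not code from the author or from any regulator; the point thresholds, the sensitive-category labels, the jurisdiction tags "EU" and "NG" and the sample breach record are all assumptions of the example, and the legal test itself remains the controller's judgement.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

# 72-hour window both regimes use for the regulator notice (GDPR Art. 33; NDPA notice to the NDPC).
REGULATOR_WINDOW = timedelta(hours=72)

# Category labels treated as sensitive during triage. Assumed labels for this example;
# the article names special categories such as biometrics and health data.
SENSITIVE_TYPES = {"health", "biometric", "financial", "children", "id_number"}

# Which regulator receives the 72-hour notice for each jurisdiction tag (tags are assumed).
REGULATORS = {"EU": "EU supervisory authority (GDPR Art. 33)", "NG": "NDPC (NDPA)"}

LIKELIHOOD_POINTS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class BreachRecord:
    discovered_at: datetime          # moment the controller became aware (timezone-aware)
    data_subjects: int               # number of individuals affected (best current estimate)
    data_types: set                  # categories of personal data involved
    likelihood_of_harm: str          # "low" | "medium" | "high"
    jurisdictions: set               # subset of REGULATORS keys, e.g. {"EU", "NG"}
    containment: list = field(default_factory=list)  # mitigation steps already taken
    scope_confirmed: bool = False    # False -> send what is known at 72 h and follow up


def triage(rec: BreachRecord) -> str:
    """Score the three factors the article lists: volume, sensitivity, likelihood of harm."""
    score = LIKELIHOOD_POINTS[rec.likelihood_of_harm]
    if rec.data_subjects >= 10_000:
        score += 2
    elif rec.data_subjects >= 100:
        score += 1
    if rec.data_types & SENSITIVE_TYPES:
        score += 2
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def regulator_deadline(rec: BreachRecord) -> datetime:
    """The clock starts when the controller becomes aware, not when the breach occurred."""
    return rec.discovered_at + REGULATOR_WINDOW


def hours_remaining(rec: BreachRecord, now: datetime) -> float:
    """Negative means the regulator window has closed; the delay must then be documented."""
    return (regulator_deadline(rec) - now) / timedelta(hours=1)


def must_notify_data_subjects(rec: BreachRecord) -> bool:
    """Individuals are told without undue delay when the breach is likely to cause high risk."""
    return triage(rec) == "high"


def notification_plan(rec: BreachRecord, now: datetime) -> dict:
    """Assemble who gets notified, by when, and the content fields the article lists."""
    remaining = hours_remaining(rec, now)
    return {
        "triage": triage(rec),
        "regulators": sorted(REGULATORS[j] for j in rec.jurisdictions),
        "regulator_deadline": regulator_deadline(rec).isoformat(),
        "hours_remaining": round(remaining, 1),
        "overdue": remaining < 0,
        "notify_data_subjects": must_notify_data_subjects(rec),
        "categories_of_data": sorted(rec.data_types),
        "data_subjects_affected": rec.data_subjects,
        "mitigations_taken": list(rec.containment),
        "phased_update_required": not rec.scope_confirmed,
    }


def sample_breach(hours_elapsed: float = 20) -> tuple:
    """Constructed sample: a leaked customer export with health data, discovered 2025-03-01 09:00 UTC."""
    discovered = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(
        discovered_at=discovered,
        data_subjects=2500,
        data_types={"email", "health"},
        likelihood_of_harm="medium",
        jurisdictions={"EU", "NG"},
        containment=["revoked leaked API key", "rotated service credentials"],
    )
    return rec, discovered + timedelta(hours=hours_elapsed)


if __name__ == "__main__":
    rec, now = sample_breach()
    for key, value in notification_plan(rec, now).items():
        print(f"{key}: {value}")
    low = replace(rec, data_subjects=5, data_types={"email"}, likelihood_of_harm="low")
    print("low-risk variant triage:", triage(low), "notify subjects:", must_notify_data_subjects(low))
```

The tracker deliberately keys the 72-hour deadline to `discovered_at` rather than to the date of the intrusion, which is the mistake most often made in tabletop exercises, and it flags `phased_update_required` so the team sends an initial notice and follows up instead of waiting for a complete picture.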

14. Data Protection Impact Assessment (DPIA) — when & how

  • When required: large-scale processing, systematic profiling, processing of special categories, new technologies, or when likely to result in high risk to rights/freedoms. Both GDPR and NDPA emphasise DPIAs; NDPA explicitly empowers the NDPC to require/guide DPIAs. GDPR+1
  • Core elements of DPIA: description of processing; necessity & proportionality; risk assessment; mitigation plan; residual risk & decision; consult NDPC/SA as required.
  • Record DPIA approvals and keep for audits.

15. DPO: duties, skills, and reporting lines

  • Role: advise on compliance, monitor DPMS, be contact point for supervisory authorities/data subjects, provide training.
  • Appointment: mandatory for public authorities, large-scale processing, processing of special categories (GDPR). NDPA requires DPOs for “controllers/processors of major importance.” GDPR+1
  • Independence: Should report to highest management level and not receive instructions that compromise duties.

16. Cross-reference table — GDPR vs NDPA (quick mapping)

| Topic | GDPR (EU) | NDPA (Nigeria) |
| --- | --- | --- |
| Regulator | National DPAs + EDPB | NDPC |
| Territorial scope | EU + extraterritorial criteria (Article 3) | Nigerian citizens/residents and processing linked to Nigeria |
| Lawful bases | Consent, contract, legal obligation, vital interests, public task, legitimate interest | Similar bases; NDPA explicitly includes legitimate interest |
| DPO required | Yes in many cases | Yes for controllers/processors of major importance |
| DPIA | Required for high-risk processing | Required when NDPA or NDPC directs |
| Breach notification | 72 hours (supervisory authority) | 72 hours to NDPC where risk to rights |
| Data subject rights | Access, erasure, rectification, portability, objection, restriction, automated decisions | Same suite of rights (Part VI) |
| Cross-border transfers | Adequacy, SCCs, BCRs, derogations | Adequacy and safeguards; NDPC GAID provides detail |
| Fines | Up to €20M / 4% global turnover | Tiered: up to ₦10M or 2% turnover (major) / ₦2M or 2% turnover (standard); possible imprisonment |
| Certification | Voluntary; ISO/IEC standards and EU codes exist | NDPC to provide registration/guidance (GAID) |

(Sources: GDPR legal text and NDPA/NDPC publications). EUR-Lex+1

17. Real-world enforcement examples (learning from others)

  • EU/GDPR: Clearview AI fined €30M+ by Dutch DPA for mass biometric scraping (example of biometric/sensitive data enforcement). The Verge
  • Nigeria/NDPA: NDPC & FCCPC fined Meta $220M (consumer/data law breach) and fined Fidelity Bank for unlawful processing — demonstrates active enforcement and willingness to levy meaningful sanctions locally. Data Protection Africa | ALT Advisory+1

18. Common compliance pitfalls and how to fix them

  1. Relying solely on non-explicit consent — fix: map lawful basis for each processing and document it. Medium
  2. Poor vendor management — fix: sign DPAs, require evidence of security, run audits.
  3. No RoPA — fix: create a records register and update it quarterly.
  4. Failure to test breach plans — fix: conduct tabletop exercises and post-mortem reviews.
  5. Ignoring cross-border transfer risks — fix: implement SCCs or verify adequacy and update contracts. European Data Protection Board

19. Templates & sample clauses (short examples)

Sample DPA clause (vendor):

“The Processor shall process personal data only on documented instructions of the Controller, implement appropriate technical and organisational measures, assist the Controller in responding to data subject requests, and on termination return or delete personal data.”
(Use this as a short skeleton — full Art.28/NDPA-aligned clauses are larger.)

Sample breach notification checklist (quick):

  • Date/time discovered
  • Scope (systems, records, categories)
  • Number of data subjects affected
  • Types of personal data involved
  • Containment steps taken
  • Planned corrective actions
  • Notification status (NDPC, DPA, affected subjects)

20. FAQ — quick answers to likely questions

Q: Does GDPR apply to Nigerian companies?
A: Yes — if they offer goods/services to people in the EU or monitor behavior of people in the EU (extraterritorial scope). They must comply or face fines. GDPR

Q: Is NDPA just a copy of GDPR?
A: No — NDPA is inspired by GDPR (many shared principles/rights), but it includes Nigeria-specific features (registration, DPCOs, NDPC governance, tailored penalties and prison provisions). cert.gov.ng+1

Q: What is the timeline for breach notification?
A: Both require notifying the regulator within 72 hours when required; NDPA also expects notification to data subjects without undue delay in many cases. European Data Protection Board+1

Q: Which is more punitive — GDPR or NDPA?
A: GDPR can impose larger monetary fines (a percentage of global turnover). NDPA uses tiered fines that may be smaller in absolute value but include criminal penalties and strong local enforcement, so both are serious. GDPR+1

21. Long checklist for auditors (detailed, printable)

(Use this as an auditor’s master test; answer Yes / No / Action required.)

  1. RoPA exists and is updated.
  2. All processing activities have a lawful basis recorded.
  3. Privacy notices published & accurate.
  4. DPIAs performed for high-risk processing.
  5. DPO appointed or documented why not required.
  6. Breach playbook with 72-hour procedure.
  7. Vendor DPAs signed and vendor audit logs available.
  8. Cross-border transfers assessed and safeguards in place.
  9. Employee training logs maintained.
  10. Access controls and MFA enforced.
  11. Encryption at rest & in transit for sensitive data.
  12. Data minimisation enforced in forms and collection points.
  13. Retention schedule documented and enforced.
  14. Regular security testing (pen tests) performed.
  15. Records of data subject requests and responses kept.
  16. Evidence of NDPC/DPA registration or required filings. Nigeria Data Protection Commission+1

22. Practical sample timeline to reach baseline compliance (90 days)

  • Days 1–15: Governance (appoint DPO/owner), map critical processing, start RoPA.
  • Days 16–45: Draft & publish privacy notice, prepare DPIA templates, vendor DPA template.
  • Days 46–75: Implement technical controls (MFA, backups, encryption), start staff training.
  • Days 76–90: Test breach plan, run a tabletop exercise, close high-priority remediation items, schedule audits.

23. Further reading & official sources (primary/legal — read these first)

  • GDPR (EU) legal text (EUR-Lex) — Regulation (EU) 2016/679. EUR-Lex
  • GDPR reference site (gdpr-info.eu) — article summaries & text. GDPR
  • ICO guidance (UK) — principles, DPIAs, lawful bases (practical guidance). ICO
  • Nigeria Data Protection Act, 2023 (official PDF) — full Act (NDPA). PLACNG+1
  • NDPC GAID 2025 — General Application & Implementation Directive (operational NDPA guidance). Nigeria Data Protection Commission

24. Closing recommendations (actionable, prioritized)

  1. If you process EU data: Map your GDPR obligations now — appoint a lead DPA contact, ensure lawful bases, and check transfer mechanisms. GDPR
  2. If you operate in Nigeria or process Nigerian data: Register/engage NDPC guidance, appoint DPO if applicable, comply with 72-hour breach notification, and prepare for NDPC audits and GAID directives. Nigeria Data Protection Commission+1
  3. Small orgs / SMEs: Start with RoPA, privacy notice, MFA, backups, and a breach playbook. Scale DPIAs, vendor audits and DPO functions as you grow.
  4. Large orgs / multinationals: Implement a harmonised DPMS that maps GDPR → NDPA → other local laws; leverage SCCs/BCRs for transfers and invest in compliance automation.

Key citations (most load-bearing sources used)

  1. GDPR legal text — Regulation (EU) 2016/679 (EUR-Lex). EUR-Lex
  2. GDPR Article 17 (Right to erasure) — gdpr-info / gdpr-text references. GDPR+1
  3. Nigeria Data Protection Act, 2023 — official PDF & NDPC resources. PLACNG+1
  4. NDPC GAID 2025 — implementation directive / guidance. Nigeria Data Protection Commission
  5. NDPA enforcement & penalties (NDPA sections / KPMG & Reuters reporting on enforcement). cert.gov.ng+2KPMG Assets+2

Ikeh Ifeanyichukwu James is a Certified Data Protection Officer (CDPO) accredited by the Institute of Information Management (IIM) in collaboration with the Nigeria Data Protection Commission (NDPC). With years of experience supporting organizations in data protection compliance, privacy risk management, and NDPA implementation, he is committed to advancing responsible data governance and building digital trust in Africa and beyond. In addition to his privacy and compliance expertise, James is a Certified IT Expert, Data Analyst, and Web Developer, with proven skills in programming, digital marketing, and cybersecurity awareness. He has a background in Statistics (Yabatech) and has earned multiple certifications in Python, PHP, SEO, Digital Marketing, and Information Security from recognized local and international institutions. James has been recognized for his contributions to technology and data protection, including the Best Employee Award at DKIPPI (2021) and the Outstanding Student Award at GIZ/LSETF Skills & Mentorship Training (2019). At Privacy Needle, he leverages his diverse expertise to break down complex data privacy and cybersecurity issues into clear, actionable insights for businesses, professionals, and individuals navigating today’s digital world.
