The 72-Hour Rule: What NDPA and GDPR Say About Data Breaches
In today’s data-driven world, data breaches are no longer rare—they’re inevitable. From phishing attacks to insider mistakes, personal data can easily fall into the wrong hands. When that happens, how an organization handles breach notifications can mean the difference between swift recovery and serious legal or reputational damage.
Both the Nigeria Data Protection Act (NDPA 2023) and the European Union’s General Data Protection Regulation (GDPR) have strict obligations on how and when data controllers and processors must report data breaches.
This article breaks down, step-by-step, how to handle data breach notifications under NDPA and GDPR, with real-world insights, compliance best practices, and key differences between both frameworks.
What Is a Data Breach?
A data breach occurs when personal data is accessed, disclosed, altered, or destroyed without proper authorization — whether intentionally or accidentally.
Common Examples
| Type | Description | Example |
|---|---|---|
| Unauthorized Access | When someone gains access without permission. | Hacker infiltrates customer database. |
| Accidental Disclosure | Data is shared with the wrong recipient. | Employee emails client list to the wrong person. |
| Data Loss | Information is lost or destroyed. | Laptop containing personal files is stolen. |
| System Intrusion | Attackers exploit software vulnerabilities. | Malware steals users’ financial information. |
Even minor incidents can trigger breach notification requirements if personal data is involved.
Why Data Breach Notification Matters
Timely and transparent notification is vital for:
- Protecting affected individuals from identity theft, fraud, or harm.
- Maintaining public trust and transparency.
- Meeting legal obligations under privacy laws.
- Avoiding heavy penalties — under GDPR, fines can reach €20 million or 4% of annual global turnover, while NDPA sanctions can include financial penalties and enforcement orders.
Data Breach Notification Under GDPR
1. Notification Timeline
Under Article 33 of the GDPR, data controllers must:
- Notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
- If notification is delayed, reasons must be provided.
- If the breach is likely to result in high risk to individuals, notify affected persons without undue delay.
2. Content of the Notification
The report to the supervisory authority must include:
- Nature of the breach (including data categories and records affected).
- Contact details of the Data Protection Officer (DPO).
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
3. When You Don’t Need to Notify Individuals
If the breached data was encrypted or rendered unintelligible to unauthorized parties, or if the risk to individuals is low, direct notification may not be required.
Data Breach Notification Under NDPA
The Nigeria Data Protection Act (NDPA 2023) establishes similar obligations, with contextual differences for Nigerian organizations.
1. Notification Timeline
According to Section 40 of the NDPA, data controllers and processors must:
- Notify the Nigeria Data Protection Commission (NDPC) of a breach within 72 hours after becoming aware.
- Notify affected data subjects if the breach poses a real risk of harm.
2. Content of Notification
The NDPC expects the notification to include:
- Description of the nature of the breach.
- Type and volume of data affected.
- Contact information of the organization or DPO.
- Likely impact and risk assessment.
- Measures taken or planned to mitigate the impact.
3. Affected Individuals Notification
Data subjects should be informed in clear and plain language, explaining:
- What happened.
- What information was affected.
- Steps they can take to protect themselves.
- How the organization is responding.
GDPR vs NDPA: Key Differences in Breach Notification
| Requirement | GDPR | NDPA (Nigeria) |
|---|---|---|
| Supervisory Authority Notification | To the local Data Protection Authority (e.g., ICO, CNIL) | To the Nigeria Data Protection Commission (NDPC) |
| Timeline | Within 72 hours of awareness | Within 72 hours of awareness |
| Individual Notification | Required if breach likely to cause high risk | Required if breach poses a real risk of harm |
| Exemption | Encrypted or low-risk data | Encrypted or low-risk data |
| Penalty for Non-Compliance | Up to €20 million or 4% of global turnover | Fines, enforcement orders, and potential prosecution |
| Reporting Language | Country-specific DPA language | English (official NDPC format) |
How to Handle a Data Breach Step-by-Step
Step 1: Detect and Contain
- Isolate affected systems.
- Disable compromised accounts or credentials.
- Activate your incident response plan immediately.
Step 2: Assess the Breach
- Identify what data was affected.
- Determine the scope, cause, and risk of the breach.
- Classify severity (e.g., low, medium, high).
Step 3: Notify the Appropriate Authorities
- Report to the supervisory authority (GDPR) or NDPC (NDPA) within 72 hours.
- Maintain proof of submission and details of communication.
Step 4: Notify Affected Data Subjects
If there’s a high risk of harm, communicate clearly with the affected individuals:
- Be honest and transparent.
- Provide advice on how they can protect themselves.
- Offer support channels or dedicated help lines.
Step 5: Document Everything
Keep detailed records of:
- The breach timeline and response.
- Decisions made and justifications.
- Follow-up actions and mitigation efforts.
Step 6: Review and Prevent Future Incidents
- Conduct post-incident analysis.
- Update security measures and employee training.
- Review data retention and protection policies.
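The six steps above are what an organization normally tracks in a breach register: when awareness began, when the 72-hour clock expires, whether the authority notification is complete and on time, whether individuals must be told, and a timestamped log of every decision. The following is an added example written for this article, not code from the article or from any regulator. It assumes things the article does not state: that the 72-hour clock runs from the recorded awareness timestamp, that a "high" severity classification (Step 2) corresponds to GDPR "high risk" and the NDPA "real risk of harm", and that the required-field lists match the article's two content checklists; the incident data is constructed sample input.

```python
"""Breach-notification register: added illustration, not code from the article.

Assumptions (not stated in the article): the 72-hour clock starts at the
recorded awareness time; risk "high" maps to GDPR high risk / NDPA real risk
of harm; required fields mirror the article's two content checklists.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)   # GDPR Art. 33 and NDPA s. 40 timeline

# Minimum contents of the authority notification, as listed in the article.
REQUIRED_FIELDS = {
    "GDPR": {"nature", "dpo_contact", "consequences", "measures"},
    "NDPA": {"nature", "data_types_volume", "contact", "impact", "measures"},
}


@dataclass
class BreachRecord:
    framework: str                       # "GDPR" or "NDPA"
    aware_at: datetime                   # when the controller became aware (UTC)
    risk: str                            # "low", "medium" or "high" (Step 2)
    data_encrypted: bool                 # unintelligible to unauthorized parties
    notification: dict = field(default_factory=dict)
    authority_notified_at: datetime | None = None
    delay_reason: str | None = None
    timeline: list = field(default_factory=list)   # Step 5: document everything

    def __post_init__(self) -> None:
        if self.framework not in REQUIRED_FIELDS:
            raise ValueError(f"unknown framework {self.framework!r}")
        self.note(self.aware_at, "breach awareness recorded")

    def note(self, when: datetime, text: str) -> None:
        """Append a timestamped entry to the breach timeline."""
        self.timeline.append((when.isoformat(), text))

    def deadline(self) -> datetime:
        """72 hours from awareness under both frameworks."""
        return self.aware_at + NOTIFY_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600

    def individuals_must_be_notified(self) -> bool:
        """Step 4 decision: high/real risk triggers individual notification,
        unless the data was rendered unintelligible (the article's exemption)."""
        return self.risk == "high" and not self.data_encrypted

    def missing_fields(self) -> set[str]:
        """Required notification fields that are absent or empty."""
        present = {k for k, v in self.notification.items() if v}
        return REQUIRED_FIELDS[self.framework] - present

    def record_authority_notification(self, sent_at: datetime,
                                      reason: str | None = None) -> bool:
        """Step 3: record the submission. Returns True if within 72 hours.
        A late submission is accepted only with documented reasons."""
        if self.missing_fields():
            raise ValueError(f"notification incomplete: {sorted(self.missing_fields())}")
        on_time = sent_at <= self.deadline()
        if not on_time:
            if not reason:
                raise ValueError("late notification requires documented reasons")
            self.delay_reason = reason
        self.authority_notified_at = sent_at
        self.note(sent_at, "authority notified" + ("" if on_time else f" (late: {reason})"))
        return on_time


# Constructed sample incident (not a real case).
AWARE_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_GDPR_NOTIFICATION = {
    "nature": "unauthorized access to customer database, ~1,200 records (constructed)",
    "dpo_contact": "dpo@example.com",
    "consequences": "possible phishing of affected customers",
    "measures": "credentials rotated, affected host isolated",
}


def example_case() -> dict:
    """Walk the constructed GDPR incident through Steps 1-5 and summarize."""
    rec = BreachRecord("GDPR", AWARE_AT, "high", data_encrypted=False,
                       notification=dict(SAMPLE_GDPR_NOTIFICATION))
    rec.note(AWARE_AT + timedelta(hours=1), "host isolated, credentials revoked")  # Step 1
    on_time = rec.record_authority_notification(AWARE_AT + timedelta(hours=50))   # Step 3
    return {
        "deadline": rec.deadline().isoformat(),
        "on_time": on_time,
        "notify_individuals": rec.individuals_must_be_notified(),
        "timeline_entries": len(rec.timeline),
    }


if __name__ == "__main__":
    print(example_case())
```

The register refuses to log an authority notification that is missing a required field, and refuses a late one unless a reason is documented, which mirrors the article's point that delayed GDPR notifications must be explained. The same record structure serves an NDPA incident by switching the framework name, since the two timelines are identical and only the content checklist differs.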
Real-Life Example: British Airways Data Breach
In 2018, British Airways suffered a cyberattack affecting over 400,000 customers. The UK Information Commissioner’s Office (ICO) fined the airline £20 million for failing to protect personal data.
The case underscored a vital lesson — early detection, transparent communication, and timely reporting are non-negotiable for compliance under both GDPR and NDPA frameworks.
FAQs
Q1. Who must report a data breach under NDPA or GDPR?
The data controller bears primary responsibility for notifying the authority and affected individuals. Processors must inform controllers promptly.
Q2. What happens if I fail to report within 72 hours?
Late or non-reporting can result in fines, enforcement orders, and reputational damage.
Q3. Do small organizations have to report breaches?
Yes. All entities processing personal data are required to report breaches that pose risks to data subjects.
Q4. What if the breach only affects a few individuals?
If the risk is low, documentation is still mandatory — but public or individual notification may not be required.
Q5. Can NDPC or EU authorities publish details of my breach?
Yes. For public accountability, regulators may disclose major breaches or enforcement actions.
Conclusion
Data breaches are not just IT problems — they are legal and reputational challenges that demand immediate, transparent action.
Under both NDPA and GDPR, organizations must act quickly: detect, assess, report, and mitigate. By establishing robust response procedures and understanding notification requirements, you protect not only your organization but also the trust of your customers.
In privacy compliance, speed, honesty, and preparedness are your best defenses.