The Nigeria Data Protection Commission has issued a 21-day compliance notice to banks, insurance firms, pension companies, gaming operators and insurance brokers suspected of violating the provisions of the Nigeria Data Protection Act, 2023.

The compliance notice, the commission said, forms part of a sector-by-sector investigation to enforce adherence to the law, which came into effect last year to safeguard citizens’ rights and strengthen Nigeria’s participation in the global digital economy.

“The Nigeria Data Protection Commission, in furtherance of its mandate under the Nigeria Data Protection Act, 2023, has commenced a sector-by-sector investigation of organisations suspected of non-compliance with the provisions of the Act,” the commission said in a statement on Sunday.

The statement, signed by the Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, explained that the notice was issued pursuant to sections 5(i), 6(a), 6(c), 46(3), and 47(1)-(2) of the Act.

According to the statement, the list of affected organisations would be published in national newspapers on Monday, August 25, 2025.

“These organisations are required to, within 21 days of issuance, provide the following: evidence of filing NDP Act Compliance Audit Returns for 2024, evidence of designation or appointment of a Data Protection Officer, summary of technical and organisational measures for data protection within the organisation, and evidence of registration as a Data Controller or Processor of Major Importance,” the statement continued.

The commission warned that any organisation that failed to comply with the notice risked facing serious regulatory sanctions.

“Failure to comply with this Compliance Notice may result in enforcement actions, including the issuance of an Enforcement Order, administrative fines, and/or criminal prosecution in accordance with the NDP Act, 2023,” the statement added.

The NDPC stressed that its actions were designed not only to enforce compliance but also to protect Nigerians’ data rights.

It said the NDP Act was enacted to “safeguard the fundamental rights, freedoms, and interests of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999,” while also providing a legal framework to ensure Nigeria’s “trusted and beneficial participation in regional and global economies through responsible use of personal data.”

The Commission further reaffirmed its resolve to entrench accountability in the country’s data protection ecosystem.

“The NDPC remains committed to ensuring a culture of accountability and trust in Nigeria’s data protection and privacy ecosystem, while safeguarding the rights of data subjects and strengthening the nation’s digital economy,” the statement added.

The commission has so far demonstrated its readiness to enforce the law by slamming heavy penalties on erring organisations.

Multichoice Nigeria was fined N766.2m for what the commission described as patently intrusive, unfair, unnecessary and disproportionate data practices, including illegal cross-border transfers of subscriber information.

Fidelity Bank was also handed a fine of N555.8m, representing 0.1 per cent of its 2023 revenue, for processing personal data without informed consent. (Sunday PUNCH, excluding headline)