
Data Breach Notification in Nigeria: The NDPA Process

M.K. Onyekwere · 7 min read

A data breach is when personal data is accidentally or unlawfully accessed, disclosed, altered, lost, or destroyed. It doesn't just mean a hacker stole your database. A staff member emailing customer records to the wrong person is a breach. A lost laptop with unencrypted client data is a breach. An AI system exposing personal data in its outputs is a breach.

When it happens — and at some point, it will happen — you need to know what to do, who to tell, and how fast.

What the NDPA requires

The Nigeria Data Protection Act 2023 requires data controllers to notify the NDPC and affected individuals when a breach is likely to result in a risk to the rights and freedoms of data subjects.

The key elements:

Notification to NDPC. When a breach occurs that poses a risk to data subjects, you must notify the Nigeria Data Protection Commission. The notification should include:

  • The nature of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Notification to data subjects. If the breach is likely to result in a high risk to individuals, you must also notify the affected data subjects directly. This notification should:

  • Describe the breach in clear, plain language
  • Explain the likely consequences
  • Describe what you're doing about it
  • Provide contact details for further information
  • Advise on steps they can take to protect themselves

Documentation. Even if a breach doesn't require NDPC notification, you must document it internally — what happened, what data was affected, what you did about it. NDPC or your DPCO may ask to see this record.

Breach assessment: do I need to notify?

Not every breach requires NDPC notification. The test is whether the breach is "likely to result in a risk" to affected individuals.

Likely requires notification:

  • Customer financial data exposed (bank details, payment info)
  • Health or biometric data accessed by unauthorised parties
  • Login credentials leaked (email + password combinations)
  • Large-scale exposure of personal contact details
  • Data used for identity theft or fraud
  • Children's data involved
  • Data of vulnerable individuals compromised

May not require notification:

  • Encrypted data breached where the encryption key wasn't compromised
  • Internal access by an authorised employee who viewed data outside their role (minor, contained)
  • Access to data that is already publicly available

Always document, even if you don't notify. The assessment itself — why you decided notification wasn't required — needs to be recorded.

The first 72 hours

When you discover a breach, the clock starts. Here's what to do:

Hour 0-4: Contain and assess

  1. Stop the breach. If data is still leaking, close the vulnerability. Revoke access. Take the compromised system offline if necessary.
  2. Preserve evidence. Don't wipe logs or modify the breached system. You'll need the evidence for investigation and potentially for NDPC.
  3. Identify what data was affected. What categories of personal data? How many data subjects? How sensitive is the data?
  4. Alert your DPO. If you have a Data Protection Officer, they need to know immediately. They'll lead the assessment and notification process.

Hour 4-24: Full assessment

  1. Determine the cause. How did the breach happen? Was it a cyberattack, human error, system failure, or insider action?
  2. Assess the risk to data subjects. Based on the type of data and circumstances, what's the likely impact on affected individuals?
  3. Decide on NDPC notification. Based on the risk assessment, determine whether NDPC notification is required.
  4. Prepare notification content. If notifying, draft the NDPC notification and data subject communications.

Hour 24-72: Notify and remediate

  1. Submit NDPC notification. If required, notify NDPC with the information outlined above.
  2. Notify affected individuals. If high risk, inform data subjects directly with clear, actionable guidance.
  3. Implement remediation. Fix the vulnerability that caused the breach. Enhance controls to prevent recurrence.
  4. Brief leadership. Ensure the board and senior management understand what happened and what's being done.

If you also serve EU customers

If the breach affects EU data subjects' data, you have a separate GDPR notification obligation:

  • 72-hour notification to the relevant EU Data Protection Authority
  • "Without undue delay" notification to affected individuals if high risk
  • Separate assessment criteria and notification content

You may need to notify both NDPC and an EU DPA for the same breach. The assessments are separate — a breach that doesn't meet NDPA notification thresholds might still require GDPR notification, or vice versa.

Preparing before a breach happens

The worst time to figure out your breach notification process is during a breach. Prepare now:

1. Incident response plan

Document your breach response process:

  • Who is the first point of contact when a breach is discovered?
  • Who makes the notification decision? (Usually the DPO)
  • Who communicates with NDPC?
  • Who drafts and sends data subject notifications?
  • Who handles media enquiries?
  • What's the escalation path for different severity levels?

2. Breach register

Create a template for recording breaches. Include:

  • Date and time of discovery
  • Date and time of the breach itself (if different)
  • Description of what happened
  • Categories and volume of data affected
  • Risk assessment
  • Notification decision and reasoning
  • Actions taken
  • Lessons learned
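To make the assessment checklist, the 72-hour timeline and the breach register fields concrete, here is an added Python example; it is my own illustration and not the article's or NDPC's tooling. It encodes the "likely requires" and "may not require" factors as a triage function whose reasoning is kept for the register, the 0-4, 4-24 and 24-72 hour phases as deadlines measured from discovery, and the register fields as a record. The category names, the split between NDPC-only and NDPC-plus-subjects decisions, and the 1,000-subject cut-off for "large-scale" are this example's assumptions, and the scenarios are constructed.

```python
"""Breach triage helper built around the article's assessment checklist,
72-hour timeline and breach-register fields. Added example: the category
names, the NDPC-only vs NDPC-plus-subjects split and the numeric threshold
are this example's assumptions, not NDPC rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple
import json


class Decision(Enum):
    DOCUMENT_ONLY = "document internally; no notification required"
    NOTIFY_NDPC = "notify NDPC"
    NOTIFY_NDPC_AND_SUBJECTS = "notify NDPC and affected data subjects"


# Categories the article lists as likely to require notification. Assumed here
# to fall in the "high risk to individuals" tier, which also triggers direct
# notice to data subjects.
HIGH_RISK_CATEGORIES: Set[str] = {"financial", "health", "biometric", "credentials"}
# Assumed cut-off for "large-scale exposure of personal contact details".
LARGE_SCALE_THRESHOLD = 1000
# Phase boundaries from the article's "first 72 hours" timeline, in hours.
PHASES = (("contain_and_assess", 4), ("full_assessment", 24), ("notify_and_remediate", 72))


@dataclass
class Breach:
    description: str
    data_categories: Set[str]
    subjects_affected: int
    discovered_at: datetime
    occurred_at: Optional[datetime] = None
    encrypted: bool = False              # was the data encrypted at rest?
    key_compromised: bool = False        # ...and was the key also exposed?
    publicly_available: bool = False     # data was public before the breach
    children_or_vulnerable: bool = False
    misused_for_fraud: bool = False      # evidence the data is already being abused
    minor_internal_access: bool = False  # authorised staff, outside role, contained


def assess(b: Breach) -> Tuple[Decision, List[str]]:
    """Apply the checklist; returns the decision and the reasoning that the
    breach register must record whether or not you notify."""
    # Exceptions first: the encryption carve-out only holds while the key is safe.
    if b.encrypted and not b.key_compromised:
        return Decision.DOCUMENT_ONLY, ["data encrypted and key not compromised"]
    if b.publicly_available:
        return Decision.DOCUMENT_ONLY, ["data was already publicly available"]
    reasons: List[str] = []
    sensitive = sorted(b.data_categories & HIGH_RISK_CATEGORIES)
    if sensitive:
        reasons.append(f"sensitive categories exposed: {', '.join(sensitive)}")
    if b.children_or_vulnerable:
        reasons.append("children's or vulnerable individuals' data involved")
    if b.misused_for_fraud:
        reasons.append("data already used for identity theft or fraud")
    if reasons:
        return Decision.NOTIFY_NDPC_AND_SUBJECTS, reasons
    if "contact" in b.data_categories and b.subjects_affected >= LARGE_SCALE_THRESHOLD:
        return Decision.NOTIFY_NDPC, [
            f"large-scale contact-detail exposure ({b.subjects_affected} subjects)"]
    if b.minor_internal_access:
        return Decision.DOCUMENT_ONLY, ["minor, contained internal access"]
    return Decision.DOCUMENT_ONLY, ["no checklist factor matched; confirm with DPO"]


def phase_deadlines(discovered_at: datetime) -> Dict[str, datetime]:
    """The clock starts at discovery, not at the breach itself."""
    return {name: discovered_at + timedelta(hours=h) for name, h in PHASES}


def register_entry(b: Breach, actions: List[str], lessons: str = "") -> Dict:
    """Build a breach-register record with the fields the article lists."""
    decision, reasons = assess(b)
    return {
        "discovered_at": b.discovered_at.isoformat(),
        "occurred_at": (b.occurred_at or b.discovered_at).isoformat(),
        "description": b.description,
        "data_categories": sorted(b.data_categories),
        "subjects_affected": b.subjects_affected,
        "risk_assessment": reasons,
        "notification_decision": decision.value,
        "deadlines": {k: v.isoformat() for k, v in phase_deadlines(b.discovered_at).items()},
        "actions_taken": actions,
        "lessons_learned": lessons,
    }


# Constructed scenarios (not real incidents) drawn from the article's list.
T0 = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
LOST_LAPTOP = Breach("Unencrypted laptop with customer bank details stolen",
                     {"contact", "financial"}, 3200, T0, occurred_at=T0 - timedelta(days=2))
LOST_ENCRYPTED_LAPTOP = Breach("Full-disk-encrypted laptop lost, key held in escrow",
                               {"contact", "financial"}, 3200, T0, encrypted=True)
OPEN_BUCKET = Breach("Marketing mailing list bucket left public", {"contact"}, 5000, T0)
INSIDER_PEEK = Breach("Support agent viewed a colleague's HR record",
                      {"contact"}, 1, T0, minor_internal_access=True)

if __name__ == "__main__":
    entry = register_entry(LOST_LAPTOP, ["device remotely wiped", "police report filed"])
    print(json.dumps(entry, indent=2))
```

The point of keeping `reasons` alongside the decision is the article's "always document" rule: a DOCUMENT_ONLY outcome still produces a register entry that records why notification was judged unnecessary, which is what NDPC or a DPCO will ask to see.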

3. Notification templates

Pre-draft notification templates:

  • NDPC notification template (fill in the specifics when a breach occurs)
  • Data subject notification template (in clear, plain language — not legal jargon)
  • Internal escalation template

Having templates ready saves precious hours during an incident.

4. Contact information

Know who to contact:

  • NDPC breach notification channel
  • Your DPCO (for ongoing reporting)
  • Your DPO (if outsourced, ensure 24/7 reachability)
  • Legal counsel
  • IT/security team leads
  • Insurance provider (if you have cyber insurance)
  • Communications/PR team

5. Regular testing

Run tabletop exercises. Present a hypothetical breach scenario and walk through your response process. You'll find gaps before a real breach exposes them.

Common breach scenarios in Nigerian businesses

Phishing attack on staff email. An employee clicks a malicious link, giving an attacker access to their email account containing customer correspondence and attachments with personal data.

Unencrypted device lost or stolen. A laptop, phone, or USB drive containing customer records or employee data is lost or stolen without encryption.

Misconfigured cloud storage. A database or file storage bucket is left publicly accessible, exposing personal data to anyone with the URL.

Insider access. A current or former employee accesses personal data they're not authorised to see, or takes customer data when leaving the company.

API vulnerability. An API endpoint exposes personal data without proper authentication, allowing unauthorised access to customer records.

WhatsApp data leak. Customer conversation data is shared in a staff WhatsApp group, or a WhatsApp Business account is accessed by an unauthorised person.

For each scenario, the response is the same framework: contain, assess, decide on notification, remediate, document.

What NDPC expects

NDPC wants to see that your organisation:

  • Has a documented incident response process
  • Assesses breaches promptly
  • Notifies when required
  • Takes remediation action
  • Learns from incidents and improves controls

They don't expect zero breaches — that's unrealistic. They expect a mature, documented response when breaches occur. The organisations that get in trouble are the ones that didn't know they had a breach, took weeks to respond, or tried to cover it up.


Need help building your breach response framework? We design incident response plans, create notification templates, and provide on-demand breach response support. Talk to us.
