72 Hours, Starting From When? The NDPA Breach Clock Most Teams Misread

Michael K. Onyekwere · 10 min read

The pattern shows up in our search data and in client conversations the same way. Every fintech, every SaaS company processing Nigerian customer data, every multinational with a Nigerian arm asks the same question, in different phrasing.

"How long do we have to notify the NDPC after a breach?"

The short answer is on every compliance blog: 72 hours.

The long answer is where most teams get it wrong. The clock doesn't start when the breach happened. It doesn't start when your security team raised the ticket. It doesn't start when legal got the email. Where the clock actually starts changes everything about how you respond.

Need a process-overview view of NDPA breach notification? The shorter Q&A version covers the basics: assessment criteria, notification channels, common scenarios.

Need this built into your incident response process? A ₦500,000 NDPA Readiness Diagnostic covers your specific incident definitions, awareness pipeline, NDPC notification template, and pre-authorised filing rights. Written assessment in one week.

Why people search for both NDPR and NDPA

Search data shows roughly half of breach-notification queries still use "NDPR", the older regulation, even though the law that actually governs is now the NDPA 2023.

Quick history. The Nigeria Data Protection Regulation 2019 (NDPR) was issued by NITDA. It set the early framework. The Nigeria Data Protection Act 2023 (NDPA) replaced it as the primary instrument and established the Nigeria Data Protection Commission (NDPC) as the regulator with formal enforcement power.

The breach notification rule under both was similar in shape: within 72 hours of becoming aware. The NDPA codifies it into statute. Specifically, Section 40(2) of the NDPA 2023 sets the rule:

"A data controller shall, within 72 hours of becoming aware of a breach which is likely to result in a risk to the rights and freedoms of individuals, notify the Commission of the breach..."

So when you're answering "what do I have to do?", you're answering against NDPA Section 40 in 2026. The older NDPR-era guidance still tracks.

Enforcement is real. In July 2025, the NDPC fined Multichoice Nigeria ₦766,242,500 under the NDPA for unauthorised processing of personal data and unlawful cross-border transfers. The investigation, which had begun in 2024, found Multichoice's data processing was "patently intrusive, unfair, unnecessary and disproportionate." This is the largest publicly reported NDPA-era enforcement to date and the clearest signal of NDPC posture.

When the 72-hour clock actually starts

The part most teams misread.

The clock starts when you (the controller) become aware of the breach. Not when the breach happened. Not when your processor told you. The trigger is awareness. The moment someone with authority to act knew or reasonably should have known.

Three real scenarios that show why this matters:

Scenario 1: Your processor discovers the breach. Your CRM vendor has a breach on April 1st. They notify you on April 5th (under their own NDPA Section 40(1) obligation). Your DPO sees the email on April 6th.

The clock starts on April 6th, when the controller's organisation became aware.

Scenario 2: A staff member spots it. A junior support agent sees an email exposed in a customer's account dashboard on May 10th. They mention it to their manager on May 12th. The DPO finds out on May 13th.

The clock arguably started May 10th, at the point a reasonably trained employee should have escalated. Document why if you argue otherwise.

Scenario 3: You discover the breach happened months ago. On July 1st you find that customer records have been accessible publicly since March. The breach started in March; you became aware on July 1st.

The clock starts on July 1st. You then have 72 hours from that moment. The fact that you're reporting a breach that started months earlier is a separate issue, and a worse one. The NDPC will ask what your monitoring missed.

The pattern: awareness, not occurrence. Build awareness mechanisms that surface incidents fast, because every day before awareness is a day you're not reporting. It's also a day where the regulator will ask "why didn't you know?"
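An added illustration, not code from the article or its toolkit: a small Python model of the awareness rule above, fed the three scenarios as constructed incident timelines. The `Event` fields, the "controller"/"processor" labels and the `should_have_escalated` flag are assumptions made for the example; the 72-hour window is the Section 40(2) figure from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOTIFY_WINDOW = timedelta(hours=72)  # NDPA s.40(2): 72 hours from becoming aware


@dataclass
class Event:
    when: datetime
    party: str                  # "controller" or "processor" (assumed labels)
    note: str
    authority: bool = False     # someone with authority to act (e.g. the DPO) knew
    should_have_escalated: bool = False  # a reasonably trained employee should have raised it


def awareness_moment(timeline):
    """Earliest controller-side moment at which someone with authority knew, or a
    reasonably trained employee should have escalated. The occurrence itself and a
    processor's own discovery do not start the clock (the article's reading of s.40(2))."""
    hits = [e.when for e in timeline
            if e.party == "controller" and (e.authority or e.should_have_escalated)]
    return min(hits) if hits else None


def filing_status(occurred, timeline, filed_at=None):
    """Deadline from awareness, whether a filing was on time, and the occurrence-to-
    awareness lag in days (the 'what did your monitoring miss?' number)."""
    aware = awareness_moment(timeline)
    if aware is None:
        return {"aware": None, "deadline": None, "on_time": None, "lag_days": None}
    due = aware + NOTIFY_WINDOW
    return {"aware": aware, "deadline": due,
            "on_time": None if filed_at is None else filed_at <= due,
            "lag_days": (aware - occurred).days}


def d(month, day, hour=9):
    return datetime(2026, month, day, hour)  # constructed timestamps for the scenarios


# Constructed timelines for the three scenarios in the text: (occurred, events).
SCENARIO_1 = (d(4, 1), [Event(d(4, 5), "processor", "CRM vendor notifies us"),
                        Event(d(4, 6), "controller", "DPO reads the email", authority=True)])
SCENARIO_2 = (d(5, 10), [Event(d(5, 10), "controller", "agent sees exposed email",
                               should_have_escalated=True),
                         Event(d(5, 12), "controller", "manager told"),
                         Event(d(5, 13), "controller", "DPO informed", authority=True)])
SCENARIO_3 = (d(3, 1), [Event(d(7, 1), "controller", "public exposure found", authority=True)])
```

Running `filing_status(*SCENARIO_3)` gives a 122-day lag alongside the July deadline, which is the number to have an answer for before the NDPC asks.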

What counts as a breach

Wider than most teams assume.

The NDPA captures any security incident causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In practice, this means:

  • A hacker accessing your customer database. Obviously.
  • A staff member emailing customer records to the wrong person. Yes.
  • A laptop with unencrypted customer data left in an Uber. Yes.
  • An AI system inadvertently surfacing one user's data in another user's session. Yes.
  • A backup tape lost in transit. Yes.
  • An admin panel exposed to the public internet for any window of time. Yes.

If personal data was exposed beyond what should have been accessible, it's a breach. The threshold is low. Whether you're then required to notify the NDPC turns on the Section 40(2) test: "likely to result in a risk to the rights and freedoms of individuals."

What the 72-hour notification actually contains

The NDPC expects a structured set of information. If you can't provide all of it within 72 hours, send what you have and update later. Section 40 does not penalise partial reporting; it penalises silence.

The minimum:

  • Nature of the breach. What happened, in plain language.
  • Categories of data affected. Names? Email addresses? Bank details? Health data? Categories matter because special category data escalates the response under NDPA Section 30.
  • Approximate number of data subjects affected. "About 4,500 customers" is fine if you don't have an exact count yet.
  • Approximate number of records affected. Different from data subjects. One customer can have many records.
  • Likely consequences. What could happen to affected individuals.
  • Measures taken or proposed. What you've done to contain the breach and what you're doing next.
  • Your DPO's contact details. Or, if you don't have a DPO, the contact person handling the response.

This isn't a form to fill in. It's a structured notification, usually as an email or formal letter to the NDPC. Confirm the receiving channel at time of filing. The NDPC's reporting mechanisms have evolved as the regulator scales up.

If your DPO is external (DPO-as-a-Service), make sure your service agreement covers breach response and that the DPO has standing to file on your behalf. I see this go wrong often: the breach happens, the DPO is reachable, but the company's procurement system slows everything down. Pre-arranged authority matters more than people think.

When you also have to notify the data subjects directly

Section 40(3) requires direct notification to data subjects when the breach is "likely to result in a high risk to the rights and freedoms" of individuals.

What "high risk" looks like:

  • Financial fraud potential (bank details, payment information)
  • Identity theft potential (name + ID number, name + biometric data)
  • Discrimination potential (health data, sexual orientation, political opinions, special category data under Section 30)
  • Physical safety risk (location data of vulnerable individuals)
  • Children's data (heightened obligation always)

If any of these apply, the affected individuals need to be told. Clearly. In plain language. Customer-facing notifications that bury the impact behind corporate hedging tend to do worse on regulator review than direct, factual emails. Match the tone of a clear public service notice, not a marketing email.
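Added example, not part of the article or its template: a decision-support routine that applies the low "exposed beyond what should have been accessible" threshold from the section above and then the high-risk indicators just listed, to separate "is this a breach", "does the NDPC get notified" and "do data subjects get told". The category labels and the mapping are assumptions made for illustration, not the statutory test; anything without a high-risk indicator is handed back for a documented Section 40(2) assessment rather than decided by the code.

```python
from dataclasses import dataclass

# Hypothetical mapping of the article's "high risk" indicators to data-category
# labels. Decision-support defaults only, not the statutory s.40(2)/40(3) test.
FINANCIAL = {"bank_details", "payment_card"}
IDENTIFIERS = {"id_number", "biometric"}            # identity theft when paired with a name
SPECIAL_CATEGORY = {"health", "sexual_orientation", "political_opinion"}  # s.30


@dataclass
class Incident:
    data_categories: set                   # e.g. {"name", "email"}
    exposed_beyond_intended: bool = True   # the article's low threshold for "breach"
    vulnerable_subjects: bool = False      # location data of vulnerable individuals
    children: bool = False


def assess(inc):
    """Return the breach determination and which notifications it triggers.
    ndpc: 'required' when a high-risk indicator is present (high risk implies risk),
    otherwise 'assess' so a human applies the s.40(2) risk test and documents it."""
    if not inc.exposed_beyond_intended or not inc.data_categories:
        return {"breach": False, "ndpc": "none", "subjects": False, "reasons": []}
    cats = inc.data_categories
    reasons = []
    if cats & FINANCIAL:
        reasons.append("financial fraud potential")
    if "name" in cats and cats & IDENTIFIERS:
        reasons.append("identity theft potential")
    if cats & SPECIAL_CATEGORY:
        reasons.append("discrimination potential (s.30 special category data)")
    if "location" in cats and inc.vulnerable_subjects:
        reasons.append("physical safety risk")
    if inc.children:
        reasons.append("children's data (heightened obligation)")
    high = bool(reasons)
    return {"breach": True, "ndpc": "required" if high else "assess",
            "subjects": high, "reasons": reasons}
```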

What happens when you miss the 72-hour deadline

Failure to notify within 72 hours is a separate breach of the NDPA. The NDPC has discretion on enforcement, but missing the deadline weakens every other position you'll take.

Two patterns I see go wrong:

"We were still investigating." Regulators don't accept this. Section 40 explicitly contemplates partial reporting. File what you know within 72 hours, update as you learn more.

"We didn't recognise it as a notifiable breach." This raises a worse question: what other breaches are you currently not recognising? Investigation tends to expand from there.

The Multichoice fine is the public marker for current enforcement appetite. Smaller fines are also being issued, though many remain unpublished. The pattern across what's public: the size of the fine reflects severity of the breach and quality of the response, not just severity alone.

Get the structure right before you need it

The teams that handle breach notification well aren't the ones with the best lawyers. They're the ones who built the response process before they needed it.

What that looks like in practice:

  • An incident definition. What counts as a notifiable breach for your business. Specific. Named scenarios.
  • An awareness pipeline. How incidents get from "someone noticed something" to the DPO inside 24 hours.
  • A pre-drafted NDPC notification template. Fillable in minutes, not hours.
  • A response team list. Who does what. Containment lead. Communications lead. Legal review. DPO sign-off.
  • A pre-authorised filer. Somebody with the authority to send the NDPC notification without escalating to the CEO. (CEO escalations cost hours you don't have.)
  • A documented escalation path for affected individuals. When you need to notify them, who does it and how.

I've published the NDPA breach response template in the open-source toolkit. It includes the timeline, the assessment framework, NDPC and data-subject notification templates, and the patterns I've seen go wrong in real responses. CC BY licensed, attribution required, fork it as you need.

If you also serve EU customers

If the breach affects EU data subjects' data, you have a separate GDPR notification obligation under Article 33: 72 hours to the relevant EU Data Protection Authority, and "without undue delay" notification to affected individuals if high risk. The assessments are separate. A breach that doesn't meet NDPA notification thresholds might still require GDPR notification, or vice versa. Document both decisions.

The article on NDPA vs GDPR key differences for Nigerian businesses covers the dual-compliance angle in more depth.

What NDPC expects from your response

NDPC doesn't expect zero breaches; that's unrealistic. They expect a mature, documented response when breaches occur:

  • A documented incident response process
  • Prompt assessment of breaches
  • Notification when required
  • Remediation action
  • Learning from incidents and improved controls

The organisations that get into trouble are the ones that didn't know they had a breach, took weeks to respond, or tried to cover it up. The Multichoice case is instructive: the investigation began in 2024 and the fine was published in July 2025. The size reflects severity of the underlying processing, but also the quality of the response.

Closing

If you're a Nigerian fintech, a Nigerian SaaS company, or any business processing Nigerian residents' data, this is a structural problem to solve before you need to solve it. The 72-hour clock costs an afternoon of preparation now. It costs days and millions of Naira when something is burning and the documentation isn't ready.

The open-source breach response template is a starting point. The NDPA Readiness Diagnostic is the next step if you want the structure built into your specific incident response process. Written assessment in one week, ₦500,000, deducted from any full programme that follows.


Michael K. Onyekwere is a CIPP/E certified data protection professional and the founder of Janus Compliance. Writes Compliance Engineering, the weekly newsletter on practical AI compliance for engineers and founders. For NDPA-specific work, see the Nigeria fintech compliance programme (₦3,500,000) or start with the NDPA Readiness Diagnostic (₦500,000).

Frequently Asked Questions

When does the 72-hour NDPA breach notification clock actually start?

The Section 40(2) clock starts when the controller becomes aware of the breach, not when the breach happened. Awareness means the moment someone with authority to act knew or reasonably should have known. If a processor (e.g. CRM vendor, hosting provider) discovered the breach first, your clock starts when their notification reaches someone in your organisation with authority to act, not when they hit send. Document the moment of awareness in your incident log.

What does NDPA Section 40(2) actually require in the notification?

The minimum content: nature of the breach (plain language), categories of data subjects affected, approximate number of data subjects affected, categories of personal data records affected, approximate number of records (different from data subjects), likely consequences for affected individuals, measures taken or proposed (containment, mitigation, prevention), and DPO contact details. If you cannot provide all of this within 72 hours, send what you have and update the NDPC as you learn more. Section 40(2) does not penalise partial reporting; it penalises silence.

When do I have to notify the data subjects directly under NDPA?

Section 40(3) requires direct notification to data subjects when the breach is likely to result in a high risk to their rights and freedoms. High risk typically means financial fraud potential (bank details, payment information), identity theft potential (name plus ID number, name plus biometric data), discrimination potential (health data, sexual orientation, special category data under Section 30), physical safety risk (location data of vulnerable individuals), or children's data. The notification must be communicated immediately and in plain language.

What's the difference between NDPR and NDPA?

The Nigeria Data Protection Regulation 2019 (NDPR) was issued by NITDA and set the early framework. The Nigeria Data Protection Act 2023 (NDPA) replaced it as the primary instrument and established the Nigeria Data Protection Commission (NDPC) as the regulator with formal enforcement power. The breach notification rule under both was similar in shape (within 72 hours of becoming aware), but the NDPA codifies it into statute. In 2026, the operative answer to breach notification questions is NDPA Section 40.

What happens if I miss the 72-hour deadline?

Failure to notify within 72 hours is a separate breach of the NDPA. The NDPC has discretion on enforcement, but missing the deadline weakens every other position you'll take. The two patterns regulators reject: 'we were still investigating' (Section 40 explicitly contemplates partial reporting) and 'we didn't recognise it as notifiable' (which raises the worse question of what other breaches you're not recognising). The Multichoice ₦766,242,500 fine from July 2025 sets the public marker for current NDPC enforcement appetite.

Start with an NDPA Readiness Diagnostic

If you need NDPA compliance advice or a compliant AI build, the first step is a written diagnostic. You get a real assessment, not a vague intro call.