Nigeria Democratises Data Privacy Breach Remediation Process: NDPC

The Nigeria Data Protection Commission (NDPC) announced on Thursday that it has fully democratised the process for addressing privacy breach remediation for data subjects.

The Nigeria Data Protection Commission (NDPC) has issued the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act GAID) to help every individual and organisation covered by the Nigeria Data Protection Act (NDP Act) understand the provisions of pic.twitter.com/JHhXKOgxBr

— NDPC Nigeria (@ndpcngr) March 20, 2025

Dr Vincent Olatunji (blue jacket), National Commissioner of NDPC with his management staff at the issuing of the Nigeria Data Protection Act-General Application and Implementation Directive

Dr. Vincent Olatunji, the National Commissioner, stated during a news conference in Abuja that this development will eliminate bureaucratic delays in achieving remediation.

He highlighted that the initiative is part of the commission’s broader efforts to uphold Section 37 of the 1999 Constitution, which guarantees the privacy rights of citizens.

The conference focused on the issuance of the Nigeria Data Protection Act-General Application and Implementation Directive (NDP ACT-GAID), which includes provisions for redress under the newly inaugurated framework.

Dr. Olatunji confirmed that the full implementation of the NDP Act will begin in September 2025, six months after the issuance of the directive, with fee-related provisions set to take effect in January 2026.

“In line with Federal Government’s policy on Enabling Business Environment, the full implementation of the NDP Act will commence in September 2025, that is after six months.

“All provisions relating to fees will commence in January 2026. Going forward, we shall be providing guidance notices and advisories to illustrate the requirements of law towards deepening the culture of data privacy and protection,” he explained.

He stressed that no organisation can claim ignorance of its legal obligations now that the directive has been issued.

He recalled that in September 2023, the commission had established a committee of technical experts to draft the framework, which addresses key areas such as data protection principles, lawful bases for data processing, rights of data subjects, compliance audits, cross-border data transfers, and training for data protection officers.

The directive also includes mechanisms for alternative dispute resolution and grievance redress.

To simplify the redress process for data subjects, the commission introduced the Standard Notice to Address Grievance (SNAG), an automated system enabling individuals to demand remedial action directly from data controllers and processors.

“We have fully democratised privacy breach remediation process for data subjects. We achieved this by introducing data subjects’ Standard Notice to Address Grievance (SNAG).

“SNAG empowers data subjects to use the instrumentality of the commission to demand remedial action from data controllers and processors without first writing to the commission.

“This process makes over 230 million Nigerians our immediate and direct partners in ensuring adequacy of data protection in Nigeria.

“Through automation, the SNAG will be accessible anywhere in all nooks and crannies of Nigeria and around the world,” Olatunji stated.

He reaffirmed the commission’s commitment to fostering accountability, economic growth, and public trust in Nigeria’s data protection ecosystem.

NAN