NDPR & NDPA 2023 Compliance: A Practical Guide for Nigerian HR Professionals
How to operationalise Nigeria's data protection framework — from lawful bases and employee rights to annual audits, cross-border transfers, and choosing compliant HR software.
Nigeria is home to one of Africa's largest and most dynamic workforces. As organisations scale and digitise their HR operations, the personal data of employees is collected, stored, transferred, and processed at an unprecedented rate. That reality comes with a legal obligation: compliance with Nigeria's data protection framework. For HR professionals, understanding and operationalising this framework is no longer optional. It is a board-level risk and a day-to-day HR responsibility.
What the NDPR and NDPA 2023 Are — and Who They Apply To
Nigeria's data protection journey began with the Nigeria Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA) in January 2019. The NDPR established the first comprehensive data protection framework in Nigeria, modelled closely on the EU General Data Protection Regulation (GDPR).
In June 2023, the Nigeria Data Protection Act (NDPA 2023) was signed into law, elevating data protection to a statutory footing and creating the Nigeria Data Protection Commission (NDPC) as the independent supervisory authority. The NDPA supersedes the NDPR where they conflict but the NDPR remains a key operational reference for organisations that built compliance programmes before the Act commenced.
The framework applies to any organisation that processes the personal data of individuals located in Nigeria — regardless of whether the organisation itself is based in Nigeria. If your company employs Nigerian workers, engages Nigerian contractors, or processes data of Nigerian residents in any capacity, you are in scope. This includes multinationals, SMEs, NGOs, and government agencies.
The Six Lawful Bases for Processing Employee Data
Before your HR team collects a single data point, you must identify a lawful basis. The NDPA 2023 recognises six lawful bases for processing personal data:
- Consent — The data subject has given a freely given, specific, informed, and unambiguous indication of agreement. Note that consent is rarely the right basis for employment data because of the power imbalance between employer and employee.
- Contract performance — Processing is necessary to perform the employment contract or to take pre-contractual steps at the employee's request (e.g., payroll, benefits administration).
- Legal obligation — Processing is required to comply with a Nigerian law (e.g., pension contributions under the Pension Reform Act, tax deductions under PITA).
- Vital interests — Processing is necessary to protect life (relevant in medical or emergency scenarios).
- Public task — Processing is carried out in the public interest or in exercise of official authority.
- Legitimate interests — Processing is necessary for the legitimate interests of the organisation or a third party, provided those interests are not overridden by the rights of the data subject. This is the most commonly relied-upon basis for HR analytics, fraud prevention, and internal investigations.
What Employee Data You Can Legitimately Collect
The principle of data minimisation is central to the NDPA: collect only what you actually need. Typical legitimate HR data categories include:
- Identity data: full name, date of birth, NIN, passport or national ID
- Contact data: home address, phone number, personal email
- Employment data: job title, department, start date, salary, contract type
- Payroll and tax data: bank account details, PIT number, pension RSA PIN
- Performance data: appraisal records, disciplinary history, training completion
- Health data (special category): only where strictly necessary, e.g., for sick leave management or workplace adjustments — requires explicit consent or a specific legal basis
- Emergency contact information
- Right-to-work documentation
You should not collect data that is disproportionate to the employment relationship — for example, detailed social media profiles, personal financial history beyond what is needed for role vetting, or biometric data without a clear necessity and documented basis.
The Annual Compliance Audit Requirement
One of the most operationally demanding requirements under the NDPR (and carried forward in NDPC guidance) is the mandatory annual data protection audit. Organisations that process personal data of more than 1,000 data subjects in a 12-month period must file an annual data protection audit report with the NDPC. The audit must be conducted by a licensed Data Protection Compliance Organisation (DPCO) — a firm accredited by the NDPC.
The audit report covers your data inventory, processing activities, security measures, incident history, and compliance gaps. Failure to file is itself a regulatory violation and can trigger enforcement action independently of any data breach.
The Data Protection Officer Requirement
Organisations that carry out large-scale or systematic processing of personal data are required to designate a Data Protection Officer (DPO). For most employers of any meaningful scale, this threshold is met by routine HR processing alone. The DPO can be an internal employee or an external consultant, but must have demonstrable knowledge of data protection law and practice.
The DPO's role includes advising on compliance obligations, monitoring internal data protection practices, acting as the point of contact for the NDPC, and managing data subject requests. Critically, the DPO must report directly to senior management and must not be penalised for performing their duties.
Employee Rights Under the NDPA
Your employees are data subjects with enforceable rights. HR teams must have processes in place to honour these within the timeframes set by the NDPC (generally one month from receipt of a valid request):
- Right of access: Employees can request a copy of all personal data you hold about them, along with information about how it is processed.
- Right to rectification: Employees can request correction of inaccurate or incomplete data — for example, a misspelled name or a wrong bank account number.
- Right to erasure: Where data is no longer necessary, was processed unlawfully, or consent has been withdrawn, employees can request deletion. Statutory retention periods (e.g., payroll records under PAYE rules) override this right.
- Right to object: Employees can object to processing carried out on the basis of legitimate interests, including profiling.
- Right to restriction: Processing can be restricted while a dispute over accuracy or lawful basis is resolved.
- Right to data portability: Where processing is based on consent or contract and carried out by automated means, employees can request their data in a machine-readable format.
Cross-Border Data Transfer Rules
Many organisations transfer HR data outside Nigeria — to global HRIS platforms, payroll processors, or parent company systems. The NDPA imposes strict conditions on such transfers. Personal data may only leave Nigeria where:
- The receiving country has been designated as having an adequate level of data protection by the NDPC;
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs); or
- A specific derogation applies, such as explicit consent from the data subject or necessity for contract performance.
If your HR software vendor is based outside Nigeria, you must ensure a valid transfer mechanism is documented in your Data Processing Agreement (DPA) with that vendor.
Penalties for Non-Compliance: NITDA and NDPC Enforcement
Non-compliance carries real financial and reputational consequences. Under the NDPA 2023, the NDPC can impose administrative fines of up to 2% of annual gross revenue or 10 million naira, whichever is higher, for general violations. For more serious breaches, fines can reach 2% of global annual turnover. The NDPC can also issue compliance orders, require remediation, and publish enforcement notices — a reputational risk that HR leaders should take seriously when advising the C-suite.
How to Audit Your Current HR Data Practices
A practical HR data audit should cover the following steps:
- Map your data flows. Identify every category of personal data you collect, where it comes from, where it is stored, who has access, and whether it leaves Nigeria.
- Assess lawful bases. For each processing activity, confirm you have a documented, valid lawful basis under the NDPA.
- Review retention schedules. Ensure you are not holding data longer than necessary and that you have a process for secure deletion.
- Test your data subject request process. Can your HR team respond to an access request within one month? Do they know who to escalate to?
- Check your vendor contracts. Every third-party processor handling employee data must have a signed DPA in place.
- Review security controls. Encryption at rest and in transit, access controls, and incident response procedures should all be documented.
- Engage a licensed DPCO to validate your audit findings and file your annual report with the NDPC.
Choosing Compliant HR Software
Your choice of HR technology is a data protection decision. When evaluating platforms, HR professionals should ask vendors for:
- A signed Data Processing Agreement (DPA) that covers NDPA obligations
- Evidence of data residency options or transfer safeguards if servers are outside Nigeria
- Role-based access controls and audit logs
- Documented security certifications (ISO 27001 or SOC 2 Type II)
- A clear data deletion and portability process at contract termination
Platforms built with GDPR alignment — such as HR Onboarding — offer a strong foundation for NDPA compliance. HR Onboarding provides a Data Processing Agreement, role-based access controls, employee data export, and structured retention controls, giving Nigerian HR teams a compliant infrastructure to build on from day one.
Practical Compliance Checklist
Use this checklist to assess where your organisation stands today:
- Privacy notice provided to all employees at the point of data collection
- Record of Processing Activities (RoPA) documented and maintained
- Lawful basis identified and recorded for every HR processing activity
- Data Protection Officer designated and accessible to employees
- Annual data protection audit filed with the NDPC via a licensed DPCO
- Data Processing Agreements signed with all third-party HR vendors
- Cross-border transfer mechanisms documented for any overseas data flows
- Data subject request procedure in place with a tracked response workflow
- Data breach response plan tested and assigned to a named owner
- Employee data retention schedule defined and enforced by the HR system
- Special category data (health, biometrics) isolated with heightened controls
- Staff trained on data protection obligations annually
Data protection is not a one-time project. It is a continuous practice embedded in how your HR function operates every day. The NDPA gives employees meaningful rights and gives the NDPC real tools to enforce them. For Nigerian HR professionals, the question is no longer whether to comply — it is how quickly and how thoroughly you can get there.
HR Onboarding · Automate your onboarding process
Ready to try it yourself?
Set up your AI-powered onboarding bot in under 15 minutes. No credit card required.
Start free 14-day trial