2025 is shaping up to be the most intense year for the Nigeria Data Protection Commission (NDPC). With an average of three loan shark–related data breaches reported daily, the NDPC is at the centre of Nigeria’s digital economy, enforcing a law designed not just to protect citizens’ privacy but also to stimulate growth, jobs, and investment.
Signed into law in June 2023, the Nigeria Data Protection Act is described as a “developmental law” by Vincent Olatunji, the NPDC Director General, who is tasked with enforcing it.
“It [the Act] will safeguard the rights of Nigerians, create jobs, empower the economy, improve global competitiveness, and reshape Nigeria’s reputation as a safe place for foreign investment,” he told in an interview on Tuesday.
However, such laws require time to take effect: The EU’s General Data Protection Regulation (GDPR) took two years before enforcement began. NDPC focused its first year on awareness and capacity building. This foundation has now given way to what Olatunji calls “the era of enforcement.”
In 2025, the Commission launched investigations into 1,369 organisations across the banking, insurance, pensions, and gaming sectors. Some cases have already led to fines, others to remediation, while minor breaches—such as privacy disputes in WhatsApp groups—have been resolved through mediation. The Commission also issued its largest fine yet: ₦766.2 million ($508,000) against MultiChoice, citing a lack of transparency in its privacy policies and non-compliance among its agents.
Loan sharks are the biggest problem
The sheer volume of loan shark cases has stood out for the agency. “On digital lending companies alone, or what we call loan sharks, we receive an average of three every day,” Olatunji said. “That’s almost 100 in a month.”
These complaints range from intrusive debt collection practices to unlawful sharing of personal data. For the NDPC, each case requires careful investigation, often beginning with a Pre-Action Conference (PAC), where organisations are presented with alleged breaches and given a chance to respond.
If companies show willingness to comply, the Commission imposes remediation fees and monitors them for six months. Only when firms resist correction does NDPC escalate to heavy fines. This measured approach, Olatunji argues, ensures fairness and encourages organisations to take compliance seriously rather than viewing fines as just another cost of doing business.
Beyond enforcement, NDPC is trying to fix systemic weaknesses in Nigeria’s data ecosystem. Capacity was an early bottleneck: when the law took effect on June 12, 2023, the country had fewer than 1,000 certified data protection officers. It currently has over 7,000 DPOs. The VPA uses case-based learning—sometimes in the form of dramatised scenarios—to help both professionals and ordinary Nigerians understand the meaning of consent, transparency, and responsible data use.
“This is the first of its kind globally,” Olatunji said proudly. “It is one of our innovative ways of promoting privacy.”
The results are beginning to show. From just 630 registered data processors at inception, Nigeria now has more than 36,000 registered data processing companies. Over 4,800 data controllers of major importance have filed annual audit reports. The compliance ecosystem has grown into a small industry of its own, with 275 licenced Data Protection and Compliance Organisations (DPCOs) employing tens of thousands.
By NDPC’s estimates, 23,000 people now work in the data privacy ecosystem, a sector that generated more than $1.5 million in revenue for the government through registrations and fines in 2024, according to Olatunji.
Consent violations remain widespread
Despite the progress made in two years, several challenges remain. Transparency is still weak: many companies misrepresent the type of data they collect or conceal how it is used. Consent is often ignored, from unmarked CCTV cameras to apps harvesting personal information without permission.
“These are the kinds of daily violations we are tackling,” Olatunji said. Even the financial sector, with its advanced digital infrastructure, has been found wanting in transparency and compliance.
Still, he believes the Commission has reached an important milestone. “People are more aware of their rights now as data subjects,” he said. “Controllers and processors are more aware of their obligations.” Internationally, Nigeria is emerging as a model. Regulators from six African countries—including South Africa, Tanzania, and Mozambique—are currently in Nigeria learning from NDPC’s experience in moving quickly from legislation to enforcement, according to Olatunji.
For Olatunji, success will be measured not just in fines or investigations but in trust. “Nigeria is now being seen as a country that is serious about digital business and where your rights will be protected because of the law we have in place and an independent data protection authority,” he said.
As data becomes the fuel of the digital economy, NDPC is betting that protecting Nigerians’ rights will also power growth. With daily breaches to contend with, the Commission’s work is far from done, but 2025 has already cemented its role as a cornerstone of Nigeria’s digital future.
Mark your calendars! Moonshot by returns to Lagos, Oct 15–16. Dr Vincent Olatunji will be at Moonshot. Meet him there and learn from Africa’s top founders, creatives & tech leaders for 2 days filled with keynotes, mixers, and future-forward ideas. Get your tickets now: moonshot..com
