TL;DR. The Nigeria Data Protection Act 2023 (and its predecessor framework NDPR) gives individuals statutory rights over their personal data, requires every regulated organisation to appoint a Data Protection Officer, and imposes a 72-hour breach notification deadline to NDPC following discovery of a personal-data breach.
The regulation in brief
The NDPA 2023 enumerates data-subject rights at §§34–38 — access, rectification, erasure, restriction of processing, objection, and data portability. §40 imposes the 72-hour breach-notification deadline to the Commission. §32 requires appointment of a Data Protection Officer, and §44 requires data controllers and processors of major importance to register with the NDPC. Documentation of third-party processors flows from the Act's data-processor obligations and the GAID. (As of 19 September 2025 the NDPR 2019 ceased to operate as a standalone instrument; data protection is now governed by the NDPA 2023 read together with its General Application and Implementation Directive — the GAID.)
For a Nigerian financial institution, the regulatory exposure is wider than most other sectors because almost every customer interaction generates personal data, and a breach involving customer financial records draws scrutiny from both NDPC and the CBN.
How FinovaMax handles it
- NDPA §§34–38 data-subject rights workflows. When a customer files a subject-access, restriction, or objection request, the platform routes it through a dedicated workflow with SLA tracking and DPO sign-off. The customer's full data inventory is assembled programmatically from across the platform's 540+ data entities.
- NDPA §40 breach incident registry with the 72-hour clock. The moment an incident is logged, the platform starts a deadline timer for NDPC notification. The clock is visible to the DPO and surfaces as a critical alert as the deadline approaches.
- NDPA §32 / §44 DPO & registration records. The platform stores the appointed DPO's details, the institution's NDPC registration, appointment date, and current status as a structured record — not in a separate spreadsheet.
- Sub-processor registry (NDPA data-processor obligations / GAID). Every third-party processor (KYC verifier, payment gateway, credit bureau, etc.) is tracked with the data category it processes, the contractual basis, and the renewal date.
- PII log sanitiser. BVN, NIN, PAN, JWTs, and other sensitive identifiers are masked automatically in every log line the platform produces, preventing accidental disclosure through log files.
- NDPA-aligned biometric purge. Biometric capture for KYC purposes is purged from the device after submission, in line with the NDPA's data-minimisation principles.
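As an added illustration of the log-sanitiser item above (example code written for this page, not FinovaMax's own implementation): a Python `logging` filter that masks the identifiers named there before a record is formatted. It assumes BVN and NIN are 11-digit numbers, a PAN is 13 to 19 digits (optionally space- or dash-separated) that passes the Luhn check, and a JWT is three base64url segments whose header starts with `eyJ`; the sample log lines are constructed.

```python
import logging
import re

# Assumed formats (example, not the platform's rules): BVN and NIN are 11-digit
# numbers; a PAN is 13-19 digits, optionally space/dash separated, passing Luhn;
# a JWT is three base64url segments whose header segment starts with "eyJ".
JWT_RE = re.compile(r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
ELEVEN_DIGIT_RE = re.compile(r"\b\d{11}\b")  # also hits 11-digit phone numbers: the safe side

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that 16-digit reference ids are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)  # digit run that is not a card number: leave untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]  # PCI-style first 6 / last 4

def sanitise(line: str) -> str:
    """Mask JWTs first (they contain digit runs), then PANs, then BVN/NIN."""
    line = JWT_RE.sub("[JWT REDACTED]", line)
    line = PAN_RE.sub(_mask_pan, line)
    return ELEVEN_DIGIT_RE.sub(lambda m: "*" * 7 + m.group(0)[-4:], line)

class PiiFilter(logging.Filter):
    """Attach to a handler so every record is sanitised before it is formatted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitise(record.getMessage())
        record.args = None  # message is already fully rendered; nothing left to interpolate
        return True

# Constructed sample log lines (no real customer data).
SAMPLE_LINES = [
    "KYC submit bvn=12345678901 nin=98765432109 status=ok",
    "Card tokenised pan=4111 1111 1111 1111 merchant=M-77",
    "Auth header: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyLTEifQ.abc123DEF456xyz",
    "Ref 1234567890123456 is an internal reference id, not a card",
]
```

Register the filter on each handler (`handler.addFilter(PiiFilter())`) rather than on a logger: a logger-level filter only sees records logged directly on that logger, while a handler-level filter sees every record the handler emits, including those propagated from child loggers.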
Practical implication for your institution
The DPO does not have to reinvent the data-subject-rights process every time a customer files a request; the platform's workflow handles it. The 72-hour breach clock does not depend on someone remembering to set a calendar reminder; the platform enforces it. NDPC examinations have an evidence trail to draw on.
Talk to us about your institution
We'll walk through your specific exposure under this regulation and how the platform responds.
Apex Grid Technologies Ltd · RC 9108833 · Lagos & Abuja, Nigeria