The NDPC just sent a default notice. Now what?
A 21-day playbook for responding to NDPC default notices — triage, evidence, remediation and a clean written reply.
The 21-day clock starts the day the notice arrives.
Under the Nigeria Data Protection Act 2023, the NDPC may issue a default notice when it believes a data controller or processor has failed to comply with the Act. The notice sets out the alleged contravention and the remediation expected — and it gives you a fixed statutory window, typically 21 days, to reply in writing with evidence.
Treat the clock as immovable. Late or incomplete responses materially raise the risk of an enforcement order, an administrative fine, or a public reprimand on the NDPC’s register. Most teams that miss the window did not need extra time — they simply did not start on day one.
What to do, day by day.
- Day 0–1: Acknowledge and triage
  Log the notice in the audit trail the moment it arrives. Identify the controller, the alleged breach of NDPA 2023, and the specific remediation the NDPC is demanding. Spin up an incident channel and assign a single accountable owner.
- Day 2–5: Establish the facts
  Pull RoPA records, audit-log evidence, consent ledger snapshots and any DPIA or breach reports relevant to the allegation. Interview the engineering and operations leads who own the affected processing activity. Preserve evidence to a separate retention bucket.
- Day 6–14: Remediate where possible
  If the allegation is well-founded — even partially — start fixing it now rather than at the end of the window. Update controls, retire stale data, push policy changes through your audit log, and document every step with timestamps and approvals.
- Day 15–20: Draft the response
  Prepare a written reply that addresses each item in the notice point-by-point: facts, applicable lawful basis, remediation already taken, and any disagreement with the NDPC’s reading of the law. Attach evidence as numbered exhibits.
- Day 21: File before the deadline
  File the response with the NDPC through the official channel before the 21-day clock expires. Keep a delivery receipt. Confirm internal stakeholders (board, legal, DPO, affected business unit) have copies.
Six things to confirm before you file.
- Identify the data controller, processor and DPO of record.
- Map the allegation to NDPA 2023 sections and the relevant principle.
- Snapshot the audit log, consent ledger and RoPA at the time of the notice.
- Confirm whether the issue is closed, ongoing or recurring before replying.
- Have outside counsel review the response if penalties or fines are likely.
- Track the matter to closure — the NDPC may follow up with a compliance order.