ASIRI

NDPA 2023, translated for product teams.

Skip the legalese. Practical chapters, real examples, and the citations your DPO will recognise.

What's inside

Seven chapters every Nigerian privacy program needs.

NDPA §2–§3
01
Scope & definitions

Who the NDPA 2023 applies to, what counts as personal data, and the controller/processor split — in plain English.

NDPA §24
02
Principles of processing

The seven principles every Nigerian data controller must satisfy, with worked examples from fintech and health.

NDPA §25–§27
03
Lawful bases

When you can rely on consent vs legitimate interest, contract, vital interest, public interest, or legal obligation.

NDPA §28–§38
04
Data subject rights

Access, rectification, erasure, portability, objection — and the 30-day clock you must answer them on.

NDPA §40
05
Breach notification

When the 72-hour clock starts, what to file with the NDPC, and what to tell affected subjects.

NDPA §41–§43
06
Cross-border transfers

Adequacy decisions, SCCs, and the supplementary measures you need for non-adequate jurisdictions.

NDPA §44–§45
07
DPIAs & accountability

When a DPIA is mandatory, when prior consultation is needed, and how to evidence the rest of §44.

Use the guide

How teams ship from this PDF.

  1. Share with engineering — they need it more than you think.
  2. Map your processing activities against chapters 03 and 07 first.
  3. Run the chapter 04 checklist against your DSR portal today.
  4. Schedule a quarterly re-read; the NDPC’s guidance evolves quickly.

Chapter index

Read the practical NDPA chapters.

01

Scope and definitions under the NDPA

Understand who the NDPA applies to, what counts as personal data, and how controllers, processors, and DPCMIs fit together.

02

NDPA processing principles

Translate fairness, transparency, purpose limitation, minimisation, accuracy, storage limitation, security, and accountability into working controls.

03

Lawful bases under the NDPA

Choose and document the legal basis for each processing purpose before consent, policy, retention, and DSR workflows drift apart.

04

Consent and privacy notices

Build clear consent, cookie, and notice workflows with versioning, withdrawal, and proof for each data subject.

05

Data subject rights and DSR operations

Run access, erasure, rectification, objection, portability, and consent withdrawal requests with identity checks and evidence.

06

DPIAs and high-risk processing

Know when to run a DPIA, what to assess, who must review it, and how to keep mitigations connected to owners.

07

Breach notification and incident evidence

Prepare a 72-hour breach workflow with severity scoring, NDPC-ready reports, affected-subject communication, and post-incident review.

08

Cross-border transfers and processors

Track processors, sub-processors, countries, transfer mechanisms, SCCs, adequacy decisions, and supplementary measures.

09

Audit evidence and compliance returns

Prepare regulator, DPCO, board, and buyer evidence without rebuilding the program from folders and spreadsheets.

10

Trust Centers and buyer assurance

Turn NDPA readiness, global framework status, controls, incidents, documents, and sub-processors into buyer-facing trust.
