NDPC Data Protection Compliance for Nigerian Crypto Companies

What is the NDPA 2023?

The Nigerian Data Protection Act 2023 (NDPA) is Nigeria's comprehensive data protection law, replacing the earlier NDPR 2019. It establishes a legal framework for the collection, processing, storage, and transfer of personal data in Nigeria.

The NDPA is enforced by the Nigeria Data Protection Commission (NDPC).

Every crypto and blockchain business that processes personal data of Nigerian individuals must comply — regardless of whether the company is incorporated in Nigeria.

What Counts as "Personal Data" for Crypto Companies?

For blockchain and crypto businesses, personal data typically includes:

Full names, email addresses, phone numbers

BVN, NIN, passport numbers, driver's licence numbers

Wallet addresses (where linked to an identified individual)

Transaction history (where linked to an identified individual)

Face photos and biometric data from KYC processes

IP addresses and device identifiers

Bank account numbers

Your Legal Obligations Under NDPA 2023

1. Register with NDPC

All organisations that process personal data of Nigerians must register with the Nigeria Data Protection Commission. This is mandatory and must be renewed annually.

Registration requires:

Filing a data protection compliance audit

Paying the applicable registration fee

Appointing a Data Protection Officer (DPO) if you are a large-scale processor

2. Have a Legal Basis for Every Processing Activity

You cannot collect or use personal data without a valid legal basis. For crypto companies, the relevant legal bases are:

Contract performance — collecting KYC data to comply with NFIU requirements is necessary for the service contract

Legal obligation — AML/CFT compliance is a legal requirement

Legitimate interests — fraud prevention and security monitoring

Consent — marketing communications require explicit opt-in consent

3. Provide a Privacy Notice

Before collecting any personal data, you must provide users with a clear privacy notice explaining:

What data you collect

Why you collect it

How long you keep it

Who you share it with

How to exercise their rights

This is typically your Privacy Policy, which must be easily accessible and written in plain language.

4. Implement Data Subject Rights

Under NDPA 2023, your users have the right to:

Access — receive a copy of all their personal data

Correction — have inaccurate data corrected

Deletion — have their data deleted (subject to legal retention obligations)

Portability — receive data in a machine-readable format

Objection — object to processing based on legitimate interests

Restriction — restrict processing in certain circumstances

You must be able to respond to these requests within 30 days.

5. Conduct Data Protection Impact Assessments (DPIA)

A DPIA is mandatory before starting any processing activity that is likely to result in a high risk to individuals, including:

Processing biometric data (face verification, fingerprints)

Large-scale processing of sensitive personal data

Automated decision-making that significantly affects individuals

Systematic monitoring of individuals

6. Report Data Breaches

If you experience a data breach that affects personal data, you must:

Notify the NDPC within 72 hours of becoming aware

Notify affected individuals without undue delay if there is a high risk to them

Document all data breaches, even those not reported to NDPC

7. Cross-Border Data Transfers

If you transfer personal data outside Nigeria (e.g., to cloud services or AI providers based abroad), you must ensure adequate protections are in place. This requires either:

An adequacy decision by the NDPC for the destination country

Standard contractual clauses (data processing agreements) with the receiving party

Penalties for Non-Compliance

Non-compliance with NDPA 2023 can result in:

Administrative fines of up to 2% of annual gross revenue or ₦10 million, whichever is higher

Criminal sanctions for deliberate or negligent breaches

NDPC enforcement notices requiring immediate corrective action

Publication of enforcement actions (reputational damage)

Practical Steps for Crypto Companies

Immediate actions (do these now):

1.Write and publish your Privacy Policy on your website

2.Review your KYC data collection to ensure it has a legal basis

3.Implement an easy process for users to request data deletion

Within 3 months:

1.Register with NDPC

2.Appoint a Data Protection Officer if required

3.Conduct a data mapping exercise (document what data you hold, where, and why)

4.Sign Data Processing Agreements with your technology vendors

Ongoing:

1.Annual NDPC compliance audit

2.Staff training on data protection

3.Regular review of privacy notices when your data practices change

RegBridge Can Generate Your Privacy Compliance Documents

RegBridge AI can generate your Privacy Policy, Data Protection Impact Assessment template, Data Subject Rights Procedure, and Data Processing Agreement framework tailored to Nigerian crypto businesses.

Generate your data protection documents →

What is the NDPA 2023?

The NDPA is enforced by the Nigeria Data Protection Commission (NDPC).

Every crypto and blockchain business that processes personal data of Nigerian individuals must comply — regardless of whether the company is incorporated in Nigeria.

What Counts as "Personal Data" for Crypto Companies?

For blockchain and crypto businesses, personal data typically includes:

Full names, email addresses, phone numbers

BVN, NIN, passport numbers, driver's licence numbers

Wallet addresses (where linked to an identified individual)

Transaction history (where linked to an identified individual)

Face photos and biometric data from KYC processes

IP addresses and device identifiers

Bank account numbers

Your Legal Obligations Under NDPA 2023

1. Register with NDPC

All organisations that process personal data of Nigerians must register with the Nigeria Data Protection Commission. This is mandatory and must be renewed annually.

Registration requires:

Filing a data protection compliance audit

Paying the applicable registration fee

Appointing a Data Protection Officer (DPO) if you are a large-scale processor

2. Have a Legal Basis for Every Processing Activity

You cannot collect or use personal data without a valid legal basis. For crypto companies, the relevant legal bases are:

Contract performance — collecting KYC data to comply with NFIU requirements is necessary for the service contract

Legal obligation — AML/CFT compliance is a legal requirement

Legitimate interests — fraud prevention and security monitoring

Consent — marketing communications require explicit opt-in consent

3. Provide a Privacy Notice

Before collecting any personal data, you must provide users with a clear privacy notice explaining:

What data you collect

Why you collect it

How long you keep it

Who you share it with

How to exercise their rights

This is typically your Privacy Policy, which must be easily accessible and written in plain language.

4. Implement Data Subject Rights

Under NDPA 2023, your users have the right to:

Access — receive a copy of all their personal data

Correction — have inaccurate data corrected

Deletion — have their data deleted (subject to legal retention obligations)

Portability — receive data in a machine-readable format

Objection — object to processing based on legitimate interests

Restriction — restrict processing in certain circumstances

You must be able to respond to these requests within 30 days.

5. Conduct Data Protection Impact Assessments (DPIA)

A DPIA is mandatory before starting any processing activity that is likely to result in a high risk to individuals, including:

Processing biometric data (face verification, fingerprints)

Large-scale processing of sensitive personal data

Automated decision-making that significantly affects individuals

Systematic monitoring of individuals

6. Report Data Breaches

If you experience a data breach that affects personal data, you must:

Notify the NDPC within 72 hours of becoming aware

Notify affected individuals without undue delay if there is a high risk to them

Document all data breaches, even those not reported to NDPC

7. Cross-Border Data Transfers

If you transfer personal data outside Nigeria (e.g., to cloud services or AI providers based abroad), you must ensure adequate protections are in place. This requires either:

An adequacy decision by the NDPC for the destination country

Standard contractual clauses (data processing agreements) with the receiving party

Penalties for Non-Compliance

Non-compliance with NDPA 2023 can result in:

Administrative fines of up to 2% of annual gross revenue or ₦10 million, whichever is higher

Criminal sanctions for deliberate or negligent breaches

NDPC enforcement notices requiring immediate corrective action

Publication of enforcement actions (reputational damage)

Practical Steps for Crypto Companies

Immediate actions (do these now):

1.Write and publish your Privacy Policy on your website

2.Review your KYC data collection to ensure it has a legal basis

3.Implement an easy process for users to request data deletion

Within 3 months:

1.Register with NDPC

2.Appoint a Data Protection Officer if required

3.Conduct a data mapping exercise (document what data you hold, where, and why)

4.Sign Data Processing Agreements with your technology vendors

Ongoing:

1.Annual NDPC compliance audit

2.Staff training on data protection

3.Regular review of privacy notices when your data practices change

RegBridge Can Generate Your Privacy Compliance Documents

Generate your data protection documents →

NDPC Data Protection Compliance for Nigerian Crypto Companies

What is the NDPA 2023?

What Counts as "Personal Data" for Crypto Companies?

Your Legal Obligations Under NDPA 2023

1. Register with NDPC

2. Have a Legal Basis for Every Processing Activity

3. Provide a Privacy Notice

4. Implement Data Subject Rights

5. Conduct Data Protection Impact Assessments (DPIA)

6. Report Data Breaches

7. Cross-Border Data Transfers

Penalties for Non-Compliance

Practical Steps for Crypto Companies

RegBridge Can Generate Your Privacy Compliance Documents

Ready to get compliant?

More compliance guides

NDPC Data Protection Compliance for Nigerian Crypto Companies

What is the NDPA 2023?

What Counts as "Personal Data" for Crypto Companies?

Your Legal Obligations Under NDPA 2023

1. Register with NDPC

2. Have a Legal Basis for Every Processing Activity

3. Provide a Privacy Notice

4. Implement Data Subject Rights

5. Conduct Data Protection Impact Assessments (DPIA)

6. Report Data Breaches

7. Cross-Border Data Transfers

Penalties for Non-Compliance

Practical Steps for Crypto Companies

RegBridge Can Generate Your Privacy Compliance Documents

Ready to get compliant?

More compliance guides