By Kayode Lawrence-Omole
Introduction: A New Era of Accountability
In 2025, data breaches are not just embarrassing; they are legally dangerous. With the Nigeria Data Protection Act (NDPA) now firmly in force, companies of all sizes face real consequences for failing to secure personal data. Breaches are on the rise, from fintech firms exposing customer records to public agencies leaking sensitive citizen information. The NDPA, enforced by the Nigeria Data Protection Commission (NDPC), does not just demand better data security; it demands transparency. Organisations must report breaches promptly, face investigations, and risk hefty fines or reputational damage.
This article explores how the NDPA changes the game for data breach enforcement in 2025. It unpacks the real risks businesses face, where enforcement is likely to bite hardest, and how companies can prepare before regulators come knocking.
Anatomy of a Breach in 2025: What the NDPA Sees
A data breach is not just a hacker in a hoodie; it is any event where personal data is lost, stolen, leaked, or exposed to the wrong people. In 2025, Nigerian businesses face new realities: cloud misconfigurations, phishing attacks, insider leaks, and even careless WhatsApp forwarding can trigger NDPA obligations.
Under the NDPA, a ‘personal data breach’ is defined broadly. It includes accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.[1] A fintech app accidentally publishing users’ BVNs online, a hospital database being hacked and patient records stolen, and an employee emailing customer data to the wrong recipient are all examples of personal data breaches.
What happens next? The NDPA sees a clear breach lifecycle:
- Detection – Spotting the breach quickly is critical. Delays worsen liability.
- Containment – Stopping the leak, shutting down affected systems, and preventing further damage.
- Notification – Informing the Nigeria Data Protection Commission (NDPC) and, in some cases, the affected individuals, usually within set timeframes.[2]
Failing at any of these stages can mean penalties, audits, and reputational damage. Understanding this lifecycle is the first step to staying compliant and avoiding enforcement action.
Enforcement: The Sharp Edge of the NDPA
The NDPA is not just a rulebook; it has real teeth. The NDPC is ramping up enforcement to make sure companies respect data rights and handle breaches responsibly. Under the NDPA, organisations must notify the NDPC about qualifying breaches, often within 72 hours. Failure to report, delay, or concealment can lead to significant fines and regulatory scrutiny.
The NDPC has a range of enforcement powers to protect data subjects’ rights:
- Investigations and Audits: The NDPC can conduct routine or targeted audits to assess compliance, especially in high-risk sectors. It can also investigate specific complaints from data subjects about breaches of their rights.
- Administrative Fines: The Act empowers the Commission to impose hefty administrative fines for breaches of the law, including failure to notify or inadequate security measures.
- Corrective Orders: NDPC can order organisations to fix their practices, like improving security, halting unlawful processing, or updating privacy policies.
- Public Naming and Shaming: It can publish the names of non-compliant organisations, causing reputational damage that can hurt customer trust and investor confidence.
- Suspension or Banning of Processing: For severe violations, the Commission can suspend or ban certain data processing activities altogether.
Beyond breaches, NDPC enforcement also targets other data rights under the NDPA, including the right to be informed about data use, the right of access to one’s personal data, the right to rectification and erasure, and the right to object to processing. When organisations ignore these rights, they risk the same enforcement measures.
Already, there are signs of stricter oversight. NDPC has issued the NDPA General Application and Implementation Directive (“GAID”),[3] held industry workshops, and warned sectors with high volumes of sensitive data, like fintech, health, education, and telecoms, that they will face closer scrutiny.[4] All these indicate that enforcement is no longer theoretical. Organisations that treat data rights and breach management as afterthoughts risk heavy penalties and the public loss of trust.
Who’s at Risk? A Sectoral Risk Map
Not all businesses face equal scrutiny under the NDPA. The NDPC primarily targets sectors with the highest volumes of personal data, the greatest sensitivity of information, and track records of poor security.
High-Risk Industries include:
- Fintech and Financial Services
Fintechs process enormous amounts of personal and financial data, from BVNs to account histories and KYC documents. The sector’s rapid growth often outpaces security investment, leading to misconfigured APIs, poor vendor security, and phishing attacks on customers. NDPC views financial data breaches as particularly damaging due to fraud risks.
- Healthtech, Hospitals, and Clinics
Medical data is highly sensitive, covering patient histories, diagnoses, and payment details. Breaches can lead to blackmail, discrimination, or serious reputational harm to patients. Many health providers lack robust digital security, making them soft targets.
- Telecom and ICT Providers
Telcos manage huge volumes of subscriber data: call records, SIM registration info, and location data. Even partial leaks can allow profiling or surveillance of customers. NDPC has signalled special interest in telecom providers’ data protection frameworks.
- Education and Edtech
Schools and edtech firms often process children’s data, triggering stricter legal obligations under the NDPA. Many lack clear parental consent processes or adequate safeguards for minors’ information.
- Public Sector and Government Agencies
Governments hold massive datasets on citizens: NIN, voter records, tax IDs, and social benefits. Past breaches have shown that even state agencies can struggle with security budgets and compliance culture. The NDPC has authority to investigate and sanction public sector entities, despite their unique status.
Strategic Blind Spots: Where Companies Slip
Even well-meaning organisations can fall foul of the NDPA if they do not pay attention to common blind spots. Regulators are watching for systematic gaps that show a company is not taking data protection seriously.
Here are some of the biggest pitfalls companies face:
- Underreporting or Late Reporting of Breaches
Many organisations fear reputational damage and try to “quietly” fix breaches without telling the NDPC. But the NDPA requires qualifying breaches to be reported, usually within 72 hours. Failing to notify does not just increase fines; it destroys trust when breaches inevitably come to light.
- No Data Protection Officer (DPO) or Poorly Defined Roles
NDPA expects many organisations to appoint a DPO to oversee compliance. Some businesses skip this, or appoint someone without proper training. Without clear mandates, data protection efforts are fragmented and ineffective.
- Inadequate Breach Response Plans
Many companies do not have clear procedures for identifying, containing, and reporting breaches. In a crisis, they waste critical hours figuring out who does what. Regulators penalise this kind of unpreparedness harshly.
- Weak Vendor Management
Outsourcing data processing does not outsource responsibility. Companies often fail to audit vendors or include strong data protection terms in contracts. Breaches by vendors still land on the controller’s desk for enforcement.
- Poor Employee Awareness and Training
Employees are the first line of defence, but often the weakest link. Social engineering, phishing, and human error remain the top causes of breaches. Regulators expect companies to prove they trained staff on data protection and breach response.
Preparing for the Knock: Building Breach-Resilient Compliance
The NDPA makes it clear that companies must prepare for breaches before they happen, and prove it when the regulator comes knocking. Building a breach-resilient compliance culture means moving beyond checklists to embed security and accountability across the organisation. Here is how:
- Develop and Test a Breach Response Plan
Have a clear, written plan for identifying, containing, assessing, and reporting breaches. Define roles and responsibilities, including how to notify the NDPC and affected individuals. Run simulations to ensure everyone knows what to do when time is critical.
- Appoint a Competent Data Protection Officer (DPO)
The NDPA expects organisations of a certain size or risk level to appoint a DPO.[5] The DPO should understand the law, oversee training, manage audits, and be the point of contact with the NDPC.
- Strengthen Technical and Organisational Security
Encrypt sensitive data, enforce strong access controls, and regularly upgrade systems. Monitor systems for suspicious activity and invest in reliable incident detection tools. Remember: the NDPC will ask what security measures you had in place before a breach.
- Maintain Detailed Documentation
Keep updated records of processing activities. Document breach investigations, decisions on whether to notify, and communications with the NDPC. Good records are your first line of defence in an audit.
- Train Staff Regularly
Employees are often the weakest link in breach prevention. Regular training on phishing, data handling, and breach reporting requirements is essential. Make sure staff know how to spot and escalate a breach quickly.
- Audit Vendors and Contracts
Investigate processors to confirm they are compliant with data protection laws. Include strong data protection clauses in contracts, with clear breach notification timelines. Review vendors’ practices periodically, especially if they process sensitive or large volumes of data.
Conclusion: The Cost of Silence in the Age of Data Breach Transparency
Data breaches are no longer rare shocks; they are an everyday business risk. The NDPA now ensures that ignoring, concealing, or mishandling data breaches carries real consequences. The NDPC is making it clear: organisations must take responsibility for the data they hold, respect data subject rights, and be transparent when things go wrong. Enforcement is no longer theoretical. Fines, audits, public naming, and even litigation are on the table for those who fail to comply. In the end, the real cost of silence, or inaction, is paid in reputational damage, lost business, and regulatory penalties. 2025 is the year to act, not hide. Because in the age of data breach transparency, those who prepare will weather the storm. Those who do not will face the full force of the law.
Contact: Kayode Lawrence-Omole Risk and Compliance Expert
Email: olukayode.lawrence-omole@dentons.com
Tel: +2348077771670
[1] Section 65, NDPA 2023
[2] Section 40, NDPA 2023
[3] Which is to take effect from September 19, 2025
[4] https://tribuneonlineng.com/ndpc-warns-banks-others-against-data-breaches/#:~:text=The%20NDPC’s%20warning%20targets%20sectors,patient%20records%20and%20comply%20with
[5] Section 32, NDPA 2023