NDPC Data Breach Notification (Nigeria)
PERSONAL DATA BREACH NOTIFICATION
Nigeria Data Protection Commission (NDPC)
Nigeria Data Protection Act 2023 (NDPA 2023), Section 40
Date of Notification: [Notification Date]
SECTION 1: DATA CONTROLLER DETAILS
Data Controller: [Controller Name] (RC [CAC Number])
NDPC Registration Number: [NDPC Reg Number]
Registered Address: [Controller Address]
Data Protection Officer: [DPO Name]
DPO Email: [DPO Email]
DPO Phone: [DPO Phone]
SECTION 2: BREACH DETAILS
Date and Time Breach Discovered: [Breach Discovery Date]
Estimated Date Breach Occurred: [Breach Occurrence Date]
Type of Breach: [Breach Type]
2.1 Description of the Breach
[Breach Description]
2.2 Categories of Personal Data Affected
[Affected Data Categories]
Approximate Number of Data Subjects Affected: [Affected Subjects Count]
Approximate Number of Records Compromised: [Affected Records Count]
SECTION 3: CONSEQUENCES AND RISK ASSESSMENT
[Likely Consequences]
SECTION 4: REMEDIATION MEASURES
4.1 Containment Measures Taken
[Containment Measures]
4.2 Measures to Prevent Recurrence
[Prevention Measures]
SECTION 5: DATA SUBJECT NOTIFICATION
Status: [Subject Notification Status]
[Subject Notification Details]
5.1 Reason for Delayed Notification (if applicable)
[Notification Delay Reason]
DECLARATION
[Controller Name] hereby confirms that the information provided in this notification is accurate and complete to the best of its knowledge at the time of submission. [Controller Name] undertakes to submit a supplementary notification to the NDPC if material additional information becomes available as the investigation progresses.
This notification is submitted in compliance with Section 40 of the Nigeria Data Protection Act 2023 (NDPA 2023) and the NDPC Data Breach Management Guidelines.
Data Protection Officer
________________
Signature
Chief Executive Officer / Authorised Representative
________________
Signature
What Is an NDPC Data Breach Notification (Nigeria)?
An NDPC Data Breach Notification in Nigeria records a personal data breach, the data controller reporting it, and the particulars that give the notification legal effect.
The Nigeria Data Protection Act 2023 was enacted on 14 June 2023 and replaced the Nigeria Data Protection Regulation 2019 (NDPR 2019) as the primary personal data protection law in Nigeria. The NDPA 2023 established the Nigeria Data Protection Commission (NDPC) as an independent statutory body with powers to regulate personal data processing, investigate breaches, and impose administrative sanctions of up to 2% of annual gross revenue (or NGN 10 million, whichever is higher) for violations under Section 48 of the Act.
Under Section 40(1) of the NDPA 2023, a data controller must notify the NDPC of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where notification cannot be made within 72 hours, the reasons for delay must be provided with the notification. Section 40(2) requires that the notification contain: the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate number of personal data records affected; the name and contact details of the Data Protection Officer (DPO) or other contact point; the likely consequences of the breach; and the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Data controllers must also notify affected data subjects when the breach is likely to result in a high risk to their rights and freedoms, under Section 41 of the NDPA 2023. The subject notification must be communicated to affected individuals directly (by email, SMS, or letter) without undue delay.
The NDPC published its Data Breach Management Guidelines in 2024, providing operational guidance on breach classification (low, medium, high, critical), notification procedures, and post-breach remediation requirements for data controllers registered under the NDPA 2023.
The legal framework governing an NDPC Data Breach Notification in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing an NDPC Data Breach Notification in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need an NDPC Data Breach Notification (Nigeria)?
An NDPC Data Breach Notification in Nigeria is required whenever a personal data breach occurs that meets the notification threshold under Section 40 of the NDPA 2023.
An NDPC Data Breach Notification is needed when a company's database containing customer personal data (names, phone numbers, BVNs, NINs, account numbers, or medical records) is accessed by an unauthorised party — for example, through a cyberattack, ransomware incident, SQL injection, or data exfiltration by a malicious insider.
An NDPC Data Breach Notification is required when personal data is accidentally exposed — for example, by publishing a file containing personal data on a publicly accessible server, emailing personal data to the wrong recipient, or inadvertently disclosing customer data in a document shared with a third party.
An NDPC Data Breach Notification is needed when a data processor (such as a cloud service provider, payroll company, or outsourced IT service provider) suffers a breach involving the personal data of a Nigerian data controller's data subjects. Under Section 40(3) of the NDPA 2023, the processor must notify the data controller promptly upon discovering the breach, enabling the controller to fulfil its own 72-hour notification obligation.
An NDPC Data Breach Notification is required when physical documents containing personal data (such as printed customer records, employee files, or medical records) are lost, stolen, or destroyed without proper authorisation.
An NDPC Data Breach Notification is needed when a third-party payment processor, fintech partner, or API integration exposes personal data of Nigerian customers through a vulnerability in the shared technology infrastructure.
An NDPC Data Breach Notification is required even if the breach does not yet have confirmed adverse consequences — the 72-hour clock starts from when the data controller becomes aware, not from confirmation of actual harm.
Parties in Nigeria should prepare an NDPC Data Breach Notification proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your NDPC Data Breach Notification (Nigeria)
A valid NDPC Data Breach Notification under Section 40 of the NDPA 2023 must contain the following essential elements.
Data Controller Identity: Full legal name, CAC registration number, NDPC registration number (all data controllers processing personal data of more than 2,000 data subjects annually must register with the NDPC), registered address, and contact details of the Data Protection Officer (DPO) appointed under Section 34 of the NDPA 2023.
Nature of the Breach: A precise description of what happened — the type of security incident (hacking, accidental disclosure, insider breach, physical loss), how the breach occurred, the vulnerability or failure that enabled the breach, and the date and time the breach occurred and was discovered.
Categories of Personal Data Affected: Specification of the types of personal data involved — identifying information (name, NIN, BVN), contact data, financial data, health data, biometric data, or other sensitive categories under Section 30 of the NDPA 2023. Special categories of data (health, biometric, genetic) attract heightened reporting obligations.
Scope of Impact: The approximate number of data subjects affected and the approximate number of personal data records compromised. If the exact number is unknown at time of notification, the best available estimate must be provided with an undertaking to update the NDPC.
Likely Consequences: An assessment of the likely consequences of the breach for data subjects — including risks of identity theft, financial fraud, discrimination, damage to reputation, or physical harm — to enable the NDPC to assess notification priority.
Remediation Measures: A description of the measures already taken to contain the breach (e.g., isolating affected systems, resetting compromised credentials, engaging a cybersecurity incident response firm) and proposed measures to prevent recurrence.
Data Subject Notification: Whether affected data subjects have been or will be notified under Section 41 of the NDPA 2023, including the communication channels and timeline for subject notification.
Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). NDPC Data Breach Notification (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/ndpc-data-breach-notification-nigeria
Frequently Asked Questions
Under Section 40(1) of the Nigeria Data Protection Act 2023 (NDPA 2023), a data controller must notify the Nigeria Data Protection Commission (NDPC) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The 72-hour clock starts when the data controller becomes aware of the breach — not when the breach occurred. Where it is not possible to provide full information within 72 hours (for example, because the investigation is ongoing), the initial notification may be made with the information available at that time, and a supplementary notification containing the remaining information must be submitted as soon as it becomes available. The NDPC's Data Breach Management Guidelines (2024) provide that where notification is not made within 72 hours, the data controller must provide the NDPC with a written explanation of the reasons for the delay alongside the notification. Failure to notify the NDPC within the required timeframe is a violation of the NDPA 2023 and may result in administrative sanctions under Section 48 of the Act.
Failure to report a personal data breach to the Nigeria Data Protection Commission (NDPC) within 72 hours as required by Section 40 of the NDPA 2023 exposes the data controller to administrative sanctions under Section 48 of the Act. The NDPC may impose administrative fines of up to 2% of the data controller's annual gross revenue in the preceding financial year, or NGN 10 million, whichever is higher — for violations of data subject notification obligations. For more serious violations involving intentional or negligent breach of data security obligations under Section 38 of the NDPA 2023, fines may reach up to 2% of annual gross revenue. Repeat violations within 24 months may attract fines of up to 4% of annual gross revenue. In addition to financial sanctions, the NDPC may issue a public reprimand, order the cessation of data processing activities, or refer the matter to the Attorney-General of the Federation for criminal prosecution under the NDPA 2023. Directors and senior officers of the data controller may also be held personally liable in appropriate cases.
Yes. Under Section 41 of the Nigeria Data Protection Act 2023 (NDPA 2023), where a personal data breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, the data controller must communicate the breach to each affected data subject without undue delay. The communication must describe the nature of the breach, provide the name and contact details of the Data Protection Officer, describe the likely consequences of the breach, and describe the measures taken or proposed to address the breach. Data subject notification is not required where: (a) the data controller had implemented appropriate technical and organisational protection measures that render the data unintelligible (e.g., strong encryption); (b) the controller has taken subsequent measures to eliminate the high risk; or (c) individual notification would involve disproportionate effort — in which case a public communication may be used instead. The NDPC may require the data controller to notify affected data subjects even where the controller assessed the risk as low, if the NDPC forms a different view following investigation of the incident.
Under the Nigeria Data Protection Act 2023 (NDPA 2023), the data controller bears the primary obligation to report a personal data breach to the NDPC under Section 40. The data controller is the entity that determines the purposes and means of processing personal data — typically the company that collected the data from customers or employees. Where the breach occurs at a data processor (a service provider processing data on behalf of the controller — such as a cloud provider, payroll company, or third-party IT vendor), Section 40(3) of the NDPA 2023 requires the processor to notify the data controller of the breach without undue delay after becoming aware of it. The data controller then has the obligation to assess the breach and file the NDPC notification within 72 hours of the controller's own awareness. A data processor who fails to promptly notify the data controller of a breach may be in breach of the data processing agreement and liable to the controller for any resulting regulatory sanctions. Both controllers and processors must register with the NDPC if they process personal data of more than 2,000 data subjects per year.
Under Section 65 of the Nigeria Data Protection Act 2023 (NDPA 2023), a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Personal data breaches may be classified into three types: confidentiality breaches (unauthorised or accidental disclosure or access to personal data — e.g., hacking, emailing data to wrong recipient); integrity breaches (unauthorised or accidental alteration of personal data); and availability breaches (accidental or unauthorised loss of access to, or destruction of, personal data — e.g., ransomware attack encrypting data, accidental deletion without backup). Not every breach requires notification to the NDPC under Section 40 — only breaches that are likely to result in a risk to the rights and freedoms of natural persons. A breach affecting encrypted, anonymous, or pseudonymous data that cannot be attributed to an identified individual typically does not meet the notification threshold. The NDPC's Data Breach Management Guidelines (2024) provide a risk assessment framework for classifying breach severity.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.