Nigeria Data Protection Act 2023 - Cloud Compliance Guide
The Nigeria Data Protection Act 2023 (NDPA) replaced the NDPR and established the Nigeria Data Protection Commission as the primary enforcement authority. For financial institutions, the CBN goes further with explicit requirements for in-country data storage. Cloud infrastructure for Nigerian enterprises must be designed with both frameworks in mind.
Regulation
Nigeria NDPA
Authority
Nigeria Data Protection Commission (NDPC)
In effect
June 2023
Who this regulation applies to
Banks, fintechs, telecoms, health organisations, government agencies, and any organisation processing personal data of Nigerian residents.
Enforced by: Nigeria Data Protection Commission (NDPC) and the Central Bank of Nigeria (CBN)
Key requirements - and how Gewape Cloud Infrastructure addresses them
What the Nigeria NDPA mandates, and the specific infrastructure controls Gewape Cloud Infrastructure provides in response.
Data localisation for critical national infrastructure
The NDPA and the CBN Regulation on IT Standards require that data related to critical national information infrastructure be stored within Nigeria. CBN-licensed institutions are required to maintain primary infrastructure within Nigeria for financial transaction data.
How Gewape Cloud addresses this
For Nigeria private cloud engagements, Gewape Cloud Infrastructure scopes dedicated in-country infrastructure and operating controls so personal data, regulated records, backups, logs, and support access rules can be contractually mapped to NDPA and CBN expectations.
Registration of data controllers of major importance
Under the NDPA, organisations that process personal data on a large scale are classified as Data Controllers of Major Importance (DCMI) and must register with the NDPC. This includes most banks, telecoms, and health platforms operating in Nigeria.
How Gewape Cloud addresses this
Gewape Cloud's Data Processing Agreement and security documentation support your DCMI registration submission. We provide evidence of technical and organisational measures as required by the NDPC.
Cross-border transfer restrictions
The NDPA restricts transfers of personal data outside Nigeria unless the recipient country has adequate data protection standards, or appropriate safeguards are in place. CBN additionally restricts Nigerian banking data from leaving the country.
How Gewape Cloud addresses this
Gewape Cloud Infrastructure treats Nigeria as a custom private cloud market. Residency boundaries, network routing, backup locations, support workflows, and permitted access paths are documented in the private cloud scope before deployment.
Security safeguards and breach notification
Data controllers must implement appropriate technical and organisational security safeguards. Breaches affecting personal data must be reported to the NDPC and, for financial institutions, to the CBN.
How Gewape Cloud addresses this
Gewape Cloud Infrastructure provides encryption at rest and in transit, access controls, audit logging, and 24/7 security monitoring. Our incident response procedures support your regulatory notification obligations to the NDPC and CBN.
Frequently asked questions
Ready to start your Nigeria NDPA compliance review?
Our team works with regulated enterprises through their cloud procurement and compliance process. We provide the documentation, contractual terms, and infrastructure evidence you need.