Your app started small, then real people started signing up — and now you are holding their names, emails, maybe their phone numbers or payment details. The honest question is: does Nigeria’s data-protection law apply to you, and do you have to register with the NDPC? This page is a plain-English self-check to help you understand the basics and know when to get proper help.
Education, not legal advice. Nothing here is legal advice, and reading it does not create any lawyer-client relationship. The law changes, regulators issue new guidance, and your exact situation matters. Use this to get oriented — then confirm your specifics with a qualified Nigerian lawyer or data-protection professional before you rely on any of it.
The terms sound heavy, but the idea is simple: if you hold people’s data, you owe them honesty and care. Here is the ground you are standing on.
What the law is
The Nigeria Data Protection Act (NDPA) 2023 is the country's main data-protection law. It is enforced by the Nigeria Data Protection Commission (the NDPC). If your app handles personal data of people in Nigeria, this law most likely applies to you — even if you are a one-person project.
What counts as personal data
Any information that can identify a living person: name, phone number, email, photo, location, BVN or NIN, account details, even an IP address tied to a user. If your sign-up form or database holds it, treat it as personal data.
What you become
If you decide why and how that data is collected, you are a data controller. If you only process it on someone else's instructions (say you built a tool another business uses), you may be a data processor. Both have duties, but controllers carry the most.
Why it matters early
Obligations do not wait until you are big. The moment real users give you real data, you are expected to protect it, be honest about how you use it, and let people exercise their rights. Building this in from day one is far cheaper than fixing it after a breach or a complaint.
What tends to trigger obligations
No single item in this list is a verdict; each one is a signal. The more of them describe you, the more seriously you should treat NDPA duties and possible registration.
You collect personal data from users in Nigeria — sign-ups, contact forms, payments, profiles.
You process data at a scale or sensitivity that the NDPA and NDPC treat as significant — for example large volumes of records, or sensitive data like health, financial, biometric (BVN, NIN, fingerprints), religious or similar categories.
Your processing is a core part of what you do, not just keeping a staff list — e.g. an app whose whole point is handling user accounts and their data.
You transfer personal data outside Nigeria — common the moment you use overseas cloud hosting, analytics, or email tools.
You target or monitor Nigerian users systematically — tracking behaviour, profiling, or marketing based on their data.
The self-check
Walk through these six questions honestly. They will not give you a legal answer, but they will tell you how exposed you are and what to fix before you ship more.
1. Are you collecting personal data at all?
List every place users hand you data: forms, logins, payments, support chats, cookies, analytics. If any of it can identify a person, the answer is yes — and the rest of this checklist is for you.
2. How much, and how sensitive?
A hobby site with three signups is very different from an app holding thousands of records or sensitive data (health, money, BVN/NIN, biometrics). The more you hold and the more sensitive it is, the more likely you cross thresholds that trigger registration and extra duties.
3. Do you have a privacy notice?
Users must be told, in plain language, what you collect, why, who you share it with, and how long you keep it. A simple, honest privacy policy page is the baseline — not legal theatre, but a real description of what you actually do.
4. Do you have a lawful basis and consent where needed?
You need a valid reason to process data — often the user's clear, freely given consent, or another lawful basis like performing a contract. Pre-ticked boxes and buried terms are not real consent. Make it specific and easy to refuse or withdraw.
5. Can you keep it safe and honour rights?
Can you secure the data (access control, encryption, no secrets in code), delete or export a user's data on request, and report a serious breach? People have rights to see, correct, and delete their data, and you are expected to be able to act on them.
6. Do you cross a registration threshold?
Beyond a certain scale or sensitivity, the NDPA expects data controllers and processors of significance to register with the NDPC and meet extra duties — which can include filing and, in some cases, appointing a data protection officer. Whether you cross that line depends on your specifics, so this is exactly where you stop guessing and confirm.
Sensible things to do right now
None of these is the same as legal compliance, but they are good practice and they make the real conversation with a lawyer shorter and cheaper.
Write a real, plain-language privacy notice that matches what your app actually does — and link it from your sign-up and footer.
Only collect what you genuinely need. Less data held means less risk and fewer obligations.
Get clear, specific consent where you rely on it — no pre-ticked boxes, and make it easy to withdraw.
Secure the data: access controls, encryption in transit, and never hard-code secrets or keys. See the secure-coding guide for how.
Keep a simple record of what you collect, why, where it is stored, and who you share it with. You will need it the day anyone asks.
Now talk to a Nigerian lawyer for your specifics. This self-check can tell you that you probably have obligations. It cannot tell you exactly which ones, whether you must register with the NDPC, or how to file. Those answers depend on your scale, the kind of data you hold, and current NDPC guidance. Before you rely on any decision here, speak to a qualified Nigerian lawyer or a registered data-protection professional about your actual situation. Treat this page as the prep that makes that conversation faster — not a substitute for it.