The Nigerian Data Protection Bureau (NDPB) had earlier in October 2022 issued a directive mandating all organizations that process personal data in relation to health, security, property, finance, employment etc. to comply with the provisions of the Nigeria Data Protection Regulation. The directive as contained in a circular referenced VOL.1/NDPB.CN/1/22 mandated Organizations to comply with the requirements for inclusion on the whitelist on or before 25th November 2022.

The Federal Government has extended the deadline for data controllers and processors to comply with the requirements for inclusion in the whitelist from 25th November 2022 to 20thJanuary 2023 to enable adequate time for compliance. The National Commissioner of the NDPB, Dr. Vincent Olatunjiexplained that the need for data controllers and data processors to comply with the earlier notice on National Data Protection Adequacy Programme Whitelist resulted in the Federal Government approval of an extension of the deadline. The development was a fall out of the guideline on Personal Information Technology Devices Provision and usage in Ministries, Departments and Agencies issued by the Head of Civil Service of the Federation.

Organizations that are yet to comply with this directive are urged to comply within the deadline, for eligibility for inclusion on the Nigerian Data Protection Adequacy Programme Whitelist. The National Commissioner also disclosed that Data Controllers and Processors who submitted before the deadline of November 25, 2022, have been awarded full marks of 10 points under the Accountability Metrics and Responsiveness to Regulatory Processes and this represents 10% of the total number of scores to be awarded in order to be eligible for inclusion on the NaDPAP Whitelist.

Data controllers and processors will also be evaluated on other performance metrics including but not limited to Implementation of NDPR Compliant Privacy Policy; Sensitization of Data Subjects Rights; Filing of Annual Compliance Audit Returns and Availability of Globally Acceptable Information Security Certifications.

Asides from being excluded from the Nigerian Data Protection Adequacy Programme Whitelist, organizations who do not comply with the requirements under the NDPR, as already stated in our previous Newsletter, would be at risk of being penalized. For a Data Controller dealing with more than 10,000 data subjects, it would be required to pay a sum equivalent to 2% of annual gross revenue for the preceding year or payment of the sum of 10 million Naira (whichever is greater), and in the case of a Data Controller dealing with less than 10,000 data subjects, payment of the fine of 1% of the annual gross revenue for the preceding year or payment of the sum of 2 million Naira (whichever is higher).

 NaDPAP Extention of Deadline Newsletter

Who We Are

Stren and Blan Partners (formerly Bridgeforte Attorneys) is an innovative and dynamic law firm with a compelling blend of experienced lawyers and energetic talents. Our lawyers are available to assist your firm to comply with the requirements of the bureau within the stipulated timeframe. We operate from our Head Office in Lagos, with operational branches in Abuja and Enugu.

For more information about the firm and its practice areas, please visit You can also contact us via or call +234(0) 7025580053.