Introduction
As organizations in Nigeria increasingly rely on third-party service providers for handling and processing personal data, regulatory expectations around accountability and due diligence have intensified. The Nigeria Data Protection Act (NDPA) 2023 and accompanying guidelines, such as the General Application and Implementation Directives (GAID) 2025, have placed data controllers under legal obligations not just for their internal practices, but also for the conduct of any third-party processor acting on their behalf. In particular, Schedule 7 of the GAID outlines the data processing fees applicable to these relationships and embeds due diligence within the compliance framework.
Legal Basis for Data Processing Fees
Section 6(b) of the NDPA empowers the Nigeria Data Protection Commission (NDPC) to prescribe fees payable by data controllers and processors in line with their data processing activities. For data controllers classified as Major Data Processor–Ultra High Level (MDP-UHL), the law mandates the payment of a Five Thousand Naira (N5,000) fee for each data processor engaged within 12 months. This provision establishes a financial framework that supports regulatory oversight and encourages organizations to take a more strategic and cautious approach in engaging third-party processors.
This fee structure brings a new dimension to third-party due diligence. It incentivizes data controllers to avoid indiscriminate engagement of processors and to instead prioritize vendors that demonstrate strong compliance capabilities and data protection standards. Due diligence, in this context, involves assessing the operational integrity, security posture, and legal compliance of each prospective processor. This shift also encourages better vendor consolidation and efficient processor management, aligning financial responsibility with data protection accountability.
The GAID recognizes operational dynamics in vendor relationships and introduces flexibility to avoid unnecessary financial burdens. If a data controller discontinues the services of one processor and assigns its responsibilities to another within the same 12-month period, no additional fee is required for the new processor. This prevents punitive costs when organizations must adjust their processor relationships due to performance issues, strategic changes, or unforeseen circumstances, especially in fast-paced industries like tech, finance, and telecommunications.
Fee Waivers for Renewals and Existing Registrations
Further reducing the compliance burden, Schedule 7 clarifies that if a data controller pays for the renewal of registration for a processor categorized as Other High-Level (OHL), it is exempted from paying a separate data processing fee for the same processor. This provision prevents double payments and underscores the need for accurate record-keeping. Controllers must be diligent in tracking renewal dates, fee payments, and processor classifications to ensure full compliance and avoid costly oversights.
Operationalizing Third-Party Oversight
Effective oversight involves a combination of legal agreements, technical assessments, and procedural controls. A robust Data Processing Agreement (DPA) must clearly define the scope, duration, and purpose of processing, as well as the processor’s responsibilities in the event of a breach or contract termination. Beyond contract terms, data controllers should implement continuous monitoring through internal audit mechanisms, compliance certifications (such as ISO/IEC 27001), and on-site inspections where necessary.
NDPC’s Oversight Role and Transparency Requirements
The processing fee mechanism not only supports regulatory operations but also gives the NDPC visibility into the ecosystem of third-party data processing. By tracking declared processor relationships, the Commission can identify sectors with high data processing activity, target enforcement actions, and manage systemic risks. Data controllers who fail to declare processors, or who underreport them, risk enforcement action, which highlights the importance of transparency in processor management.
Furthermore, organizations must integrate third-party due diligence into broader governance and procurement practices. This includes training staff involved in vendor onboarding, establishing internal checklists for processor assessments, and maintaining detailed records of due diligence activities. Cross-functional collaboration between procurement teams, legal departments, and data protection officers is essential to ensuring consistent compliance with NDPA requirements.
Risk Management and Record Keeping
Given the financial and reputational risks associated with non-compliance, data controllers must ensure meticulous documentation of all processor engagements. Records should reflect not only who the processors are and what services they provide, but also the rationale for selection, risk assessments conducted, and the status of fees paid. These records can serve as evidence of compliance during audits or investigations and also help organizations plan renewals and processor changes strategically.
Section 24 of the NDPA reinforces the overarching principle of accountability. Data controllers are expected to demonstrate compliance with the Act at all times, including through their choice and management of third-party processors. The processing fee requirement further internalizes this principle by imposing a tangible cost for each third-party engagement, thus encouraging deliberate and well-considered decisions.
Conclusion
The evolving data protection regime in Nigeria has placed significant emphasis on third-party due diligence as a cornerstone of responsible data governance. The data processing fees introduced through Schedule 7 of the GAID offer a structured, transparent, and equitable mechanism for tracking and regulating third-party relationships. These fees, when viewed alongside the broader obligations under the NDPA, underscore the need for data controllers to adopt a comprehensive and proactive approach to vendor management. By embedding third-party due diligence into organizational processes and aligning financial responsibility with compliance, entities can build resilient, trustworthy data ecosystems that comply with the law and foster stakeholder confidence.