Reporting a data breach to the NDPC in 72 hours: a clear, fact-based explanation for organisations in Nigeria — with osFoundry as the example and dgm as an independent partner.

dgm is an independent integration partner for osFoundry — it is not affiliated with the maker of osFoundry (OS LLC) and has not yet completed any integration project for a client.

osFoundry is a model-agnostic AI orchestration platform built on the bring-your-own-key (BYOK) principle: usage-based pricing with no per-user fee, local-first operation, and the option to self-host, with a choice of data region (the United States, the European Union or Japan) or running it in your own private cloud.

Reporting a breach

Where a personal-data breach occurs, the Nigeria Data Protection Act 2023 requires you to notify the NDPC within 72 hours of becoming aware of it; affected individuals must be told where the breach is likely to result in a high risk to their rights. Prepare an incident-response process in advance, with clear roles and an incident register, so you can meet the deadline.

The NDPA frame

Personal data you process is governed by the Nigeria Data Protection Act (NDPA) 2023, enforced by the Nigeria Data Protection Commission (NDPC) — not by the EU’s GDPR, though the NDPA is broadly similar in spirit. The Act requires a lawful basis for processing, data minimisation, transparency towards data subjects, respect for their rights (including a right not to be subject to a decision based solely on automated processing), and a data-protection impact assessment where processing is high-risk. A personal-data breach must be reported to the NDPC within 72 hours of becoming aware of it. The General Application and Implementation Directive (GAID) 2025 sets registration duties for data controllers and processors of major importance. The NDPA does not impose a general data-localisation rule, but a cross-border transfer needs a lawful basis under Part VIII of the Act.

Worth remembering

This article is general information and not legal, financial or tax advice. Incentives, tax rates and regulations change; always confirm the current position with an official source — the NDPC, NITDA, the Federal Inland Revenue Service (becoming the Nigeria Revenue Service), the Central Bank of Nigeria, the Securities and Exchange Commission, NAICOM, the Nigerian Investment Promotion Commission or the relevant authority — or a qualified adviser before acting.

Where osFoundry fits in

osFoundry is a model-agnostic platform, priced by usage, that your teams can use to put the ideas in this article into practice — building assistants, agents and applications on your own data. dgm helps you independently take the first step.

Where dgm fits in

dgm is an independent integration partner that helps organisations in Nigeria adopt the osFoundry platform — from identifying the first practical use case, to configuration, to connecting AI to the systems you already run. dgm works separately from the maker of osFoundry (OS LLC) and has not yet completed an integration project for any client, so everything described above is a proposed service, not a delivered result. If you would like to weigh a practical first step, dgm is glad to look at it with you. Book an introductory call with dgm.