Compliance 9 min read 16 April 2026

HR Compliance Checklist for Nigerian Businesses: NDPA 2023 and Employment Law

Nigerian HR compliance has grown significantly more demanding since the NDPA 2023 came into force. This checklist covers what every Nigerian employer must have in place — from employment contracts to data protection obligations.

Running an HR function in Nigeria in 2026 means navigating a more complex compliance landscape than ever before. The Nigeria Data Protection Act 2023 (NDPA) introduced new obligations for how employee personal data must be collected, stored, and processed. Combined with the Labour Act and the Employee Compensation Act, Nigerian employers face a layered set of requirements that must all be addressed during onboarding.

This checklist is designed for HR professionals, business owners, and people operations teams in Nigeria who want to ensure they're meeting their legal obligations — without needing a law degree to understand them.

73% of Nigerian SMEs are not fully compliant with data protection obligations under the NDPA (NDPC Compliance Assessment Report, 2024).

1. Employment Contract Requirements (Labour Act)

Under the Nigerian Labour Act, every employee is entitled to a written statement of employment terms. This must be provided no later than three months after the commencement of employment — but best practice (and a requirement for professional organisations) is to issue it on or before day one.

  • Full legal name and address of employer and employee
  • Job title, description, and place of work
  • Date of commencement and nature of employment (permanent, fixed-term, contract)
  • Rate of remuneration and pay frequency
  • Hours of work and overtime terms
  • Holiday and leave entitlements
  • Notice period for termination by either party
  • Pension contribution arrangements (mandatory under the Pension Reform Act)
  • Probation period terms and conditions
  • Grievance and disciplinary procedure reference

2. Nigeria Data Protection Act 2023 — Onboarding Obligations

The NDPA 2023 replaced the Nigeria Data Protection Regulation (NDPR) and introduced significantly stronger requirements for how personal data is handled. During onboarding, employers collect substantial amounts of personal data — and every step must be NDPA-compliant.

Lawful basis for processing

Every piece of employee data must have a documented lawful basis. For most employment data, this is contractual necessity (processing required to fulfil the employment contract). For sensitive data (biometric, health, next-of-kin details), you must also document explicit consent or another NDPA-recognised basis.

Privacy notice

Before collecting any personal data, employees must be given a privacy notice explaining what data is collected, why, how long it will be retained, and their rights under the NDPA. This notice must be in plain language — not buried in a contract appendix.

  • What personal data is being collected
  • The purpose and lawful basis for each category of data
  • How long each category will be retained
  • Whether data will be shared with third parties or transferred outside Nigeria
  • The employee's rights: access, correction, deletion, portability, objection
  • How to contact the organisation's data protection officer or designated data protection contact

Data minimisation

Only collect data that is genuinely necessary for the employment relationship. Collecting NIN, BVN, home address, and emergency contacts is justified. Collecting marital status or religious affiliation without a clear employment reason is not — and creates NDPA exposure.

3. NDPC Registration

If your organisation processes personal data of more than 200 individuals in a six-month period — which includes all employees, job applicants, and customers — you are likely required to register with the Nigeria Data Protection Commission (NDPC) as a Data Controller or Data Processor.

  • Determine your classification: MDP-OHL (200+ data subjects, ₦10,000), MDP-EHL (1,000+, ₦100,000), or MDP-UHL (5,000+, ₦250,000)
  • Register at ndpc.gov.ng — late registration attracts penalties
  • Appoint a Data Protection Compliance Officer (DPCO) if required for your classification
  • Maintain a Record of Processing Activities (ROPA) documenting all HR data processing
  • Ensure any HR software or onboarding platforms you use have NDPA-compliant Data Processing Agreements (DPAs)

4. Pension Obligations (Pension Reform Act 2014)

  • Employers with 15 or more employees must participate in the Contributory Pension Scheme (CPS)
  • Employee contribution: minimum 8% of monthly emolument
  • Employer contribution: minimum 10% of monthly emolument
  • New employees must open a Retirement Savings Account (RSA) with a licensed PFA within 3 months of commencement
  • Pension deductions must commence from the first month of employment
  • Maintain records of all pension remittances for audit purposes

5. Employee Compensation Act 2010

All employers must register with the Nigeria Social Insurance Trust Fund (NSITF) and pay monthly contributions of 1% of total monthly payroll. This covers employees for workplace injuries, diseases, and death.

  • Register with NSITF before or immediately after your first hire
  • Remit 1% of total monthly payroll each month
  • Maintain a workplace health and safety policy
  • Report any workplace injury or incident within 7 days to NSITF

6. Document Retention Requirements

Nigerian employment law and the NDPA both impose requirements on how long employment records must be kept. A well-documented retention policy is essential — both for legal compliance and for the NDPC audits that are becoming increasingly common.

  • Employment contracts and amendments: duration of employment + 6 years
  • Payroll and tax records: 6 years (FIRS requirement)
  • Pension records: duration of employment + 6 years
  • Disciplinary and grievance records: 5 years after resolution
  • Personal data no longer needed for the employment purpose: delete within 30 days of request or termination
  • Data breach records: minimum 3 years

Building a Compliant Onboarding Process in Nigeria

For most Nigerian HR teams, the challenge is not a lack of knowledge about what they need to do; it is having a system that actually enforces it consistently across every hire. When onboarding is managed through email and WhatsApp messages, documents get lost, privacy notices get skipped, and pension registrations get delayed.

A structured onboarding platform that is NDPA-compliant by design — with built-in privacy notices, document tracking, retention policies, and audit trails — is the most reliable way to meet these obligations at scale.

Onboard compliantly in Nigeria with OnboardSwift

OnboardSwift is operated by TechCohort Africa Limited, registered with the NDPC as a Data Processor. Built for Nigerian HR compliance from day one.
