Navigating the NDPA 2023: Implications for Digital Tax Administration in Nigeria

The introduction of automated digital tax systems in Nigeria marks a major shift in how government determines tax eligibility and collection. Powered by technology, these systems decide who pays tax and how much, using large volumes of personal and financial data. While this approach promises efficiency and improved revenue generation, it also raises serious concerns around privacy, cybersecurity and economic stability under the Nigeria Data Protection Act 2023.

The NDPA 2023 establishes clear rules for how personal data must be collected, processed and protected. It also strengthens the oversight role of the Nigeria Data Protection Commission and places higher responsibility on organisations that process sensitive data at scale. Digital tax administration platforms now fall squarely within this high risk category.

Automated tax systems rely on identity data, income records, bank details, transaction histories and business information. This concentration of sensitive data makes tax platforms attractive targets for cybercriminals. Once compromised, taxpayer data can be used for identity theft, fraud, blackmail and social engineering attacks. Beyond individual harm, such breaches can damage public trust in government systems and weaken tax compliance.

There is also a strong economic implication. Businesses today depend heavily on digital platforms to operate. A cyber incident affecting tax systems can disrupt business activities, delay filings, slow revenue collection and discourage local and foreign investment. In a digital economy, cybersecurity failures in critical national systems quickly translate into economic risk.

The concern is not theoretical. Nigeria has previously experienced the hacking of a government revenue organisation, and years later the full impact of that breach remains unclear. That incident serves as a reminder that revenue systems are prime cyber targets and that basic or paper based compliance is not enough.

Under the NDPA, compliance goes beyond policies and documentation. Organisations involved in digital tax administration, including government agencies, licensed tax operators and technology vendors, must implement practical technical and organisational measures. These include encryption, strict access controls, secure system architecture, continuous monitoring and regular security testing. Without these controls in place, compliance exists only on paper.

Another key issue is automated decision making. Where algorithms are used to determine tax obligations, organisations must ensure transparency and fairness. Taxpayers should understand how decisions are made and have access to clear channels for review or correction. Automated systems must be accountable, explainable and subject to oversight.

Technology stakeholders also need to invest in capacity building. Many breaches occur not because attackers are sophisticated, but because systems are poorly configured or staff are not properly trained. Regular training for technical teams, Data Protection Officers and operational staff is essential to reduce human error and improve response readiness.

Cybersecurity professionals emphasise the need for continuous testing. Systems should be assumed vulnerable until proven otherwise. Vulnerability assessments, penetration testing and independent audits must be routine, not occasional. There is no assurance of security until a system is tested, and the only proof of security is in the testing.

According to Benedict Ugwuja, Lead Consultant at Cybergon Limited, digital tax platforms now hold some of the most sensitive data in the country. He notes that without rigorous security testing, real time monitoring and strong accountability, these systems risk becoming national liabilities rather than assets. He adds that cybersecurity is now the backbone of the economy and that protecting taxpayer data is both a privacy obligation and a national security responsibility.

As Nigeria continues to modernise its revenue systems, the NDPA 2023 provides a strong legal foundation. However, law alone is not enough. Practical cybersecurity, real oversight and skilled implementation are required to protect taxpayer data, maintain public trust and ensure that digital tax administration strengthens rather than weakens the economy.

For organisations involved in tax technology, the message is clear. Secure the data, test the systems, train the people and treat taxpayer information as critical national infrastructure.