Introduction
The Nigeria Data Protection Commission (NDPC or the Commission) has issued the Nigeria Data Protection Act General Application and Implementation Directive (GAID or the Directive) 2025, pursuant to the Commission’s power under Sections 1(a), 6(c), 61 & 62 of the Nigeria Data Protection Act (NDPA or the Act) 2023, to provide clarity on compliance obligations under the Act. The Directive aims to enhance data privacy governance, ensure regulatory certainty, and align Nigeria’s data protection framework with global best practices.
Accordingly, this Newsletter provides an overview of the key provisions of GAID.
Background
The NDPA was enacted to safeguard data privacy rights and regulate the processing of personal data in Nigeria. To facilitate effective implementation, the NDPC has developed the GAID, which provides further interpretation of the NDPA and outlines additional obligations, compliance requirements, and enforcement measures relevant to the NDPA.
GAID is intended to provide regulatory clarity, particularly in the areas of evolving technologies, data sovereignty, cross-border data transfers, and other key provisions of the NDPA, such as the lawful bases for data processing, and it introduces new and supplementary compliance mechanisms applicable to data controllers and processors.
Key Provisions of the GAID
Data Subjects
The GAID clarifies the categories of data subjects entitled to the rights and protection granted under the NDPA[1]. Further interpreting the provision of Section 2(c) of the NDPA, GAID extends the categories of data subjects protected under the NDPA to include:
- individuals within Nigeria, regardless of nationality and migration status;
- individuals whose personal data have been transferred to Nigeria;
- individuals whose personal data are in transit through Nigeria, provided that the obligation of the data controller or data processor facilitating the transmission is limited to ensuring data confidentiality, integrity, and availability;
- Nigerian citizens residing outside Nigeria.[2]
This provision extends the scope of data protection beyond Nigeria’s borders, ensuring that individuals within the country, citizens abroad, and foreign individuals whose data are processed in or through Nigeria are covered under the NDPA. Pursuant to the foregoing provision, foreign entities transferring personal data into Nigeria are required to comply with the NDPA.
Statutory Remedy in respect of double or multiple regulatory frameworks on data protection
Importantly, in furtherance of Section 64 of the NDPA, GAID repeals the Nigeria Data Protection Regulation (NDPR) 2019;[3] the NDPR is therefore no longer applicable in Nigeria, and the NDPA and GAID are now the primary reference documents for matters relating to personal data protection (especially in relation to the conduct of data processors and controllers).
It is important to flag that, because GAID also introduces supplementary guidance provisions applicable to data controllers or processors, some of which may conflict with the NDPA, Article 3(2) of GAID attempts to resolve any such conflict by providing that “[i]n the event of a conflict between the [NDPA] and [GAID], [NDPA] shall prevail.” Thus, where any provision of the GAID conflicts with the NDPA, the provision of the NDPA prevails, and this rule of precedence is critical to interpreting and complying with both the NDPA and the GAID.
Evaluation of Exemptions to the NDPA
Pursuant to Article 5(2)(e) of GAID, the Commission has also extended the minimum compliance obligations applicable to entities exempt from the operation of Part V of the NDPA. Section 3(a)–(e) of the NDPA permits certain entities not to comply with the NDPA, provided that Sections 24, 25, 32 and 40 of the Act continue to apply to such entities. Pursuant to Article 5(2)(e) of GAID, however, the Commission has introduced a new category of minimum requirements that such exempt entities must comply with, specifically Part VI of the NDPA (Data Subject Rights).
Thus, the foregoing could mean that while some entities may be exempt from complying with Part V of the NDPA, such exempt entities must continue to comply with the provisions of Part VI of the NDPA regarding data subject rights. This amendment seems inconsistent, considering that an exempt entity (for instance, a law enforcement authority) may suppress the rights of a data subject for legitimate reasons, thereby rendering Part VI of the NDPA inapplicable. Such encroachment on the rights of the data subject is also validated and recognized pursuant to Section 45(1) of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (the Constitution), which generally acknowledges the validity of any law that is reasonably justifiable in a democratic society in the interest of defence, public safety, or the protection of the rights and freedom of other persons.
Mandatory Compliance Audit Returns (CAR)
Organizations processing large volumes of data or handling sensitive personal data must register with the NDPC.[4]
The Directive recognizes the three categories of data processing: Ultra-High Level (UHL), Extra-High Level (EHL), and Ordinary-High Level (OHL), as designated by the Commission further to Section 65 of the NDPA (which defines a data controller or processor of major importance and empowers the Commission to designate the relevant categories as it deems fit). Accordingly, GAID entrenches and recognizes the categories of data controllers and data processors of major importance[5] classified under the Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance (issued by the Commission) as follows:
- Major Data Processing-Ultra High Level (MDP-UHL)
- Major Data Processing-Extra High Level (MDP-EHL)
- Major Data Processing-Ordinary High Level (MDP-OHL)
Registration obligation: GAID clarifies that all data controllers and data processors of major importance must register with the NDPC.[6]
Compliance Audit Returns: only data controllers or processors categorized under MDP-UHL and MDP-EHL are required to file annual Compliance Audit Returns (CAR) with the Commission by March 31st through a Data Protection Compliance Organization (DPCO).[7] Pursuant to Article 10(6), MDP-OHL entities may be required to file an audit with the Commission, albeit without a DPCO.
Registration renewal/exemption: entities classified as MDP-OHL must renew their registration with the NDPC annually but are exempt from filing CAR during such renewal.[8] In other words, MDP-OHL entities need not file a CAR when renewing their registration with the Commission. On the other hand, entities classified as MDP-UHL or MDP-EHL are only required to register with the Commission once, without renewing the registration annually.[9] Additionally, all data controllers and data processors are mandated to keep a compliance schedule detailing their obligations under the NDPA.[10]
General audit: Article 7(b) of GAID seems to impose a general audit requirement on all data processors or controllers, but when read together with other provisions of GAID[11] and the NDPA, it could be interpreted to mean that while all data processors or controllers are required to complete a data protection audit annually, only entities categorized as MDP-UHL or MDP-EHL are mandated to submit a CAR (through a DPCO) to the Commission.
Additional notification requirement: GAID also imposes an ongoing notification obligation on all data processors or controllers of major importance; pursuant to Article 9(4) of GAID, these entities must notify the Commission of any significant change to the information submitted (to the Commission) in their most recent registration within sixty (60) days after such change.
Non-compliance with mandatory CAR filing attracts an administrative penalty amounting to 50% of the stipulated CAR filing fee or as otherwise determined by the NDPC.[12]
Designation and Responsibilities of Data Protection Officers (DPOs)
Entities classified as major data processors are required to appoint a certified DPO, publish the contact details of the DPO, and ensure that the information is also communicated to the NDPC. The GAID defines the key responsibilities of a DPO, which include:
- Overseeing compliance with data protection laws;
- Conducting internal audits and risk assessments; and
- Acting as the primary contact for regulatory authorities and data subjects.
GAID also introduces a new obligation on DPOs: they are required to submit semi-annual internal data protection reports to their management, which must be received by an authorized person appointed to handle the Record of Processing Activities (RoPA). The Directive also sets out the contents of these reports.[13]
To maintain the required level of professionalism, DPOs are now required to undergo a compulsory Annual Credential Assessment (ACA) with the NDPC. The ACA may be subject to verification by the NDPC upon the payment of the appropriate fees by the DPO.
Lawful Bases for Data Processing
In alignment with the NDPA,[14] the GAID emphasizes the importance of a data controller carefully assessing the lawful bases of data processing. Reiterating and clarifying the provisions of the NDPA, GAID further provides that data processing activities must be based on at least one of the following legal justifications:
- Consent: the data subject must provide explicit and informed consent for the processing of their personal data. Consent must be freely given, specific, and unambiguous, and organizations must ensure that withdrawal of consent is as easy as giving it. The GAID introduces (x) an implied or constructive consent framework[15] and (y) the Special Rule of Law Indexes (SRLI), to address situations where consent is not obtained in a clear and specific manner and is sought in a way that infringes on the fundamental rights and freedoms of data subjects.[16] Importantly, the GAID further expands the scope of mandatory consent, covering areas such as direct marketing activity, processing of sensitive personal data, data processing incompatible with its original purpose, children’s data, cross-border transfers, and automated decision-making that significantly impacts data subjects.[17] Thus, data processors or controllers performing any of the foregoing activities must obtain the consent of the data subjects prior to performing such processing activities.
- Contractual obligation: processing is required for the performance of a contract to which the data subject is a party. This applies to employment contracts, service agreements, and product purchases.
- Legal obligation: data may be processed when required for compliance with Nigerian legal requirements imposed on the data controller, such as financial reporting, regulatory disclosures, and statutory record-keeping.
- Public interest: processing is justified when it is necessary for tasks carried out in the interest of the public, such as law enforcement, healthcare services, and national security measures.
- Vital interest: personal data may be processed where necessary to protect an individual’s life or prevent harm, particularly in emergency medical situations or public health crises.
- Legitimate interest: processing is permissible where an organization has a compelling legitimate interest that is not overridden by the rights and freedoms of the data subject. This basis requires a thorough assessment to ensure that privacy rights are not unduly infringed.
Additionally, stricter safeguards apply to the processing of sensitive personal data such as health, biometric, financial information, and children’s data. Organizations processing such data must demonstrate a higher standard of security and compliance to ensure adequate protection. Furthermore, the GAID mandates that data processing must not only comply with the NDPA but also align with existing Nigerian legislation and international legal norms.[18]
Data Privacy Impact Assessment (DPIA)
The NDPA establishes a broad framework for DPIAs, requiring data controllers to conduct an assessment for processing activities that pose a high risk to data subjects’ rights and freedoms. The Act also empowers the Commission to issue regulations or directives specifying categories of processing that necessitate a DPIA.[19] However, it does not provide an exhaustive list of such activities. The GAID expands on this framework by explicitly listing data processing activities that require a DPIA, such as profiling, automated decision-making, systematic monitoring, processing of sensitive data, processing data of vulnerable subjects, deployment of new technologies, financial and healthcare services, surveillance, education, hospitality, cross-border data transfers, and more.[20]
Articles 28(4) and (12) establish that only a DPO certified by the Commission may vet and sign off on a DPIA. This is also a new requirement that is now imposed on data controllers or processors.
Schedule for Internal Sensitisation and Training on Privacy
Under the GAID, data controllers or data processors must implement a comprehensive schedule for privacy training and compliance assessment. The schedule must outline clear evaluation mechanisms, leveraging tools such as meetings, questionnaires, and interviews to assess adherence to the NDPA and other related regulatory instruments.[21] The framework should aim to:
- Identify data processing practices to discontinue, initiate, or maintain;
- Publish compliance schedules through accessible internal communication channels;
- Assign relevant officers to oversee data processing reviews and implementation timelines;
- Establish a privacy checklist to guide personnel on their responsibilities; and
- Develop policies for routine, unannounced compliance checks, which may be integrated into broader data governance frameworks.
By enforcing this structured approach, the GAID ensures that organizations remain compliant with privacy regulations while fostering a culture of data protection awareness within their operations.
Deployment of a Data Processing Software
Article 31 of GAID requires any data controller or data processor that deploys or intends to deploy data processing software for tracking a data subject or for enabling communication links to comply with the NDPA.[22] In addition to the general obligations, such entities are required to:
- Conduct a DPIA prior to deploying the software.
- Ensure privacy by design and by default, embedding data protection principles into the software.
- Comply with data security guidelines specified in app stores or relevant platforms where the software is available.
- Include a data privacy policy within the software.
- Provide a privacy statement to users before installation.
Data Breach Notification and Security Measures
Under the NDPA, data controllers are required to report breaches that pose risks to individuals’ rights and freedoms to the NDPC within 72 hours of discovery[23]. The affected data subjects must be notified promptly to prevent potential harm, such as fraud or identity theft. The notification to the NDPC should include:
- The nature and circumstances of the breach;
- The types of personal data involved;
- An assessment of potential harm;
- Steps taken to mitigate risks;
- Measures to inform affected individuals; and
- Contact details for further inquiries.
For breaches with national security implications, immediate notification to the NDPC and relevant authorities is mandatory to contain risks effectively.
Data Subject’s Standard Notice to Address Grievance
In ensuring the protection of personal data rights, the GAID introduces the Standard Notice to Address Grievance (SNAG) as a structured mechanism for data subjects to seek redress when they believe their privacy rights have been violated. While the SNAG is not a prerequisite for filing a formal complaint with the NDPC or pursuing legal action, it serves as a standardized approach to requesting internal remediation from data controllers and processors.
Aggrieved individuals, their authorized representatives, or civil society organizations acting in the public interest may issue a SNAG through various channels, including email, courier, or telephone messaging. Upon receipt, data controllers and data processors must respond appropriately and communicate their decision to the NDPC via its designated electronic platform. The NDPC may track SNAG submissions and, where necessary, initiate direct investigations into unresolved cases.[24]
Emerging Technologies and Privacy Impact Assessments
Entities deploying new technologies such as artificial intelligence, the Internet of Things, and blockchain for data processing must take into consideration the provisions of the data protection laws and public policy.[25] These entities must establish technical and organizational parameters that uphold the data subject’s rights, including protection against fully automated decision-making, the right to be forgotten, and privacy by design principles. Special attention must be given to sensitive data processing, child protection, and cross-border data transfers.
Additionally, a comprehensive DPIA is required, focusing on risk assessment, disparate outcomes, and anonymization measures. Testing in controlled environments, iterative risk mitigation, and ongoing monitoring mechanisms are essential before full deployment. Where risks remain unaddressed, these organizations must reconsider the adoption of such technologies.
DPIAs are mandatory for high-risk processing activities, including financial services, healthcare, and e-commerce.
Conclusion
GAID is a significant step in strengthening Nigeria’s data protection framework. It emphasizes accountability, transparency, and compliance in data processing activities. It expands on the NDPA, addressing emerging technologies and evolving data protection challenges that were not originally considered. Organizations must take proactive steps to align with the directive and ensure the protection of personal data.
For further clarification or assistance regarding compliance with the NDPA or any related legal matters, you can contact us via email at lawyers@credence-law.com.
[1] Section 34 of the NDPA
[2] Article 1(4) of the GAID
[3] Article 3(3) of the GAID
[4] Section 44 of the NDPA
[5] Section 2 of Guidance Notice/NDPC/HQ/VOL.02/24
[6] Article 9(1) of the GAID
[7] Section 33 of the NDPA; Articles 9(2) and 10(14) of the GAID
[8] Article 9(3) of the GAID
[9] Article 9(2) of the GAID
[10] Article 10(d) of the GAID
[11] See also Article 10(1) of the GAID
[12] Article 10(9) of the GAID
[13] Article 13(5) of the GAID
[14] Section 25 of the NDPA
[15] Article 17(8) of the GAID
[16] Article 17(3)–(5) of the GAID
[17] Article 18(1) of the GAID
[18] Article 20 of the GAID
[19] Section 28(3) of the NDPA
[20] Article 28(3) of the GAID
[21] Article 30(1) of the GAID
[22] Article 31 of the GAID
[23] Section 40(2) of the NDPA
[24] Article 40(7) of the GAID
[25] Article 43(1) of the GAID