15 May 2025

Highlights Of The Nigeria Data Protection Act General Application And Implementation Directive, 2025

G ELIAS

Contributor

We are a leading Nigerian business law firm founded in 1994 and now organized across 18 practice groups, covering 25 industry sectors. We are also a member of Multilaw, a leading global alliance of independent law firms in over 90 countries worldwide.

Introduction

On March 20, 2025, the Nigeria Data Protection Commission (the “NDPC”) issued the Nigeria Data Protection Act General Application and Implementation Directive, 2025 (“GAID”), pursuant to its powers under section 61 of the Nigeria Data Protection Act, 2023 (“NDPA”). The GAID is aimed at providing clarity and practical guidance on the implementation of the NDPA. However, where any inconsistency arises between the NDPA and the GAID, the provisions of the NDPA will prevail.1

Regulatory oversight of the NDPC has intensified, with the NDPC actively sanctioning companies that consistently violate the NDPA.2 Enforcement efforts are also gaining momentum, with private citizens instituting suits to enforce their rights under the NDPA.3

The GAID has arrived at a timely moment to enhance general understanding and support the practical implementation of the NDPA. The GAID seeks to protect the personal data and fundamental right to privacy of the following data subjects4: (a) individuals within the territory of Nigeria; (b) individuals whose personal data has been transferred to Nigeria; (c) individuals whose personal data is in transit through Nigeria, provided that the data controller or data processor responsible for the transmission is subject to a jurisdiction with adequate data privacy laws; and (d) Nigerian citizens residing outside Nigeria.5

Highlights of the GAID

  1. Repeal of the Nigeria Data Protection Regulation, 2019 (“NDPR”): Upon issuance, the GAID effectively repealed the NDPR. Notably, the GAID does not speak to the status of the Implementation Framework of the NDPR. However, since the Framework was made pursuant to, and to give effect to, the NDPR, it may be considered that the GAID equally repeals the Framework, as its use has become obsolete and unnecessary with the repeal of the NDPR. Regardless, actions taken, or processes initiated, under the NDPR prior to the issuance of the GAID will remain in force.6
  2. Increased Obligation for Individuals Processing Data for Household or Personal Purposes: The NDPA provides that it shall not apply to processing of personal data solely for personal or household purposes, subject to certain exceptions.7 The GAID further clarifies that such individuals will not be held accountable only if such processing does not put the privacy of the data subject at risk. Conduct which might put a data subject at risk includes: (a) granting permission to a third party to access phone contact through a software or application; (b) sharing or transferring personal data to any individual or platform; (c) failing to exercise duty of care in handling a device containing personal data; (d) verbal or written disclosure of personal data; and (e) granting unauthorised access to the personal data of another person.8
  3. Compliance Measures by Data Controllers and Processors: The GAID outlines twenty-three (23) compliance measures that data controllers and processors must implement to comply with the NDPA. Some of the notable compliance measures include: conduct of an NDPA compliance audit and filing of a compliance audit return (“CAR”)9 with the NDPC, preparation and submission of semi-annual data protection reports, provision of clear and visible privacy and cookie notices on the home pages of their websites, establishing internal data protection strategies/policies and basic privacy checklists, establishing schedules for compliance with data protection laws, annual training of staff or personnel on data protection law and practices, etc.10
  4. Categories of Data Processing: The GAID classifies data controllers and processors into three (3) categories, according to their levels of processing, as follows: (i) Ultra-High Level (“UHL”), (ii) Extra-High Level (“EHL”) and (iii) Ordinary-High Level (“OHL”).11 For registration, UHLs shall pay the sum of ₦250,000 (Two Hundred and Fifty Thousand Naira), EHLs shall pay the sum of ₦100,000 (One Hundred Thousand Naira) and OHLs shall pay the sum of ₦10,000 (Ten Thousand Naira). Data controllers and processors in the UHL and EHL categories are required to register once with the NDPC but must file a CAR with the NDPC annually. However, those in the OHL category must renew their registration annually but are not required to file a CAR with the NDPC.12
  5. Obligations of a Data Protection Officer (“DPO”): The DPO of a company is required to prepare a semi-annual data protection report, detailing the data processing of the company within six (6) months, to be submitted to the management of the company.13 Further, the NDPC will conduct an annual credential assessment of DPOs, to ensure they maintain the requisite knowledge and professionalism to carry out their responsibilities.
  6. Mandatory Consent as a Lawful Basis for Processing14: The NDPA provides that for processing to be lawful, any of the lawful bases provided under the NDPA shall suffice.15 However, the GAID specifies instances where obtaining the consent of a data subject is mandatory before processing can occur. These include: (a) direct marketing; (b) processing of sensitive personal data16; (c) further processing that does not align with the original purpose of the processing; (d) processing the personal data of a child17; (e) cross-border transfer of data to a country about which the NDPC has not made an adequacy decision; and (f) automated processing.
  7. Introduction of Legitimate Interest Assessment: Where a data controller elects to rely on legitimate interest as the lawful basis for processing, the GAID requires that a legitimate interest assessment be conducted to assess whether legitimate interest can serve as an adequate lawful basis for the processing.18
  8. Introduction of the Standard Notice to Address Grievance (“SNAG”): Where a data subject believes that their right to data privacy has been violated, they may issue a SNAG to the data controller or data processor. Issuing a SNAG does not preclude the data subject from lodging a complaint with the NDPC or instituting an action for the enforcement of their rights; rather, the SNAG is to serve as an internal remediation mechanism, creating an opportunity for organisations to remedy violations before they are escalated to the NDPC. Upon receipt of a SNAG, the data controller or data processor must communicate its decision to the NDPC.19
  9. Provisions for Emerging Technologies: The GAID introduces specific compliance obligations for organisations intending to deploy emerging technologies such as artificial intelligence, internet of things and blockchain. The following measures must be implemented: (a) conduct a DPIA; (b) ensure anonymisation of data collected either from the data subject or a legitimate third party; (c) test the emerging technology in a low-risk environment to assess its impact; (d) evaluate the likelihood of disparate outcomes and the possibility of addressing them; (e) retest the emerging technology as often as possible to mitigate privacy risks; and (f) establish structures for continuous monitoring of the emerging technology.20

The issuance of the GAID marks a significant step toward a stronger and more effective privacy protection regime in Nigeria. It provides robust clarifications to the provisions of the NDPA, supporting its implementation and advancing the protection of the privacy rights of Nigerian citizens.

Footnotes

1. GAID, art. 3(2).

2. Fidelity Bank, “Fidelity Bank Affirms Commitment to Data Protection and Strong Corporate Governance”, available at https://www.fidelitybank.ng/fidelity-bank-affirms-commitment-to-data-protection-and-strong-corporate-governance/, where Fidelity Bank confirmed the NDPC's fine of ₦555.8 Million for data privacy breaches.

3. Notably the cases of (FHC/ABJ/CS/1432/2019) - Olumide Babalola LP et al. v. True Software Scandinavia et al. and (FHC/ABJ/CS/195/2024) - Chukwunweike Araka v. Ecart Internet Serviced Nigeria Ltd. et al.

4. A data subject means an individual to whom personal data relates (NDPA, s. 65).

5. GAID, art. 1(4).

6. GAID, art. 3(3).

7. NDPA, s. 3.

8. GAID, art. 6(2).

9. Specifically for Data Controllers and Data Processors of Major Importance.

10. GAID, art. 7.

11. GAID, art. 8(4).

12. GAID, art. 9.

13. GAID, art. 13.

14. GAID, art. 18.

15. NDPA, s. 25.

16. Sensitive personal data involves data relating to an individual's genetic or biometric data, race or ethnic origin, religion, health status, sex life, political opinions and trade union membership.

17. NDPA, s. 31.

18. GAID, art. 26.

19. GAID, art. 40.

20. GAID, art. 44.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
