In March 2025, the Nigeria Data Protection Commission ("NDPC") issued the Nigeria Data Protection Act ("NDPA") General Application and Implementation Directive, 2025 ("GAID"). The Directive became effective on 19 September 2025, marking a new phase in Nigeria's data protection implementation regime. As a result, the Nigeria Data Protection Regulation ("NDPR") and the NDPR Implementation Framework, 2020, are no longer applicable as data protection regulatory instruments in Nigeria.
With its implementation, the GAID provides guidance on the protection of data subjects' privacy rights, offers clarification, and expounds certain provisions of the NDPA. Notably, the GAID introduces new provisions and additional obligations for data controllers and processors, including:
- Household or Personal Data Processing Obligations – The GAID provides that individuals processing personal data must respect data privacy and may be held accountable for actions that put others' personal data at risk. Risky conduct includes the unauthorised disclosure of personal data, failure to exercise due care in handling devices that store personal data, sharing or transferring personal data to any person or platform without lawful basis, and unauthorised access to another person's personal data.
- Widened definition of "Operating in Nigeria" in Section 65 of the NDPA – The phrase "operating in Nigeria" as stated in Section 65 of the Act includes a data controller or processor that targets data subjects in Nigeria, even if such controller or processor is not domiciled or resident in the country. This means that any organisation, whether based abroad or not, that processes personal data in a manner that significantly impacts Nigeria's economy, society, or security may be classified as a data controller or processor of major importance.
- Clarification of the Right to be Forgotten – This Directive provides that a data subject may request the erasure of personal data in the following circumstances: where the data is no longer necessary for the purpose for which it was originally collected; where the data has been unlawfully processed; where processing is carried out for marketing purposes and the data subject objects; or where processing is based on consent and the data subject withdraws that consent. However, the exercise of this right may be limited where processing is necessary to comply with a legal obligation or ruling, for public health purposes, to serve the public interest, or for scientific, historical, or statistical purposes. Where personal data has been made public or shared, the controller must ensure that third parties erase such data upon request. Claims of overriding public interest must be substantiated by the data controller.
- Mandatory Registration for Data Controllers and Processors of Major Importance – Article 9 requires all controllers and processors designated as being of major importance to register with the NDPC. Entities classified as Ultra-High Level (UHL) or Extra-High Level (EHL) are required to register once and thereafter file annual Compliance Audit Returns (CARs), while those in the Ordinary-High Level (OHL) category must renew their registration annually but are not required to file separate CARs. In addition, entities must notify the Commission within 60 days of any significant change to their registration details. Where an organisation no longer qualifies as a data controller or processor of major importance, it may request removal from the register, although it will remain liable for any outstanding fees.
- Data Processing Requiring Consent and Reliance on Consent – The GAID provides that consent is required for any direct marketing activity, the processing of sensitive personal data, the processing of a child's personal data, and before personal data may be transferred to a country in respect of which the Commission has not issued an adequacy decision. However, where reliance on consent would undermine the rule of law, another lawful basis may be considered. A data controller relying on consent must also maintain proper records to ensure accountability in respect of such consent.
- Designation, Position and Semi-Annual Report of the Data Protection Officer (DPO) – Designation – Section 32 of the Act provides that the Data Protection Officer may be a member of staff of the data controller or data processor, and the data controller/processor must communicate the DPO's details to the Commission.
Position – The data controller/processor must actively engage its DPO on all issues relating to the processing of personal data, and the DPO must report directly to the management level of the controller or processor. The DPO is bound by secrecy and confidentiality obligations in performing his or her duties, in accordance with relevant legislation.
Semi-Annual Data Protection Report – The DPO is required to compile a semi-annual report, submit it to management, and ensure it is delivered to the officer of the data controller/processor authorised to receive records of processing activities. This report must be verified by a Data Protection Compliance Organisation (DPCO) during the compliance audit.
- Filing of NDPA Compliance Audit Returns (CAR) – Data controllers and processors are required to conduct periodic audits to assess risks and mitigate data breaches. Key requirements include adopting a risk-based approach to audits and the annual filing of CARs by Ultra-High Level (UHL) and Extra-High Level (EHL) entities, with new entities required to file within 15 months of commencement. Failure to file within the stipulated timeframe attracts a penalty of 50% of the stipulated CAR filing fee. In addition, UHL and EHL entities must file their CARs through a licensed Data Protection Compliance Organisation (DPCO).
CONCLUSION
With the implementation of the GAID, the enforcement of data privacy rights is set to become more robust, as the NDPC will commence active monitoring to ensure strict compliance. All data controllers and processors are advised to take immediate steps to review and update their data protection and privacy policies, contracts, and operational practices in line with the new requirements. Early alignment will not only mitigate regulatory risks but also demonstrate accountability and good corporate governance.