The GAID came into effect as of 19 September 2025 and is now a primary regulatory framework alongside the Nigeria Data Protection Act (NDPA) 2023. GAID stands for the General Application and Implementation Directive, issued by the Nigeria Data Protection Commission (NDPC) on March 20, 2025. It provides detailed guidance on implementing the Nigeria Data Protection Act (NDPA) 2023 in practice. If you process personal data in Nigeria, this is your new playbook. Here's everything you need to know!
Q1: Does GAID replace the NDPR 2019?
Yes. Article 3(3) of GAID states that:
‘Upon the issuance of the GAID, the Commission shall cease to apply the Nigeria Data Protection Regulation (NDPR) 2019 as a legal instrument for regulating data privacy and protection…’
It explicitly repeals the Nigeria Data Protection Regulation (NDPR) 2019 and the NDPR Implementation Framework 2020. From September 19, 2025, the NDPA 2023 and GAID are the only legal instruments that govern data protection in Nigeria. However, all actions taken under the NDPR before GAID's issuance remain valid.
Q2: What is the scope and priority of GAID?
GAID reinforces the supremacy of the NDPA over conflicting laws. All public and private organizations must consider the “material context” of data processing and uphold fundamental privacy rights.
Q3: Who must comply with GAID?
All Data Controllers and Data Processors that process personal data of Nigerian residents must comply. Those classified as DCPMIs (Data Controllers/Processors of Major Importance) have heightened obligations. Additionally, GAID expands coverage to foreign entities that "target" Nigerian data subjects, even without physical presence in Nigeria.
Q4: What are Data Controllers and Data Processors?
A Data Controller is the person or organisation that decides why and how personal data is collected, stored, used, shared, or deleted (i.e. processed). A Data Processor is the person or organisation that handles or processes the data on behalf of the Data Controller, following the Controller's instructions.
Q5: What are the DCPMI (Data Controllers/Processors of Major Importance) tiers and their requirements?
A central feature of GAID is fleshing out the NDPA's concept of “data controllers and data processors of major importance.” NDPA Section 65 defines these as entities (including those “operating in Nigeria”) processing data on a large scale or of significant value to the economy or security. Article 8 of GAID restates this definition and instructs the NDPC to classify such entities into three tiers:
- Ultra-High Level (UHL): Entities processing over 5,000 data subjects in 6 months (banks, telecoms, multinationals). Registration fees: ₦500,000-₦1,000,000
- Extra-High Level (EHL): Entities processing over 1,000 data subjects in 6 months (government MDAs, microfinance banks). Fees: ₦100,000-₦250,000
- Ordinary High Level (OHL): Entities processing over 200 data subjects in 6 months (schools, health centres). Lower fees and reduced obligations.
Q6: What are the key compliance obligations under GAID?
Major obligations include:
- Registration with NDPC for DCPMIs within 6 months
- Initial compliance audit within 15 months, then annually
- Filing Compliance Audit Returns (CAR) by prescribed deadlines
- Appointing certified Data Protection Officers (DPOs)
- Semi-annual internal data protection reporting
- Implementing Standard Notice to Address Grievance (SNAG) mechanisms
- Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing.
Q7: What is SNAG and how does it work?
SNAG (Standard Notice to Address Grievance) is a mandatory internal compliance mechanism that allows data subjects to raise privacy concerns directly with data controllers/processors before escalating to the NDPC. Organizations must implement user-friendly procedures for handling such grievances, creating a structured dispute resolution process.
Q8: What are the current enforcement actions and compliance deadlines?
In August 2025, the NDPC issued compliance notices to 1,368 organizations across banking, insurance, pension, and gaming sectors, giving them 21 days to prove compliance on or before September 15, 2025. This follows previous enforcement actions, including a ₦766.2 million fine against Multichoice Nigeria. Full GAID compliance is required by September 19, 2025.
Q9: What are the penalties for non-compliance?
Penalties vary by entity type:
- DCPMIs: Maximum fine of ₦10,000,000 or 2% of annual gross revenue, whichever is higher
- Other entities: Maximum fine of ₦2,000,000 or 2% of annual gross revenue
- Late CAR filing: 50% surcharge on applicable filing fees
- Criminal prosecution: Possible for serious violations, including imprisonment
- Additional sanctions: Suspension of data processing activities and enforcement orders.
Q10: How does GAID handle cross-border data transfers?
GAID strengthens requirements for international data transfers, requiring Transfer Impact Assessments (TIAs) and NDPC approval when using safeguards like Standard Contractual Clauses. Organizations must ensure foreign jurisdictions maintain substantially similar protections to Nigerian standards or implement appropriate contractual mechanisms.
Q11: What are the enhanced protections for children's data?
Key protections include:
- Mandatory age verification methods for entities processing children's data
- Child-friendly privacy policies when targeting minors
- Parental or guardian consent requirements where legally necessary
- Stricter processing limitations and enhanced security measures.
Q12: What Data Protection Impact Assessments (DPIAs) are required?
GAID significantly expands DPIA requirements for:
- Communication software development
- Financial services using digital devices
- Healthcare and e-commerce platforms
- Educational institutions processing student records
- Public surveillance camera deployment
- Cross-border data transfers.
Schedule 4 provides a comprehensive 10-section DPIA template.
Q13: How does GAID define "operating in Nigeria" for foreign entities?
GAID expands this definition to include foreign data controllers/processors that "target" Nigerian data subjects, regardless of physical presence. This covers entities that deliberately direct services, marketing, or data collection activities toward Nigeria, significantly broadening jurisdictional reach.
Q14: What are the CAR filing requirements and deadlines?
Only DCPMIs must file Compliance Audit Returns:
- UHL and EHL entities: Annual filing by March 31st (or 15 months after establishment)
- Must use licensed DPCOs: Ultra-High and Extra-High-level entities must file through Data Protection Compliance Organizations
- Filing fees: Range from ₦100,000 to ₦1,000,000 based on data subject volume
- Late penalties: 50% surcharge on applicable fees.
Q15: What should organizations do immediately to prepare for GAID compliance?
Immediate actions include:
- Conduct gap analysis against GAID requirements
- Register as DCPMI if criteria are met
- Appoint qualified DPOs and support staff
- Implement SNAG complaint procedures
- Review and update privacy policies and consent mechanisms
- Prepare for initial compliance audits
- Establish data processing records and reporting systems
- Assess cross-border transfer arrangements.
Q16: How will the NDPC enforce GAID compliance?
The NDPC has demonstrated aggressive enforcement through:
- Sector-wide investigations targeting over 1,300 organizations
- Public naming of non-compliant entities
- 21-day compliance deadlines with specific evidence requirements
- Monetary penalties up to ₦10 million or 2% of revenue
- Criminal prosecution for serious violations
- Suspension of data processing activities
- Regular compliance audits and monitoring.
Q17: What if I'm non-compliant when the NDPC comes knocking?
Expect investigation, requests for documentary evidence, potential fines, remedial directions, and public naming. For large players, the NDPC has shown willingness to impose multi-million-naira penalties and to follow up with enforcement orders when necessary. Prompt remediation and cooperative engagement with the NDPC can mitigate fallout.
Q18: Are there transitional provisions for businesses moving from NDPR to GAID?
Yes. GAID provides transitional mechanisms for pre-existing compliance measures under the NDPR. But transitional relief is time-limited: organisations must align with GAID timelines and file required audits/returns per the new schedule. Don't rely on indefinite grace.
Q19: How should multinational organisations coordinate global privacy programs with GAID?
Ensure Nigerian data processing fits into the company's global privacy framework; ensure contracts incorporate GAID-compliant clauses; run TIAs for transfers; and designate a local compliance lead or legal counsel familiar with GAID. Also, maintain evidence of targeted mitigation steps; that documentation is gold in an NDPC audit.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.