ARTICLE
10 October 2025

Assessing The Implications Of The GAID Implementation For Small And Medium-Sized Enterprises (SMEs) In Nigeria

S.P.A. Ajibade & Co.

Contributor

S. P. A. Ajibade & Co. is a leading corporate and commercial law firm established in 1967. The firm provides cutting-edge services to both its local and multinational clients in the areas of Dispute Resolution, Corporate Finance & Capital Markets, Real Estate & Succession, Energy & Natural Resources, Intellectual Property, and Telecommunications.

1 Introduction

The enactment of the Nigeria Data Protection Act1 marked a pivotal step in strengthening the nation's data governance framework, creating clear structures for safeguarding personal data and promoting accountability among data controllers and processors.2 Recently, this foundation has been strengthened through the introduction and implementation of the General Application and Implementation Directive (GAID), which has provided detailed guidance, procedures, and practical compliance measures to ensure the effective enforcement of the NDPA. The provisions of GAID are significant for Small and Medium Enterprises (SMEs), especially as they are widely regarded as the cornerstone of Nigeria's economy.

The implementation of GAID presents a dual reality for SMEs. On one hand, it creates opportunities to build consumer trust, strengthen data security practices, and equips SMEs to compete more effectively in an increasingly digital economy. On the other hand, it introduces challenges such as compliance costs, the need for technical expertise, and the risk of sanctions for non-compliance. Assessing the implications and impact of the GAID within Nigeria's data privacy framework is essential, not only for the regulators,3 but also for SMEs seeking to balance business growth with legal responsibilities. This article examines how the GAID shapes the compliance landscape for SMEs, highlighting both the opportunities it creates and the hurdles it imposes.

2 Understanding Small and Medium Enterprises in Nigeria

The Small and Medium Industries Equity Investment Scheme (SMIEIS) defines SME as any enterprise with a maximum asset base of N200 million, excluding land and working capital, with at least ten employees or more than 300 staff. Small and Medium-Scale businesses can be defined as any enterprise employing between five and one hundred workers with an annual turnover of about four hundred thousand Naira (N400,000).4

The Federal Ministry of Commerce and Industry defines Small and Medium Enterprises (SMEs) as firms with total investments of up to ₦750,000 (excluding land costs but including capital) and employing up to fifty (50) people. SMEs typically operate as sole proprietorships or partnerships, though some may be registered as limited liability companies. They are generally characterised by simple management structures, informal employer–employee relations, labour-intensive operations, reliance on basic technology, the overlap of ownership and management, and restricted access to capital. Significant sources of funding available to SMEs in Nigeria include, but are not limited to, personal resources, family and friends, partners or business associates, informal financial markets, banks, specialised funding facilities (e.g., the National Economic Reconstruction Fund (NERFUND)) and specialised financial institutions (e.g., the Bank of Industry (BOI) and the Nigerian Industrial Development Bank (NIDB)).5

Small and Medium-sized Enterprises (SMEs) significantly contribute to the nation's Gross Domestic Product (GDP). They are diverse and dynamic, spanning sectors such as agriculture, manufacturing, services, and technology. SMEs play a crucial role in creating employment for millions of Nigerians while driving entrepreneurship and innovation. Beyond this, they support technological and industrial advancement, facilitate technology transfer and capacity building, and promote overall economic growth. Their contributions extend to improving living standards, encouraging industrial dispersion, supporting large-scale industries, boosting exports, transforming rural areas, and offering flexibility with relatively low start-up requirements.

Like all business entities, SMEs in Nigeria engage in data processing such as collecting, storing, using, and sharing data. The nature and extent of processing depend on their business model. SMEs in Nigeria play a crucial role in the economy and process significant amounts of personal and transactional data daily. While some act as both data controllers and processors, many still struggle with compliance under the Nigeria Data Protection Act due to cost, lack of awareness, and capacity challenges.

Below are some of the most important changes and new requirements under the GAID that SMEs must be aware of:

2.1 Data Subject Rights and Transparency

The GAID places heightened emphasis on making data subject rights easy to exercise. These rights include the right to access their data and the rights to erasure, correction, deletion, and transfer of personal data from one system to another. Privacy notices must be clear, transparent and accessible, especially for vulnerable individuals.

2.2 Adherence to Lawful Basis for Processing

The GAID instructs data controllers and processors to carefully consider and choose the appropriate lawful basis before processing personal data.6 The lawful bases for processing personal data are: (a) consent, (b) contractual obligation, (c) legal obligation, (d) vital interest, (e) public interest, and (f) legitimate interest.

2.3 Complaint Mechanism & Enforcement

The GAID introduces the Data Subject's Standard Notice to Address Grievance (SNAG) for lodging complaints.7 The SNAG is a standardised template for demanding internal remediation from an organisation which may be acting in violation of a data subject's privacy. Aggrieved data subjects are encouraged under the GAID to issue a SNAG to a data controller or data processor where they reasonably believe that the controller or processor has violated their right to data privacy. The NDPC may create an electronic platform through which it can track SNAGs.

2.4 Data Protection Impact Assessment (DPIA)

The GAID makes it mandatory for organisations to conduct a DPIA.8 This is required where processing is likely to result in a high risk to the rights and freedoms of a data subject, for instance where an SME introduces new technologies or new processing techniques, or where directives mandate the processing of personal data on a large scale. The GAID directs entities which process such personal data to conduct a DPIA within 6 months of the commencement of the GAID. Entities designated as data controllers and processors which deploy software for processing sensitive personal data, among other datasets, are also directed to carry out a DPIA and submit it to the Commission within four (4) months after the issuance of the GAID.9

Note that the Commission may impose enforcement action on any organisation which fails or refuses to conduct a DPIA. It may also place restrictions on all platforms through which data subjects have contact with a data controller or data processor for the purpose of carrying out any transaction in which personal data is required.

2.5 Emerging Technologies

The GAID mandates data controllers and processors which deploy or intend to deploy Emerging Technologies (ETs)10 such as Artificial Intelligence, the Internet of Things and Blockchain for the purposes of processing personal data to take into consideration: (a) the provisions of the NDP Act, (b) public policy, and (c) the GAID, as well as other regulatory instruments issued by the Commission, in order to safeguard the privacy of data subjects. Data controllers and processors which intend to employ ETs for processing personal data must set out technical and organisational parameters so that the technology is designed in compliance with the NDPA. Data controllers and processors that deploy ETs must carry out a DPIA on the technologies, and the technical and organisational parameters must be documented and filed with the Commission as part of the NDP Act Compliance Audit Returns.

3 Why SMEs Are Regarded as Data Controllers and Processors

Even though SMEs are not explicitly mentioned in the NDPA and the GAID, the obligations under the Act generally apply to all entities that process personal data (depending on scope, risk, or classification). Thus, SMEs cannot assume exemption merely because they are "small" unless an exemption is explicitly stated, and no such blanket exemption for SMEs appears to exist in the NDPA or the GAID.

Who are Data Controllers and Processors?11

The NDPA defines a "data processor" as an individual, private entity, public authority, or any other body that processes personal data on behalf of, or at the direction of, a data controller or another data processor. It defines a "data controller" as an individual, private entity, public commission, agency, or any other body which (alone or jointly with others) determines the purposes and means of processing personal data.12

In line with the above, it is safe to argue that most SMEs, such as retail shops, law firms, fintech startups, health facilities, schools and restaurants, are data controllers because they:

  1. Collect customer information (names, phone numbers, addresses, payment details).
  2. Decide why and how that information is used (for billing, delivery, marketing, client management, payroll, etc.).
  3. Store employee data (contracts, bank details, health information).

SMEs also act as data processors when they handle and process personal data on behalf of another business or entity, for instance a fintech SME providing cloud-based payroll services for other companies, or a marketing SME running targeted advertising campaigns with data supplied by clients. These SMEs are also categorised as data processors because they process the personal data of their employees for various reasons. Most SMEs in Nigeria are considered data controllers and processors as they are domiciled, resident in, and operate in Nigeria and also process personal data of particular value or significance to the economy and society of Nigeria.13

4 Do SMEs Qualify as Data Controllers and Processors of Major Importance?

To determine whether SMEs qualify as Data Controllers or Processors of Major Importance (DCPMI) based on their processing activities, it is essential to first understand the definition of DCPMI as provided in the Act. In assessing whether an organisation falls within this category, consideration must be given not only to the volume of data processed but also to the nature of the data and the potential risks associated with its processing.

The Act14 defines a "data controller or data processor of major importance" as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and which processes or intends to process personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate. That section goes further to explain "operating in Nigeria" to mean a data controller or data processor which targets a data subject in Nigeria, since such a controller or processor may not be domiciled or resident in Nigeria.

To determine what is of value or significance to the economy, society or security of Nigeria, as stated in the above definition, the Commission shall consider all relevant factors including, but not limited to, the risks that the data processing by a data controller or data processor poses to a data subject, and the sensitivity of the personal data involved.15

Like all business entities, SMEs in Nigeria engage in data processing activities such as collecting, storing, using, and sharing data. They process information of Nigerian citizens who are within the country, information of data subjects whose data has been transferred to Nigeria, and data of subjects whose personal data is in transit through Nigeria. Some process sensitive information whose processing is likely to result in a high risk to the rights and freedoms of a data subject, for instance where an SME introduces new technologies or new processing techniques. The GAID mandates all data controllers and processors, irrespective of the category of data processing they fall into, to handle and process personal data entrusted to their custody with care and to seek mutual assistance from foreign authorities when dealing with data of Nigerian citizens who are not within Nigeria, taking into account the universal right to privacy under international law.16

5 Compliance Measures by SMEs (Data Controllers & Processors of Major Importance) Under GAID

The GAID17 outlines certain compliance measures expected to be observed by organisations that qualify as Data Controllers and Data Processors of Major Importance in order to comply with the provisions of the NDP Act. One of these is that SMEs which are designated as data controllers and processors are obligated to register with the Commission as data controllers and processors of major importance, as provided in the Guidance Notice18 issued by the Commission.

Most SMEs that are designated as controllers or data processors can be said to fall under the category of Ordinary High Level (OHL), meaning that they process personal data of over 200 data subjects but not more than 1000 data subjects, utilising technology under their technical control or through service contracts. SMEs in this category are obligated to renew their registration with the Commission on an annual basis and are not required to file annual compliance audit returns (CAR) when they renew their registration annually.19

To comply with the provisions of the NDP Act, the GAID has directed all entities handling and processing data to, among other things:

5.1 Confirm Registration Requirements

Determine whether your organisation qualifies as a Data Controller or Data Processor of Major Importance and, if so, ensure timely registration with the NDPC. Be aware that if you fall in the Ordinary High Level category you are not expected to file the CAR annually, but you are required to renew your registration with the Commission annually.

5.2 Engage a Licensed DPCO

Retain a licensed Data Protection Compliance Organisation (DPCO) to audit your company's data protection practices for the preceding year and file the corresponding report with the Commission, especially if this has not yet been done.

5.3 Appoint, Support and Verify your DPO's Role

Appoint a person (internal staff or external consultant) who will ensure compliance with data protection laws and best practices in your enterprise. Follow up with your Data Protection Officer (DPO) to confirm they are compliant with the Act. In addition, ensure that your DPO satisfies the Annual Credential Assessment requirement.

5.4 Manage Data Subjects Complaints Effectively

Put mechanisms in place to acknowledge and address complaints (including Standard Notices to Address Grievances (SNAGs)) from aggrieved data subjects. Also, ensure that your privacy notices and cookie banners meet the requirements of visibility, consent, and accessibility.

5.5 Safeguard Cross-Border Data Transfers

Ensure that appropriate safeguards are implemented for all cross-border data transfers or data in transit through Nigeria.

5.6 Draw up Capacity Building Plan for Staff Members

Organise regular data protection training for all staff members involved in handling personal data to ensure they understand and can comply with the new obligations under the GAID.

5.7 Conduct a Data Privacy Impact Assessment (DPIA) when required under the NDP Act, or when directed by the Commission

This is required where processing is likely to result in a high risk to the rights and freedoms of a data subject, for instance where an SME introduces new technologies or new processing techniques, or where directives mandate the processing of personal data on a large scale.

5.8 Notify the Commission of any Data Breach

Inform the Commission of personal data breaches within seventy-two (72) hours of becoming aware of the breach, and also notify the affected data subjects immediately after becoming aware of a personal data breach that may pose a high risk to their privacy rights.20

7 Implications of GAID Implementation for Small And Medium-Sized Enterprises (SMEs) in Nigeria

7.1 Some Opportunities Created by GAID

GAID provides clarity and structure for SMEs that may have been uncertain about how to implement the NDPA. Some key benefits include:

  1. Clearer Compliance Guidance
    GAID was designed to simplify the implementation of the NDPA by breaking down its broad obligations into practical, step-by-step requirements. This clarity enables SMEs to better understand their responsibilities as data controllers and processors.21 By reducing ambiguity, the GAID not only makes compliance more achievable for small businesses but also helps them align with international data protection standards.
  2. Building Trust and Reputation
    When an SME complies with GAID and the NDPA, it shows that the business takes customer privacy seriously. Customers are more likely to share their personal data (emails, phone numbers, financial details) if they feel confident it won't be misused. Similarly, business partners and investors prefer to work with companies that have robust compliance frameworks, because this reduces legal and reputational risks.
  3. Data Governance Culture
    By encouraging SMEs to embrace principles such as data minimization, accountability, and robust security measures, the GAID fosters the development of a strong data governance culture. This not only ensures compliance with legal requirements but also enhances the operational efficiency of companies.
  4. Support for Innovation and Consulting Services
    By promoting privacy-by-design practices,22 GAID encourages SMEs to develop products and services with data protection embedded from the outset. This approach not only enhances user trust but also stimulates innovation by creating opportunities in privacy-focused technologies, consulting, and compliance services. For example, startups can design applications and platforms that prioritize security and privacy, such as encrypted payment systems, or cloud storage services tailored specifically for SMEs.

7.2 Some of the Hurdles Imposed by the GAID Implementation

While the GAID offers valuable opportunities for SMEs, it also presents a range of practical challenges that can strain their limited resources. These hurdles highlight the need for a balanced regulatory approach that supports compliance without stifling growth.

  1. Cost of Compliance
    For many SMEs, the financial burden of compliance is significant. Engaging Data Protection Officers (DPOs), conducting regular audits, and deploying advanced security infrastructure require investments that small businesses often cannot afford. While external consultants can provide support, their fees may be prohibitive for micro and small enterprises operating on thin margins.
  2. Capacity and Awareness Gaps
    A large proportion of SME owners and staff remain unfamiliar with data protection laws and their implications. The technical requirements of the GAID, such as conducting risk assessments or handling data subject rights requests, can easily overwhelm businesses that lack in-house legal or IT expertise. This knowledge gap not only slows adoption but also increases the likelihood of unintentional non-compliance.
  3. Regulatory Burden
    GAID introduces mandatory documentation and regulatory requirements, including privacy notices, consent records, and mandatory registration with the Commission. For SMEs, maintaining these records and ensuring annual registration leads to additional administrative work, which can divert attention from core business activities. This added layer of bureaucracy, though necessary for accountability, may feel disproportionate for businesses with limited manpower.
  4. Risk of Penalties
    Non-compliance carries the risk of regulatory sanctions, including fines and reputational damage. For SMEs already operating with tighter profit margins, the financial and reputational costs of enforcement actions can be devastating, unlike larger corporations that have greater resilience. This looming threat creates anxiety and can discourage smaller businesses from innovating or expanding into data-driven services.

8 Conclusion

The implementation of the GAID marks a crucial step in strengthening Nigeria's data protection landscape, presenting both opportunities and challenges for SMEs.23 On the one hand, it fulfils its objective of providing clarity on the implementation of the Act, encourages innovation, and creates pathways for the competitiveness and economic expansion of SMEs by aligning local practices with international standards. On the other, it imposes costs, technical demands, and compliance burdens that many SMEs may struggle to shoulder without additional support.

Ultimately, the success of the GAID for SMEs will depend on how effectively regulators, industry stakeholders, and business owners collaborate to balance enforcement with capacity building. With targeted awareness campaigns, affordable compliance tools, and supportive policies, GAID can evolve from being viewed primarily as a regulatory hurdle into a catalyst for stronger governance, sustainable growth, enhanced trust in Nigeria's digital economy and an effective apparatus for business success for Nigeria's SMEs.

Footnotes

1 Nigeria Data Protection Act, 2023.

2 'What the Nigeria Data Protection Act 2023 Means for Your Organisation' at: accessed on 28th September 2025.

3 Nigerian Data Protection Commission and sector specific agencies and parastatals.

4 World Trade Centre, 'Small and Medium-Sized Enterprises (SMEs): An Assessment of its Inclusion in Nigeria Trade', at accessed on 28th September, 2025.

5 Ibid.

6 Article 16 of the NDPA-General Application and Implementation Directives, (GAID) 2025.

7 Article 40.

8 Article 28.

9 Article 31.

10 Article 41.

11 Section 65 of the Nigeria Data Protection Act, 2023.

12 Section 65.

13 Ibid.

14 Ibid.

15 Article 8 NDPA- GAID, 2025.

16 Article 1.

17 Article 7.

18 Schedule 7, GAID 2025.

19 Schedule 7 & 10 of the (NDP Act) General Application and Implementation Directives.

20 Section 40, NDPA 2023.

21 Article 9.

22 Article 31.

23 See Olaniwun Ajayi LP, 'Major Innovation of the NDPA General Application and Implementation Directive (GAID)' at: https://www.olaniwunajayi.net/blog/major-innovation-of-the-ndpa-general-application-and-implementation-directive-gaid/ accessed on 28th September 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
