On 20 March 2025, the Nigeria Data Protection Commission ("NDPC") released the General Application and Implementation Directive 2025 ("GAID"). The GAID is aimed at providing detailed guidance on the implementation of the Nigeria Data Protection Act 2023 ("NDPA").
The GAID has replaced the Nigeria Data Protection Regulation ("NDPR") 2019 and requires data controllers and processors who fall within the ambit of the NDPA and process the personal data of Nigerian residents to comply with its provisions.
The GAID has been designed to create uniformity in the application of the NDPA and it clarifies the key provisions of the NDPA particularly regarding:
- data governance;
- data processing principles;
- compliance audit requirements;
- the legal bases for processing of personal data;
- data breach incident reporting; and
- cross-border data transfers.
In addition, the GAID has introduced the Data Subjects' Standard Notice to Address Grievance ("SNAG"), which is a mechanism that will allow data subjects to seek redress directly from data controllers and processors regarding any violation of their privacy rights.
Are the NDPR and the NDPR Implementation Framework 2020 still valid?
The GAID states that the NDPA is Nigeria's primary legislation on data protection. Article 3(3) of the GAID provides that the NDPR is no longer a regulatory instrument governing data privacy and protection in Nigeria, effectively repealing the NDPR. The NDPC will now apply only the provisions of the NDPA and the GAID as the primary laws governing data privacy matters in Nigeria. In line with the transitional provisions of the NDPA, all actions, decisions, or enforcement measures undertaken pursuant to the NDPR before the issuance of the GAID remain valid.
Mandatory Compliance Measures for Data Controllers and Data Processors
Article 7 of the GAID outlines the mandatory compliance measures for data controllers and processors under the NDPA. These obligations aim to ensure structured data governance, transparency, and accountability in their data processing activities.
Some of the key requirements include:
- Organisations classified as Data Controllers or Data Processors of Major Importance ("DCPMI") are required to register with the NDPC.
- All data controllers and processors are required to conduct a compliance audit within 15 months of business commencement and subsequently annually.
- DCPMIs categorised as Ultra-High or Extra-High Level must submit their Compliance Audit Returns ("CAR") to the NDPC by 31 March each year.
- Organisations must map out all compliance requirements under the NDPA and create structured compliance schedules.
- Organisations must prepare and maintain detailed reports on their data processing activities every six months.
- Organisations must develop data security policies to ensure the confidentiality, integrity, and availability of personal data they handle.
- Organisations must implement company-wide sensitisation programmes to foster a culture of compliance with data protection laws.
- DCPMIs are required to appoint a Data Protection Officer. Associate DPOs/Privacy Champions may be designated to support the DPO where the data controller or the data processor carries out data processing or interfaces with data subjects on multiple platforms and places.
- Organisations are required to draft or review their privacy policies to ensure alignment with the NDPA.
- Privacy policies must be easily accessible on platforms to educate data subjects on how their data is processed.
- Websites that use cookies must display a prominent cookie notice that partially obstructs the screen and lets users accept or decline cookies.
- Organisations must ensure that their privacy policies and notices are transparent and prominently displayed on all platforms where data processing occurs. Additionally, they must comply with the NDPA while considering any privacy requirements set by relevant application hosting platforms.
- Organisations must report personal data breaches to the NDPC within 72 hours of awareness. If a breach poses a high risk to data subjects, they must be informed immediately.
- Organisations are required to create systems that allow users to access, correct, and update their personal data seamlessly.
- Data subjects must be able to transfer their data to another platform or service provider.
- Organisations must ensure contracts with vendors and data processors comply with NDPA provisions.
- Organisations are required to conduct a Data Privacy Impact Assessment (DPIA) when required under the NDPA or when directed by the NDPC.
- Organisations are required to establish clear complaint resolution mechanisms, ensuring that data subjects can escalate issues to the NDPC if necessary.
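The cookie-notice item above requires a notice that lets visitors accept or decline cookies. On the client side, honouring that choice means non-essential cookies must not be written until the visitor has answered, and a decline must actually take effect rather than only a future accept. The block below is an added example, not text or code from the GAID or the NDPC: a small consent gate in front of a cookie store, with a memory-backed store so it runs under Node. The "essential"/"non-essential" split, the `consent_decision` cookie name, the 180-day retention of the decision and the Secure/SameSite defaults are assumptions of this example; the banner markup itself is left out as site-specific.

```javascript
// Added example: consent-gated cookie handling behind an accept/decline notice.
// Not part of the GAID; the category names, cookie name and defaults are assumptions.

const CATEGORY = Object.freeze({ ESSENTIAL: "essential", NON_ESSENTIAL: "non-essential" });
const CONSENT_COOKIE = "consent_decision"; // assumed name for the stored decision

// Minimal cookie store so the gate runs outside a browser. In a real page this
// would wrap document.cookie, or sit server-side in front of Set-Cookie.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, attrs) { this.cookies.set(name, { value, attrs }); }
  remove(name) { this.cookies.delete(name); }
  has(name) { return this.cookies.has(name); }
  get(name) { const c = this.cookies.get(name); return c ? c.value : undefined; }
}

// Hardening defaults applied to every cookie unless the caller overrides them.
const DEFAULT_ATTRS = Object.freeze({ secure: true, sameSite: "Lax", path: "/" });

class ConsentGate {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;
    this.decision = null;          // null until the visitor accepts or declines
    this.pending = [];             // non-essential cookies requested before a decision
    this.nonEssential = new Set(); // names of every non-essential cookie ever requested
  }

  // Every cookie the site wants to set goes through here with its category.
  request(name, value, category, attrs = {}) {
    const merged = { ...DEFAULT_ATTRS, ...attrs };
    if (category === CATEGORY.ESSENTIAL) {
      this.jar.set(name, value, merged);
      return "set";
    }
    if (category !== CATEGORY.NON_ESSENTIAL) throw new Error(`unknown category: ${category}`);
    this.nonEssential.add(name);
    if (this.decision === "accepted") { this.jar.set(name, value, merged); return "set"; }
    if (this.decision === "declined") return "blocked";
    this.pending.push({ name, value, attrs: merged }); // hold until the notice is answered
    return "deferred";
  }

  accept() {
    this.decision = "accepted";
    for (const c of this.pending) this.jar.set(c.name, c.value, c.attrs);
    this.pending = [];
    this.recordDecision();
  }

  decline() {
    this.decision = "declined";
    this.pending = [];
    // Clear any non-essential cookie that may already exist (for example from an
    // earlier visit) so that declining has an effect, not only future accepts.
    for (const name of this.nonEssential) this.jar.remove(name);
    this.recordDecision();
  }

  // The decision is itself stored as an essential cookie so the notice is not
  // re-shown on every page, with a timestamp kept for audit purposes.
  recordDecision() {
    const record = JSON.stringify({ decision: this.decision, at: this.now() });
    this.jar.set(CONSENT_COOKIE, record, { ...DEFAULT_ATTRS, maxAge: 180 * 24 * 3600 });
  }
}

// Walk-through on constructed input: a page sets a session cookie and tries to set
// an analytics cookie before the visitor has answered the notice.
function demo(choice) {
  const jar = new MemoryCookieJar();
  const gate = new ConsentGate(jar, () => "2025-03-20T00:00:00Z");
  const r1 = gate.request("sessionid", "abc123", CATEGORY.ESSENTIAL, { httpOnly: true });
  const r2 = gate.request("_analytics", "visitor-42", CATEGORY.NON_ESSENTIAL);
  const beforeDecision = jar.has("_analytics");
  if (choice === "accept") gate.accept(); else gate.decline();
  return {
    r1, r2, beforeDecision,
    sessionSet: jar.has("sessionid"),
    analyticsSet: jar.has("_analytics"),
    record: JSON.parse(jar.get(CONSENT_COOKIE)),
  };
}
```

The point of routing every cookie through `request` with an explicit category is that the common failure (an analytics or advertising tag writing its cookie on page load, before the banner is answered) becomes impossible by construction rather than a matter of script ordering; the essential session cookie is unaffected either way.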
Compliance Audit Returns Filing
Under the GAID, data controllers and processors are required to conduct periodic compliance audits of their data processing activities to confirm that they have the processes and systems in place, and have implemented the appropriate technical and organisational measures, to mitigate the risk of data breaches. These audits should follow a risk-based approach that considers the people, processes, and technologies involved in the data processing value chain.
For DCPMIs, filing of Compliance Audit Returns ("CAR") is an annual obligation. DCPMIs incorporated before 12 June 2023 must file their CAR with the NDPC by 31 March each year, while those established after that date must file within 15 months of commencing operations and thereafter annually by 31 March.
In addition, organisations classified as Ultra-High Level (UHL) DCPMIs and Extra-High Level (EHL) DCPMIs are generally required to file the CAR through a licensed Data Protection Compliance Organisation (DPCO) unless otherwise provided by the NDPC.
Filing Fees
The fees for filing CARs for UHL DCPMIs and EHL DCPMIs have been revised by the GAID. Schedule 10 of the GAID provides as follows:
SN | DCPMI | Tier | Fee (N)
---|---|---|---
1 | Ultra-High Level (UHL) | A – 50,000 data subjects and above | 1,000,000
1 | Ultra-High Level (UHL) | B – 25,000 - 49,999 data subjects | 750,000
1 | Ultra-High Level (UHL) | C – below 25,000 data subjects | 500,000
2 | Extra-High Level (EHL) | A – 10,000 data subjects and above | 250,000
2 | Extra-High Level (EHL) | B – 2,500 - 5,000 data subjects | 200,000
2 | Extra-High Level (EHL) | C – below 2,500 data subjects | 100,000
Late submission of a CAR attracts a 50% penalty in addition to the standard filing fee.
Guidance on key issues
The GAID provides organisations with additional guidance on the key issues they need to consider when relying on any of the legal bases for processing recognised under the NDPA. It also sets out the essential requirements that guide data controllers and processors in conducting DPIAs, notifying the NDPC and data subjects of data breach incidents, facilitating the exercise of data subject rights, and complying with the NDPA's cross-border data transfer requirements.
We are still analysing the details of the GAID and will provide further updates on its implications for data controllers and processors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.