On March 20, 2025, the Nigeria Data Protection Commission (the "NDPC") took a significant step toward deepening regulatory clarity and enforcement with the issuance of the Nigeria Data Protection Act General Application and Implementation Directive, 2025 (the "NDP ACT, GAID 2025/ Directive"). 1 Released pursuant to its powers under the Nigeria Data Protection Act, 2023 (the "NDP Act"), the Directive sets the tone for how data controllers and processors must align their operations with the NDP Act.2
This article explores key provisions of the GAID 2025 and unpacks what they mean for organisations navigating Nigeria's evolving data protection regime.
1. Clarifying the Legal Hierarchy and Transition from NDPR
Notably, the issuance of the NDP ACT GAID 2025 officially repeals the NDPR 2019 as a binding legal instrument for data privacy and protection in Nigeria. While this marks a significant regulatory shift, it is important to note that acts performed under the NDPR prior to the release of the NDP ACT GAID 2025 remain valid and unaffected.
Furthermore, for the sake of clarity, and harmonisation of the data protection laws in Nigeria, in the event of a conflict between the NDP Act and the NDP GAID 2025, the NDP Act shall take precedence.
2. Expansion of the Definition of Data Controller or Data Processor of Major Importance
The NDP ACT GAID 2025 has expanded the definition of data controllers or data processors of major importance "operating in Nigeria" contained in section 65 of the NDP Act3. It broadens the interpretation of "operating in Nigeria" to include entities that are neither domiciled nor resident in Nigeria but specifically target Nigerian data subjects4. This extension means that foreign entities that offer goods, services, or monitor the behaviour of individuals in Nigeria fall within the regulatory reach of the NDP Act.
In addition, the NDP ACT GAID 2025 outlines parameters the NDPC may consider when determining whether a data controller or processor's activities are of major importance. These include factors such as the volume and sensitivity of data processed, the sector in which the entity operates, and the potential impact of its data activities on Nigeria's economy, society, or national security.
3. Data Controllers or Data Processors of Major Importance Compliance Audit Returns Filing Fee
The Directive introduces a tiered compliance framework for Data Controllers or Data Processors of Major Importance (DCPMI), particularly in relation to the filing of compliance audit returns. These organisations are now classified into three distinct levels based on the scale of their data processing activities:
| DCPMI | Tier | Fee(₦) |
|---|---|---|
| Ultra-High Level- (MDP-UHL) |
A – 50,000 data subjects and above. B – 25,000-49,999 data subjects. C – below 25,000 data subjects. |
1,000,000 750,000 500,000 |
| Extra-High Level – (MDP-EHL) |
A – 10,000 data subjects and above. B – 5,000-2,500 data subjects. C – below 2,500 data subjects. 100,000 |
250,000 200,000 100,000 |
Each category has sub-tiers based on the number of data subjects processed, with corresponding filing fees as outlined below:
4. Annual Compliance Audit Returns Filing
In line with the new tiered framework, organisations classified under the Extra-High Level (EHL) and Ultra-High Level (UHL) categories are required to submit Compliance Audit Returns (CAR) through a Data Protection Compliance Organisation ("DPCO") to the Nigeria Data Protection Commission (NDPC) annually.
The filing deadlines vary depending on the date of establishment:
- for organisations established before 12th June,2023: CAR must be filed on or before 31st March of every year.
- for organisations established after 12thJune, 2023: CAR must be filed within fifteen (15) months of establishment and annually thereafter.
This requirement underscores the NDPC's intention to maintain robust oversight over entities processing significant volumes of personal data or handling data of critical national importance.
5. Mandatory Data Privacy Impact Assessment (DPIA)
The Directive prescribes specific circumstances under which a Data Controller or Data Processor is required to conduct and file a DPIA with the NDPC. These circumstances are considered high-risk due to their potential impact on the rights and freedoms of data subjects. They include:
- evaluation or scoring activities, such as profiling;
- automated decision-making processes that have legal or similarly significant effects on data subjects;
- systematic monitoring of individuals;
- processing involving sensitive or highly personal data;
- processing of personal data relating to vulnerable data subjects;
- deployment of innovative processes or new technological or organisational solutions that may pose significant privacy risks;
- development of software designed to enable communication with data subjects;
- provision of financial services involving the processing of personal data through digital devices;
- delivery of health care services;
- engagement in e-commerce activities;
- deployment of surveillance cameras in areas accessible to the public; and
- development and implementation of legal instruments or policies that necessitate the processing of personal data belonging to members of the general public.
This requirement ensures that potential privacy risks are identified and addressed proactively, in line with global best practices for data protection.
6. Mandatory obligations of Data Controllers and Data Processors
The Directive sets out detailed compliance obligations for data controllers and data processors which include:
- preparation and maintenance of semi-annual data protection reports, offering a comprehensive analysis of all data processing activities conducted within each six months;
- sensitisation and training programmes aimed at fostering a culture of data protection compliance throughout the organisation;
- development or review of organisational privacy policies to ensure alignment with the NDP Act and global best practices;
- provision of privacy and cookie notices on the homepage of the organisation's website. The cookie notice must offer data subjects the opportunity to either accept or decline the use of cookies;
- conduct of a Data Privacy Impact Assessment (DPIA) where required under the NDP Act, or when directed by the NDPC;
- notification of the NDPC of personal data breaches within seventy-two (72) hours of becoming aware of the breach;
- immediate notification of affected data subjects where the personal data breach is likely to result in a high risk to their privacy rights;
- review and update of agreements with third-party data processors, ensuring such agreements reflect the data protection obligations under the NDP Act;
- implementation of data protection by design and by default, ensuring systems, platforms, and processes are developed to uphold data privacy principles from inception.
These responsibilities are critical to establishing a privacy-conscious ecosystem and ensuring that organisations remain in compliance with Nigeria's evolving data protection framework.
7. Evaluation of Household or Personal Purposes Risky Data Processing Activities
While the NDP Act recognises that individuals may process personal data solely for household or personal purposes, such activities are not entirely exempt from regulatory oversight. The NDP Act imposes a duty on individuals to respect the privacy of data subjects and provides that they may be held accountable for any conduct that puts a data subject at risk.
Pursuant to the NDP ACT GAID 20255, the following activities have been identified as risky data processing practices by individuals, even in personal or household contexts:
- granting data controllers or processors access to phone contacts through digital applications or software without proper safeguards;
- sharing or transferring personal data to third parties or platforms without lawful basis;
- failing to exercise due care in the handling of devices that store personal data;
- verbally or in writing disclosing personal data without authorisation;
- permitting or facilitating unauthorised access to another person's personal data.
This provision reinforces the principle that data protection obligations are not limited to corporate entities alone, and that individuals must also act responsibly when handling the personal data of others, regardless of the context.
8. Exemption of Data Controllers and Data Processors of Major Importance from Registration
In line with section 44(6) of the NDP Act6, the NDPC exempts the following categories of data controllers of major importance from registration:
- community-based associations;
- faith-based organisations;
- foreign embassies and high commissions;
- judicial establishments or bodies carrying out adjudicatory functions; and
- multigovernmental organisations.
9. Data Processing Fees
Pursuant to Section 6(b) of the NDP Act, the NDPC is empowered to prescribe applicable fees in relation to data processing activities conducted by data controllers and data processors.
In line with this provision, the NPD GAID ACT 2025 introduced a data processing activities fee of Five Thousand Naira (₦5,000) for each data processor that a data controller of major importance classified under the MDP-UHL category engages for data processing activities within a period of 12 (twelve)calendar months.
However, where a data controller transfers data processing responsibilities from one data processor to another within the same 12 (twelve)calendar-month period, the controller shall not be required to pay an additional processing fee for the newly engaged processor within that period.
Conclusion
The issuance of the NDP ACT GAID 2025 marks a significant turning point in Nigeria's data protection landscape, ushering in a period of increased focus on clarity, compliance, and accountability. As the NDPC intensifies its oversight and broadens its regulatory framework, organisations, whether local or international, can no longer afford to treat data protection as an afterthought.
Whether you are a startup, a tech giant, or a multinational corporation operating in Nigeria, now is the time to reassess your data processing activities, understand your classification, and take proactive steps to comply with the obligations set out in the NDP Act and NDP ACT GAID 2025.
Footnotes
1. https://ndpc.gov.ng/wp-content/uploads/2025/03/NDP-ACT-GAID-2025-MARCH-20TH.pdf
2. Section 6 of the Nigeria Data Protection Act, 2023 (the "NDP Act")
3. "data controller or data processor of major importance" means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate
4. Article 8(2) of the NDP ACT GAID 2025
5. Article 6
6. Section 44(6) of the NDP Act provides that the Commission may exempt a class of data controllers or data processors of major importance from the registration requirements of this section, where it considers such requirement to be unnecessary or disproportionate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
