INTRODUCTION
The General Application and Implementation Directive (GAID) 2025 is a key regulatory instrument issued by the Nigeria Data Protection Commission (NDPC) on March 20, 2025, pursuant to its powers under the Nigeria Data Protection Act (NDPA), 2023. The GAID is scheduled to become operational on September 19, 2025, and is intended to guide the interpretation and implementation of the NDPA across both public and private sector data processing activities in Nigeria.
KEY UPDATES UNDER THE GAID 2025
Below are the most significant updates introduced by the General Application and Implementation Directive (GAID) 2025, which clarify and expand upon key provisions of the Nigeria Data Protection Act (NDPA), 2023.
- Repeal of the NDPR as a Governing Framework
With the issuance of the GAID, the Nigeria Data Protection Regulation (NDPR) 2019 ceases to apply as a legal framework for regulating data privacy and protection in Nigeria.1 This aligns with Section 64 of the NDPA, which provides transitional provisions for the shift from the NDPR to the NDPA. However, actions lawfully taken under the NDPR prior to the issuance of the GAID remain valid and are not retroactively affected. This update marks a formal and complete transition to the NDPA as the sole legal basis for data protection compliance in Nigeria.
- Household or Personal Data Processing Obligations
Individuals processing personal data for household or personal use must still respect data privacy and can be held accountable for actions that put others' data at risk. Risky conduct includes granting app access to contact lists, sharing data with others or online, mishandling devices that store personal data, disclosing data verbally or in writing, and allowing unauthorized access to personal information.2
- Expanded Compliance Duties for Data Controllers and Processors
The GAID introduces a detailed compliance framework for data controllers and processors. Key requirements include registration (where designated as major), conducting annual data compliance audits, filing compliance returns, appointing a Data Protection Officer (DPO), and implementing internal privacy training and monitoring systems.3 Entities must also publish clear privacy and cookie notices, report data breaches within 72 hours, and ensure systems support data subject rights like access, correction, and portability. These measures are designed to embed accountability and transparency into all data processing operations.
- "Operating in Nigeria" Now Includes Foreign Entities Targeting Nigerians
Article 8 of the GAID expands the interpretation of "operating in Nigeria" to include data controllers and processors not physically present in the country but who target Nigerian data subjects. This means that any organization, whether domiciled abroad or not, that processes personal data in a way that significantly impacts Nigeria's economy, society, or security may be classified as a data controller or processor of major importance. The NDPC considers factors such as volume and sensitivity of data, cross-border transfers, use of third-party infrastructure, and risk to data subjects. To align regulatory obligations with the scale of data processing, entities are categorised into Ultra-High, Extra-High, or Ordinary-High levels.
- Mandatory Registration for Data Controllers and Processors of Major Importance
Article 9 requires all data controllers and processors designated as being of major importance to register with the NDPC. Entities classified as Ultra-High Level (UHL) or Extra-High Level (EHL) must register once and only file annual compliance returns (CAR), while those in the Ordinary-High Level (OHL) category must renew their registration annually, without needing to file separate CARs.
Entities must also notify the Commission within 60 days of any significant change to their registration details.4 If an organisation no longer qualifies as a data controller or processor of major importance, it may request removal from the register, although it remains liable for any outstanding fees.5 The NDPC will publish and update the register annually to ensure transparency.6
- Filing of NDP Act Compliance Audit Returns (CAR)
Data controllers/processors must conduct periodic audits to assess risks and mitigate data breaches.7 Key requirements:
  - A risk-based approach for audits.
  - Annual CAR filing for UHL and EHL entities; new entities must file within 15 months.
  - Failure to file on time incurs a 50% penalty.
  - CAR submitted via the Commission's platform, with possible additional information requests.
  - UHL/EHL entities must file through a licensed Data Protection Compliance Organisation (DPCO).
- Designation, Position, and Credential Assessment of Data Protection Officer (DPO)
  - Designation of DPO: Data controllers/processors must designate a DPO, either as an internal staff member or via a service contract, and must communicate the DPO's contact details to the Commission.8
  - Position of DPO: DPOs must be actively involved in data processing decisions, receive adequate support, and report directly to management. They should be free from coercion, and their role includes confidentiality obligations. They may have other tasks, provided there is no conflict of interest.9
  - Semi-Annual Data Protection Report: The DPO must compile and submit a report on data protection compliance every six months, covering privacy notices, data security, lawful bases for processing, and more.10
  - Credential Assessment of DPO: The Commission will maintain a database of certified DPOs and conduct annual assessments to ensure ongoing professionalism. DPOs must meet specific criteria, including continuous professional development, and may be subject to verification.11
- Data Processing Requiring Consent and Reliance on Consent
  - Consent is required for direct marketing, sensitive data, further incompatible processing, child data, cross-border transfers, and automated decisions with legal impact.12
  - Reliance on Consent: Consent should be prioritized, but other lawful bases can be considered if consent undermines the rule of law. The Commission will assess risks to rights and security.13
  - Accountability: Data controllers must maintain consent records, ensure easy withdrawal, and guarantee that refusal doesn't harm the data subject's rights. Constructive or implied consent is allowed in specific situations.
- Consent Requirements for Cookies and Tracking Tools
The GAID reinforces the requirement for clear, informed, and freely given consent before deploying cookies or similar tracking tools on websites or digital platforms. Cookie banners must be prominently displayed without requiring users to scroll. While necessary cookies (supporting core site functions and not processing sensitive data) do not require consent, all other types demand an explicit "accept" or "reject" option. Website owners must also provide transparent details on the purpose, controller, and withdrawal process. Tools functionally similar to cookies are subject to the same consent rules.14
- Measures Against Privacy Breach Abetment
The GAID introduces stricter obligations for data controllers and processors to actively prevent their platforms, facilities, or networks from being used to infringe on data privacy rights. Upon being notified by the NDPC of misuse, they must immediately restrict the offending party, pending investigation.15 Failure to act on such directives renders them liable for abetting a privacy breach, treated as a direct violation of the NDP Act. The Commission will rely only on credible documentary or electronic evidence in determining breaches.
- Clarification on the Right to Be Forgotten
The GAID reinforces the data subject's right to have their personal data erased under specific conditions, such as when data is no longer needed, consent is withdrawn, processing is objected to or unlawful, or erasure is required by law.16 However, this right is limited where data is needed for public interest, legal claims, freedom of expression, public health, or scientific/historical/statistical purposes. When data has been made public or shared, the controller must ensure third-party erasure upon request. Claims of overriding public interest must be proven by the data controller.
- Data Subject's Standard Notice to Address Grievance (SNAG)
Data subjects can issue a Standard Notice to Address Grievance (SNAG) if they believe their data privacy rights have been violated.17 The SNAG serves as a template for requesting internal remediation and is not required before filing a complaint with the Commission or taking legal action. It can be issued by the data subject, their representative, or a civil society organization. The Commission may create an electronic platform to track SNAGs. Data controllers or processors must respond to SNAGs via the platform, and the Commission can investigate unresolved grievances. SNAGs can be delivered through various communication methods, including email and physical mail.
Conclusion
The GAID 2025 marks a significant evolution in Nigeria's data protection landscape, offering clearer obligations, expanded protections, and stronger enforcement mechanisms. Organizations and individuals must begin aligning their practices with the Directive ahead of its commencement on September 19, 2025. It is very important for businesses to engage leading Data Protection Compliance Organizations (DPCOs) in Nigeria or data privacy lawyers to navigate the complexities of data protection regulations. They help organizations
Footnotes
1 Article 3(3) of the GAID, 2025.
2 Article 6(2) of the GAID, 2025.
3 Article 7 of the GAID, 2025.
4 Article 9(4) of the GAID, 2025.
5 Article 9(5)(6) of the GAID, 2025.
6 Article 9(7) of the GAID, 2025.
7 Article 10 of the GAID, 2025.
8 Article 11 of the GAID, 2025.
9 Article 12 of the GAID, 2025.
10 Article 13 of the GAID, 2025.
11 Article 14 of the GAID, 2025.
12 Article 18 of the GAID, 2025.
13 Article 17 of the GAID, 2025.
14 Article 19 of the GAID, 2025.
15 Article 32 of the GAID, 2025.
16 Article 38 of the GAID, 2025.
17 Article 40 of the GAID, 2025.