
On March 20, 2025, the Nigeria Data Protection Commission (NDPC) issued the Nigeria Data Protection Act General Application and Implementation Directive (GAID), which takes effect in September 2025. The directive is the core regulatory instrument for implementing the Nigeria Data Protection Act (NDPA) 2023: it provides detailed guidance intended to ensure uniform compliance across industries, safeguard the right to privacy, and foster the trusted use of data in Nigeria’s digital economy.
KEY PROVISIONS AND ANALYSIS
1. OBJECTIVES AND APPLICATION (ARTICLE 1)
SCOPE: The GAID clarifies the material and territorial scope of the NDP Act, emphasizing its constitutional obligation to consider the right to privacy in all data processes and transactions in Nigeria.
EXTRATERRITORIAL REACH: Notably, the Act applies to data controllers or processors not domiciled in Nigeria but who process or target the personal data of data subjects within Nigeria.
UNIVERSALITY OF RIGHTS: It extends data subject rights to individuals within Nigeria (regardless of nationality), those whose data is transferred to Nigeria, data in transit through Nigeria (with limited obligations for confidentiality, integrity, and availability), and Nigerian citizens abroad (with provisions for mutual legal assistance).
This broad application underscores Nigeria’s commitment to protecting its citizens’ data privacy globally and asserts jurisdiction over foreign entities processing Nigerian data, a common feature in modern data protection regimes like GDPR.
2. PRIORITY OF THE NDP ACT AND CESSATION OF NDPR 2019 (ARTICLE 2 & 3)
SUPREMACY: The GAID reinforces Section 63 of the NDP Act, stating that the Act’s provisions prevail where any other law or enactment is inconsistent with it in matters of personal data processing. In cases of conflict between the NDP Act and the GAID, the Act takes precedence.
TRANSITION: Significantly, upon the GAID’s issuance, the Nigeria Data Protection Regulation (NDPR) 2019 ceases to be a legal instrument for data privacy regulation, though actions taken under the NDPR prior to the GAID remain valid.
This provision ensures legal certainty and a unified regulatory framework, preventing fragmentation and potential conflicts arising from multiple data protection instruments. The clear transition from NDPR 2019 is crucial for compliance.
3. COOPERATION WITH PUBLIC AUTHORITIES (ARTICLE 4)
COLLABORATION MANDATE: The Commission is mandated to collaborate with public authorities to achieve the NDP Act’s objectives. This includes cooperating in developing sub-national or sectoral data protection guidelines.
OVERSIGHT AND REVIEW: The Commission will periodically review such guidelines to ensure compliance with the NDP Act and may request joint reviews if a guideline negates the Act’s objectives.
CAPACITY BUILDING: Proactive steps include setting up Data Privacy Service Units, Legal Clinics, and Centres of Excellence.
This fosters a collaborative approach to data protection across different sectors and governmental levels, aiming for consistency while allowing for sector-specific nuances.
4. EVALUATION OF EXEMPTIONS (ARTICLE 5)
LIMITED EXEMPTIONS: While Section 3 of the NDP Act provides for exemptions, the GAID clarifies that even exempted data processing activities remain bound by core provisions such as principles of personal data processing (S. 24), lawful basis (S. 25), DPO designation (S. 32), breach notification (S. 40), and data subjects’ rights (Part VI).
ASSESSMENT PARAMETERS: The Commission will consider factors like the degree of derogation under the Constitution, lawful basis, impact on data subjects, compliance with data protection principles, proportionality, and the opportunity for complaints when assessing exempted activities.
This ensures that exemptions are not loopholes and that fundamental data protection principles and data subjects’ rights are maintained even in exempted scenarios, preventing misuse.
5. GENERAL COMPLIANCE MEASURES FOR DATA CONTROLLERS AND PROCESSORS (ARTICLE 7)
REGISTRATION AND AUDITS: Obligation to register with the Commission (for data controllers and processors of major importance) and to conduct annual compliance audits.
REPORTING: Filing annual Compliance Audit Returns (CAR) for Ultra-High Level (UHL) and Extra-High Level (EHL) organizations by March 31st each year. Preparation of semi-annual data protection reports.
DPO DESIGNATION: Data controllers/processors of major importance must designate a Data Protection Officer (DPO).
PRIVACY POLICIES & NOTICES: Development and publication of organizational privacy policies and provision of transparent privacy and cookie notices on platforms.
DPIA AND BREACH NOTIFICATION: Conducting Data Privacy Impact Assessments (DPIA) when required, notifying the Commission of personal data breaches within 72 hours, and notifying data subjects immediately where the breach poses a high risk to them.
DATA SUBJECT RIGHTS: Design systems for seamless data requests, corrections, updates, and portability.
This article provides a comprehensive checklist for compliance, covering the entire lifecycle of data processing from collection to handling breaches and upholding data subject rights. The emphasis on transparency and accountability is clear.
6. DESIGNATION AND REGISTRATION OF DATA CONTROLLERS AND PROCESSORS OF MAJOR IMPORTANCE (ARTICLE 8 & 9)
DEFINITION: Defines “data controller or data processor of major importance” based on domiciliation, operation in Nigeria, number of data subjects, or processing of data of particular value/significance to Nigeria’s economy, society, or security.
CATEGORIZATION: Classifies major data processing into Ultra-High Level (UHL), Extra-High Level (EHL), and Ordinary-High Level (OHL) with associated registration and filing requirements. The GAID introduces changes to the Data Controllers and Processors of Major Importance (DCPMI) registration requirements, exempting certain organizations and removing some previous classification metrics. Only Ultra-High Level (UHL) and Extra-High Level (EHL) DCPMIs are now required to file Compliance Audit Returns (CAR) annually through a Data Protection Compliance Organisation (DPCO).
This tiered approach allows for proportionate regulation, placing greater obligations on entities with higher data processing volumes or those handling sensitive/critical data.
7. FILING OF NDP ACT COMPLIANCE AUDIT RETURNS (ARTICLE 10)
MANDATORY AUDITS: Requires periodic compliance audits with a risk-based approach.
FILING DEADLINES AND PENALTIES: UHL and EHL categories must file CAR annually by March 31st (or within 15 months of establishment, for newly established entities), with a 50% administrative penalty for late filings.
DPCO INVOLVEMENT: UHL and EHL entities are generally required to file CAR through a licensed Data Protection Compliance Organisation (DPCO).
This provision establishes a clear enforcement mechanism, linking compliance with regular audits and imposing penalties for non-adherence, thereby promoting a culture of accountability.
8. DESIGNATION AND POSITION OF A DATA PROTECTION OFFICER (ARTICLE 11 & 12)
MANDATE: Mandates the designation of a DPO, who can be an internal staff member or an external service provider.
SUPPORT AND INDEPENDENCE: Data controllers/processors must actively engage DPOs, provide necessary resources, ensure access to processing activities, facilitate continuous training, and guarantee the DPO’s independence (not subject to duress or penalization for performing tasks). DPOs report directly to management.
DATA SUBJECT CONTACT: Data subjects can contact the DPO for all data processing and rights-related issues.
The GAID strengthens the DPO’s role, emphasizing their critical function in ensuring compliance and acting as a key point of contact for both the organization and data subjects. The independence provisions are vital for effective oversight.
9. LAWFUL BASES OF DATA PROCESSING (ARTICLES 16-26)
COMPREHENSIVE LISTING: The GAID elaborates on various lawful bases, including consent, contract, legal obligation, vital interest, public interest, and legitimate interest.
CONSENT REQUIREMENTS: Specifies scenarios where consent is required (e.g., direct marketing, sensitive personal data, child’s data, cross-border transfers without adequacy decisions, automated decisions). It also emphasizes ease of consent withdrawal and non-detrimental refusal.
LEGITIMATE INTEREST ASSESSMENT (LIA): Requires cautious consideration and justification for relying on legitimate interest, with a template provided in Schedule 8.
This section provides crucial practical guidance for organizations to determine appropriate legal grounds for processing personal data, aligning with international best practices that prioritize data subject rights and transparency.
10. DATA PRIVACY IMPACT ASSESSMENT (DPIA) (ARTICLE 28)
MANDATORY SCENARIOS: DPIAs are required for high-risk processing activities, including systematic and extensive evaluation, processing of sensitive personal data on a large scale, and processing activities that may lead to discrimination or significant damage.
TIMELINES: DPIAs must be conducted before processing begins; within four months where software that processes sensitive personal data is deployed after the GAID; and within six months for processing already under way.
PRIVACY BY DESIGN: DPIAs must demonstrate privacy by design and by default, focusing on proactive measures, mitigation of risks, end-to-end security, transparency, and respect for user privacy.
DPIAs are a proactive risk management tool, compelling organizations to assess and mitigate privacy risks before new processing activities commence, thereby embedding privacy considerations from the outset.
11. DATA BREACH NOTIFICATION (ARTICLE 33)
TIMELY NOTIFICATION: Data controllers must notify the Commission within 72 hours of becoming aware of a personal data breach.
DATA SUBJECT NOTIFICATION: Data subjects must be notified immediately if the breach is likely to result in a high risk to their privacy.
INFORMATION REQUIRED: The notification to the Commission must include details such as the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
This provision ensures prompt action and transparency in the event of a breach, empowering both the regulator and affected individuals to take necessary steps to mitigate harm.
12. CROSS-BORDER DATA TRANSFER (ARTICLE 45)
OVERARCHING PROVISION: Part VIII of the NDP Act governs all cross-border transfers of personal data from Nigeria.
ADEQUACY DECISIONS AND SAFEGUARDS: Pending specific regulatory instruments, Schedule 5 of the GAID provides an explanatory note for evaluating countries for adequacy decisions and other recognized grounds for transfer.
This is a critical provision for businesses operating internationally, providing a framework for legitimate data flows while ensuring adequate protection for Nigerian data subjects, aligning with global data localization and transfer principles.
Finally, the GAID signifies a crucial step and a major update in operationalizing data protection in Nigeria, providing clear, actionable guidelines for legal practitioners and organizations navigating the evolving landscape of data privacy. The GAID emphasizes accountability, transparency, and the fundamental rights of data subjects, positioning Nigeria as a key player in the global digital economy.
SOURCES
1. Nigeria Data Protection Act (NDPA) 2023.
2. Nigeria Data Protection Act General Application and Implementation Directive (GAID) 2025.