Navigating the NDPC’s General Application and Implementation Directive (GAID) 2025

Key highlights and takeaways from the general application and implementation directive (GAID) 2025.

Nigeria’s data protection landscape has taken a significant step forward with the introduction of the General Application and Implementation Directive (GAID) 2025 by the Nigeria Data Protection Commission (NDPC) on March 20, 2025. This directive provides practical guidelines for implementing the Nigeria Data Protection Act (NDPA) 2023. The GAID is a significant step toward safeguarding privacy rights, enhancing legal certainty in data practices, and supporting Nigeria’s digital economy. The directive’s scope encompasses individual responsibilities, cross-border data transfers and emerging technologies [1], providing comprehensive guidance for stakeholders.

Highlights of GAID 2025

1. Legal Reach and Data Subject Rights

The GAID affirms that data protection rights extend beyond borders, applying not only to Nigerian residents but also to anyone whose personal data is processed within Nigeria’s jurisdiction regardless of their nationality and residency status. Even Nigerian citizens abroad may be protected under certain conditions [2]. Article 2 of the GAID further underscores the significance of personal data as a key element in governance and national development, identifying critical sectors such as immigration, finance, healthcare, and education where data protection is essential, thus establishing the NDPA as a unifying federal authority on privacy. [3]

2. Cancellation of the Nigeria Data Protection Regulation (NDPR) 2019

To avoid fragmentation in data regulation, Article 3 declares the NDPA the prevailing legal standard in cases of conflict with other laws.[4] It also formally retires the 2019 Nigeria Data Protection Regulation (NDPR). However, all actions taken under the NDPR before the issuance of the GAID remain valid. This includes annual audit returns filed prior to the release of the GAID.

3. Duties of Data Controllers and Processors

The GAID places heavy emphasis on compliance and accountability. It requires entities handling personal data to:

  1. Register with the NDPC.
  2. Appoint Data Protection Officers (DPOs).
  3. Conduct regular audits and submit reports.
  4. Publish transparent privacy policies.[5]

Non-compliance with these requirements can lead to administrative penalties. The GAID requires DPOs to:

  1. Submit semi-annual reports
  2. Undergo credential assessments
  3. Ensure internal privacy training.[6]

These measures institutionalize a culture of privacy and encourage proactive risk management.

4. Principles and Lawful Bases of Data Processing

Central to the directive are the eight core principles of data protection, including fairness, transparency, purpose limitation, and accountability.[7] The GAID outlines six lawful bases for processing data:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interest
  5. Public interest
  6. Legitimate Interest [8]

The GAID stresses the importance of informed consent and offers guidance for situations where implied consent may be acceptable.[9] It further provides detailed criteria for consent in the use of cookies on websites, marketing, and sensitive data handling.[10]

5. Risk Assessment and Emerging Technologies

The GAID mandates Data Privacy Impact Assessment (DPIA) for high-risk data activities, especially where new technologies or large-scale processing of personal data is involved.[11] It lists sectors such as healthcare, finance, education, hospitality and e-commerce as priorities for DPIA. The framework also considers cross-border data flows and data ethics, providing guidance for balancing innovation with privacy.[12]

6. Standard Notice to Address Grievance (SNAG)

The GAID introduces a Standard Notice to Address Grievance (SNAG) template for data subjects to report potential data privacy breaches to data controllers or processors. This notice can be submitted via email, postal address, or courier service. The SNAG serves as an internal dispute resolution tool and is not mandatory for filing complaints directly with the Commission. Data controllers or processors who receive a SNAG must notify the Commission of their response through a designated electronic platform.

7. Filing of Compliance Audit Returns (“CAR”)

Pursuant to the General Application and Implementation Directive (GAID), data controllers and processors are mandated to conduct periodic compliance audits of their data processing activities. These audits are intended to ensure the establishment and maintenance of processes and systems that implement appropriate technical and organisational measures to mitigate the risk of data breaches. Compliance audits must adopt a risk-based approach, taking into account the people, processes, and technologies engaged across the data processing value chain.

For Data Controllers and Processors of Major Importance (DCPMIs), the submission of Compliance Audit Returns (“CAR”) is an annual statutory obligation.

  • DCPMIs incorporated on or before 12 June 2023 are required to file their CAR with the Nigeria Data Protection Commission (NDPC) no later than 31 March of each year.
  • DCPMIs incorporated after 12 June 2023 must file their first CAR within fifteen (15) months of commencing operations and thereafter submit annually by 31 March.

Furthermore, organisations classified as Ultra-High Level (UHL) or Extra-High Level (EHL) DCPMIs are generally required to submit their CAR through a licensed Data Protection Compliance Organisation (DPCO), except where the NDPC directs otherwise.

8. Filing Fees

The fees for filing Compliance Audit Returns (CAR) have been upwardly revised. Schedule 10 of the GAID provides the new filing fees as follows:

  S/N  DCPMI                    Tier                                  Fee
  1.   Ultra-High Level – UHL   A – 50,000 data subjects and above.   1,000,000
                                B – 25,000-49,999 data subjects.      750,000
                                C – below 25,000 data subjects.       500,000
  2.   Extra-High Level – EHL   A – 10,000 data subjects and above.   250,000
                                B – 5,000-2,500 data subjects.        200,000
                                C – below 2,500 data subjects.        100,000

Conclusion

The GAID 2025 represents a significant milestone in Nigeria’s data protection landscape; it reinforces Nigeria’s position as a proactive player in global data governance. By setting clear guidelines, strengthening compliance obligations and promoting a culture of privacy, it sets a framework for a trusted, secure and ethically governed digital economy. For data controllers and processors, the message is clear: privacy is not just policy—it is law.

As part of our Data Protection series, we will be releasing serial publications on GAID compliance. We will also provide practical insights into the NDPA-GAID framework, exploring key provisions, implications for businesses, and implementation strategies.

Lex Luminar is a licensed Data Protection Compliance Organization (DPCO). We are available to offer comprehensive support for GAID and NDPA compliance. For personalized advice or specific guidance tailored to your business, consult our team at support@lexluminar.com.


FOOTNOTES

[1] GAID Preamble; Section 37, 1999 Constitution; NDPA Sections 1(a), 6(c)

[2] GAID Article 1(2-4); NDPA Section 2(c)

[3] GAID Article 2(b); Exclusive Legislative list, 2nd Schedule of the 1999 Constitution

[4] GAID Article 3(1); NDPA Section 63 – Legal Supremacy Clause

[5] GAID Articles 7, 8, 9; NDPA Sections 32, 65

[6] GAID Articles 12-14 – Responsibilities and Credentialing of DPOs

[7] GAID Article 15; NDPA Section 24 – Principles of Personal Data Protection

[8] GAID Article 16; NDPA Section 25

[9] GAID Articles 17-18

[10] GAID Article 19 – Use of Cookies and Tracking Tools

[11] GAID Article 28 – DPIA Guidelines; Schedule 4

[12] GAID Articles 43-45 – Emerging Technologies & Cross-Border Transfers
