Published on
April 2, 2025

Key Highlights of the Nigerian Data Protection Act - General Application and Implementation Directive (GAID)

After almost a year of deliberation, the Nigerian Data Protection Act (NDPA) General Application and Implementation Directive (GAID) has completed the journey from proposal to enforceable regulation. The Nigerian Data Protection Commission (NDPC) published the draft GAID on May 31, 2024 to establish implementation frameworks for enforcing the provisions of the NDPA. On March 20, 2025, the NDPC issued the GAID as a legal instrument guiding data controllers and processors on the implementation of the NDPA. In this article, we examine some of the key provisions of the GAID and their implications for the data protection space in Nigeria.

Highlights of the GAID

Categories of Data Subjects

The GAID clarifies the scope of individuals entitled to data subject rights under the NDPA by identifying four distinct categories:

  1. data subjects within Nigeria, regardless of citizenship or immigration status,
  2. data subjects whose personal data has been transferred to Nigeria,
  3. data subjects whose personal data is transmitted through Nigeria, and
  4. Nigerian citizens living outside Nigeria.

Compliance Provisions

The GAID outlines the core compliance measures for data controllers and processors. Data controllers and processors of major importance must register with the Commission and conduct a compliance audit within 15 months of commencing business, followed by annual audits. They must also develop and publish an organisational privacy policy, display prominent privacy and cookie notices, and explain their data processing activities clearly. Internally, they must maintain a data protection strategy, train staff every six months, and keep compliance reports. A Data Protection Impact Assessment (DPIA) must be conducted where processing is likely to result in a high risk to data subjects, and systems should allow data subjects to access and transfer their data without difficulty. Agreements with third-party processors must be updated to reflect the requirements of the NDPA. In the event of a personal data breach, the Commission must be notified within 72 hours, and affected data subjects must be informed without delay where the breach presents a high risk to them. Controllers and processors of major importance must also file Compliance Audit Returns (CAR) with the Commission annually by March 31 and establish data security maintenance schedules. Lastly, they must clearly communicate the complaints process to data subjects, including their right to lodge a complaint with the Commission.

Categorisation and Compliance of Data Controllers and Processors

The NDPC has classified data controllers and processors into three levels: Ultra High Level (UHL), Extra High Level (EHL), and Ordinary High Level (OHL). The GAID clarifies that UHL and EHL entities register once and then file Compliance Audit Returns (CAR) annually, whereas OHL entities renew their registration annually without filing a CAR. All registered entities must notify the Commission of significant changes to their registration information within 60 days.

Lawful Bases for Data Processing

The GAID requires data controllers to carefully determine the appropriate lawful basis before processing personal data. It recognises several lawful bases: consent, contractual obligation, legal obligation, vital interest, public interest, and legitimate interest. Additionally, the GAID introduces Special Rule of Law Indexes (SRLI) that apply where consent is relied on as the lawful basis. Under these indexes, if a complaint is made to the Commission that personal data was processed without consent, the Commission must assess whether relying on consent in that context would undermine the rule of law. In making this determination, the Commission considers factors such as the potential risk to the fundamental rights and freedoms of the data subject and third parties, security implications, equality, neutrality, and public welfare. It also considers any prior relationship between the data controller and the data subject, and the proportionality and necessity of the processing.

Schedules

Data controllers and processors are mandated to establish comprehensive schedules for the monitoring, evaluation, and maintenance of their data security systems. These schedules must cover personnel, processes, and technologies, and set out specific technical and organisational measures, including regular training, certifications, software updates, database vulnerability tests, hardware assessments, authentication checks, encryption reviews, and quality assurance for the confidentiality, integrity, and availability of personal data. Designated officers must carry out these tasks within stipulated timeframes. Crucially, the schedules must be vetted and certified by a qualified information security officer. Monitoring, evaluation, and maintenance of data security systems must be continuous, with the frequency of each activity determined by the risks inherent in the data processing activities.

Emerging Technologies

Data controllers and processors deploying Emerging Technologies (ETs) like AI, IoT, and Blockchain for personal data processing are required to establish technical and organizational parameters for processing, ensuring ET tools comply with legal thresholds. They are obliged to:

  1. Consider relevant laws and public policy.
  2. Conduct a Data Protection Impact Assessment (DPIA).
  3. Test ETs in low-risk environments.
  4. Assess and address potential disparate outcomes.
  5. Retool and re-test ETs until satisfactory results are achieved.
  6. Implement continuous monitoring and evaluation for safe ET.

Conclusion

The GAID marks a significant step in strengthening Nigeria’s data protection framework, providing clear guidelines for compliance, enforcement, and responsible data processing. By establishing structured obligations for data controllers and processors, the directive enhances regulatory certainty and aligns Nigeria’s data protection landscape with global best practices.
