Navigating GAID 2025: Key Shifts in Nigeria’s Data Protection Framework

INTRODUCTION

The Nigeria Data Protection Act (NDP Act) 2023, augmented by the Nigeria Data Protection Act General Application and Implementation Directive (GAID) 2025, represents a significant stride in safeguarding the fundamental right to privacy and fostering a trusted digital economy in Nigeria. The GAID, issued pursuant to Section 37 of the 1999 Constitution of the Federal Republic of Nigeria and Sections 1(a), 6(c), 61 & 62 of the Nigeria Data Protection Act 2023 by the Nigeria Data Protection Commission (the Commission), serves as a crucial guide for the implementation of the NDP Act, particularly amidst the evolving landscape of disruptive technologies and personal information processing.

Notably, the GAID is set to take effect from the 19th of September 2025, replacing the Nigeria Data Protection Regulation (NDPR) 2019 and the NDPR 2019: Implementation Framework 2020. This review therefore highlights some of the key provisions under the GAID and their implications for businesses.

SCOPE AND APPLICATION OF THE NDP ACT AND GAID

The NDP Act, and by extension the GAID, applies to the processing of personal data, whether automated or not, where the data controller or data processor is domiciled in, resident in, or operating in Nigeria. It also applies if the data controller or processor is not domiciled or resident in Nigeria but processes the personal data of a data subject in Nigeria or targets data subjects in Nigeria. This broad territorial scope underscores Nigeria’s commitment to protecting its citizens’ data globally.

KEY PROVISIONS OF THE GAID

General NDP Act Compliance Measures (Article 7)

Under the NDP Act, data controllers and processors must adopt a range of compliance measures. These include registering with the Commission as a Data Controller or Data Processor of Major Importance (DCPMI), conducting annual compliance audits, and filing Compliance Audit Returns. DCPMIs must also prepare semi-annual data protection reports and designate a Data Protection Officer (DPO). Organizations are further required to maintain robust data security systems, conduct internal training on data privacy, and develop clear privacy policies and cookie notices.

Designation and Registration of DCPMI (Articles 8-9)

A Data Controller or Processor of Major Importance (DCPMI) is designated based on the scale, sensitivity, and significance of data processing in relation to Nigeria’s economy, society, or security. Factors include the number of data subjects, risks to rights, data sovereignty, sensitivity, financial assets handled, reliance on third-party servers, and extent of cross-border flows. The GAID classifies DCPMIs into three levels: Ultra-High Level (UHL) for strategic sectors such as banking, telecoms, insurance, oil and gas, fintech, and payment gateways; Extra-High Level (EHL), which covers government bodies, banks and schools; and Ordinary-High Level (OHL), which covers small industries.

UHLs and EHLs are to register once and file annual Compliance Audit Returns, while OHLs must renew yearly but are exempt from annual CAR filing. The Commission maintains a public register of DCPMIs, with exemptions granted to groups such as faith-based bodies, community associations, embassies, judicial entities, and multigovernmental organizations.

Data Privacy Impact Assessment (DPIA) (Article 28)

A DPIA is mandatory when data processing is likely to result in a high risk to data subjects’ rights and freedoms, especially with new technologies, large-scale processing of sensitive data, systematic monitoring, or automated decision-making with significant effects. DPIAs must detail the processing, its purpose, necessity, proportionality, risks to data subjects, and measures to address those risks. The outcome of a DPIA forms part of the NDP Act Compliance Audit Returns (CAR). Failure to conduct a DPIA can lead to restrictions on data processing platforms.

Cross-Border Data Transfer (Article 45)

Personal data may only be transferred outside Nigeria if the recipient country ensures an adequate level of protection, meaning principles substantially aligned with the NDP Act. Adequacy is determined by factors such as enforceability of rights, legal instruments like mutual assistance treaties, limits on public authority access, effective data protection laws, an independent regulator, and international commitments. Where no adequacy decision exists, transfers may still occur under specific conditions such as informed consent of the data subject, necessity for a contract, benefit to the data subject with implied consent, important public interest grounds, legal claims, or protection of vital interests where consent is impossible.
