On 20 March 2025, the Nigeria Data Protection Commission (Commission) issued the General Application and Implementation Directive (GAID). The GAID serves as a regulatory framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It provides practical guidance for organisations handling personal data and aims to ensure uniform compliance across various industries. Below is a high-level summary of some of its key provisions:

Key Provisions:

  • NDPR Ceases to Apply: With the promulgation of GAID, the Nigeria Data Protection Regulation (NDPR) is no longer in effect, bringing greater uniformity to Nigeria’s data protection landscape. As a result, the NDPR Implementation Framework may also cease to apply, given its basis in the NDPR.
  • Compliance Measures: The GAID outlines key compliance obligations for data controllers and processors, including registration with the Commission as a data controller or data processor of major importance, conducting a compliance audit within 15 months of commencing business and annually thereafter, identifying obligations under the NDPA and preparing a compliance schedule, etc.
  • Data Controllers and Processors of Major Importance: The GAID introduces an updated Guidance Notice on Registration, exempting certain organizations from classification as Data Controllers or Processors of Major Importance. In addition, it removes some metrics previously used for classification, moving away from the broader and all-encompassing approach of the earlier Guidance Notice.
  • Filing of Compliance Audit Returns (CAR): The GAID clarifies that only Data Controllers and Processors of Major Importance are required to file CAR. It further provides that ultra-high-level and extra-high-level data controllers and processors of major importance must file CARs through a Data Protection Compliance Organisation (DPCO). This implies that ordinary high-level data controllers and processors of major importance are not required to engage a DPCO for filing CARs. New official filing fees have been introduced, ranging from a minimum of ₦100,000 to a maximum of ₦1,000,000, depending on the volume of data processed.
  • Data Protection Officers (DPOs): The GAID provides further clarity on DPOs, including their role within an organization, resources and support that must be provided by the organization, responsibilities, and credential assessment criteria for DPOs, etc.
  • Lawful Basis for Processing: The GAID expands on the various lawful bases for processing personal data, detailing when each basis applies. It also introduces a Legitimate Interest Assessment (LIA) template for organizations relying on legitimate interest as a lawful basis for processing.
  • Rights of Data Subjects: The GAID provides further guidance on the mechanisms for exercising data subject rights, including the right to rectification, the right to data portability, the right to be forgotten and the right to lodge complaints with the Commission. Notably, the clarification on data portability enhances understanding of the scope of this right.
  • Information to Data Subjects: The GAID mandates that information provided via privacy policies to data subjects must be clear, considering vulnerable individuals. If a privacy policy cannot be provided or understood in physical events, interviews or interactions, the data controller or processor must ensure the information is accessible in a comprehensible format. Providing this information does not equate to obtaining consent, which must be specifically requested and given when legally required.
  • Cross-Border Transfers: The GAID outlines factors the Commission considers for adequacy decisions but does not list approved countries. It also clarifies that data controllers and processors using cross-border transfer instruments, such as binding corporate rules and standard contractual clauses, must obtain the Commission’s approval. Where neither an adequacy decision nor a transfer instrument applies, other bases (e.g., consent, public interest) are valid only when tied to jural or fiduciary obligations. Jural obligations refer to a legal duty of the data controller or processor, distinct from business interests.
  • Data Protection Impact Assessment (DPIA): The GAID provides additional details on DPIAs, including when a DPIA is mandatory, vetting mechanisms for DPIAs, and a DPIA template included as a schedule.
  • Implementation Timeline: Although the GAID does not explicitly provide an implementation timeline, we have received confirmation from the Commission that it will have a six-month transition period from the date of publication, taking effect on 19 September 2025. The implementation of the new official audit filing fees will commence with the 2026 audit cycle.

Other Key Provisions

  • The GAID also addresses emerging technologies, data processing agreements, data breach notifications, capacity building, and jurisdiction of the courts, among other important matters.

For further insights, detailed advice and/or assistance in aligning your practices with the new framework, please contact us via data.protection@oo.dlapiperafrica.com