Examining Nigeria’s Evolving Data Protection Landscape: Key Insights From The General Application And Implementation Directive (GAID) 2025.
Introduction
On 12 June 2023, the President signed into law the Nigeria Data Protection Act 2023 (“NDPA”). The NDPA succeeded the Nigeria Data Protection Regulation 2019 (“NDPR”).
The objective of the NDPA is to safeguard the fundamental rights, freedoms, and interests of data subjects guaranteed under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended), and to regulate and promote data processing practices that safeguard the security of personal data, among other things. However, the Act was criticised for being too general in application and for lacking a granular regulatory framework: in particular, it provides no metric for classifying a data controller or data processor of major importance, and it contains no provisions on annual audit filings. It is also unclear under the NDPA which court has jurisdiction over disputes arising from the Act.
Hence, on 20 March 2025, the Nigeria Data Protection Commission (the Commission) issued the Nigeria Data Protection Act – General Application and Implementation Directive (“GAID”), in response to some of the issues highlighted above and to provide a comprehensive regulatory framework for data protection in Nigeria.
Key Highlights of the NDPA-GAID
- Addressing Overlaps in Data Protection Regulations: The GAID clarifies the hierarchy of data protection laws in Nigeria. Article 3 provides that where there is a conflict between the Nigeria Data Protection Act (NDPA) and any other law or directive, the NDPA shall prevail. The GAID has also repealed the Nigeria Data Protection Regulation (NDPR), which is no longer in force.
- Clarity on Circumstances Exempted from the Application of the NDPA: The NDPA does not apply to certain instances of personal data processing, such as activities relating to the prevention, investigation, detection, prosecution, or adjudication of criminal offences, the execution of criminal penalties, and the management of national public health emergencies, among others. However, the GAID clarifies that, despite these exemptions, data controllers and processors must still comply with the non-exempted obligations under the NDPA. These non-exempted obligations include the principles of personal data processing, the lawful bases for processing personal data, and the rights of data subjects.
- General Compliance Measures by Data Controllers and Data Processors: The GAID requires data controllers and processors to comply with key obligations, including registration with the Commission, conducting NDPA compliance audits, and submitting semi-annual data protection reports.
It defines a “data controller or data processor of major importance” as an entity domiciled, resident, or operating in Nigeria that processes or intends to process the personal data of a significant number of Nigerian data subjects. In determining major importance, the Commission will consider factors such as:
a. the sensitivity of the personal data involved; and
b. the risks posed to data subjects if the entity is not subject to the enhanced obligations under the NDPA.
- Classification of Data Controllers and Data Processors: The GAID classifies data controllers and processors of major importance into three levels of major data processing: Ultra-High Level (UHL), Extra-High Level (EHL), and Ordinary-High Level (OHL). UHL covers entities such as commercial banks and telecommunications companies; EHL covers organisations such as ministries and hospitals; and OHL covers entities such as schools and small health centres. Note that under the GAID, some establishments or organisations that are data controllers or data processors of major importance may be exempted from registration.
- Filing of NDPA Compliance Audit Returns (CAR) with the Commission: The GAID mandates periodic compliance audits and imposes penalties for non-filing of returns. Data controllers are required to adopt a risk-based approach in assessing their data processing activities. Failure to file attracts an administrative penalty equivalent to 50% of the prescribed CAR filing fee, payable in addition to the original filing fee.
- Data Protection Officer (DPO): Under the GAID, a Data Protection Officer (“DPO”) may be a member of staff of the data controller or data processor, or an external third party. Additionally, data controllers and data processors must publish the DPO’s contact details and forward them to the Commission.
- Reliance on Consent: Article 17 of the GAID explains that consent can be expressly provided or constructive in certain situations. For example, images taken at public events can be used in reports but require clear consent if they are to be used for commercial purposes or advertisements. The article also introduces the Special Rule of Law Indexes (SRLI), which allows for other legal grounds to be used when obtaining consent is not practical. These grounds include situations where there is a risk to the data subject’s rights, security concerns, or public welfare.
- Consent to Cookies and Other Tracking Tools: The GAID mandates that websites that process sensitive data obtain users’ consent before deploying cookies, and that the cookie banner be visible on page load without requiring the user to scroll to see it.
- Data Protection Impact Assessment (DPIA): The GAID mandates that a Data Protection Impact Assessment (DPIA) be conducted before any data processing activity begins. Entities already processing data before the GAID was issued are given six months to complete a DPIA. Schedule 4 of the GAID sets out the procedure for conducting the DPIA, and the assessment must be signed by a certified DPO accredited by the Commission.
- Data Processing Agreement: The GAID sets out the terms of the Data Processing Agreement between data controllers and data processors, including the obligations under Section 29 of the NDPA and details of the purposes and locations of processing.
- Exercise of the Right to Rectification: The GAID requires data controllers and processors to give data subjects the opportunity to correct errors in their personal data, at no cost where the error was made by the data controller or processor.
- Right to be Forgotten: The GAID allows data subjects to request the deletion of their personal data where the data is no longer needed, where they withdraw their consent, or where they object to its use and there is no overriding reason to retain it.
Conclusion
The issuance of the GAID reflects Nigeria’s strong commitment to upholding data protection and citizens’ privacy rights under Section 37 of the Constitution. By clarifying the implementation of the NDPA, the GAID provides clear guidance for data controllers and processors while strengthening the rights of data subjects. Organizations must prioritize understanding and complying with the GAID to ensure full regulatory compliance in Nigeria’s evolving data protection landscape.
Berkeley Legal is a leading full-service business law firm in Nigeria. We provide a comprehensive and sophisticated range of specialised and personalised legal services designed to meet the varied needs of highly diversified local and international businesses.
If you would like to know more about GAID 2025, or intend to implement any of the directives in your organization, please contact info@berkeleylp.com.
The information provided in this article is for general informational purposes only and does not constitute legal advice.