On March 20, 2025, the Nigeria Data Protection Commission (“NDPC” or “the Commission”), pursuant to its powers in the Nigeria Data Protection Act (“NDPA” or “the Act”), issued the NDPA General Application and Implementation Directive (“GAID”), which is to take effect from September 19, 2025.
We have highlighted below some of the key provisions introduced by GAID that you need to know.
1. Applicability
With the issuance of the GAID, the Nigeria Data Protection Regulation (NDPR) 2019 will no longer govern data privacy and protection. However, actions taken pursuant to the NDPR prior to the implementation of GAID will remain unaffected. Additionally, as the NDPR 2019: Implementation Framework 2020 was introduced to supplement the NDPR, its applicability as a legal instrument will also cease with the introduction of the GAID. Therefore, the two main laws that will regulate data protection in Nigeria, with effect from September 19, 2025, are the NDPA and the GAID.
2. Material and Territorial Scope of the NDPA
The GAID mandates, as a constitutional obligation, a careful consideration of both the material and territorial scope of the NDPA vis-à-vis its objectives before decisions that affect individuals’ fundamental right to privacy are made.
The GAID directs that, in determining the rights of a data subject and the question of the domiciliation of the data controller or data processor, where the data controller or processor is not domiciled in Nigeria but processes the personal data of data subjects in Nigeria, Sub-Articles 3 and 4 of Article 1 of the GAID shall be relied upon for guidance as follows:
(i) In accordance with the principle of universality of civil liberties, every individual is entitled to the protection of their fundamental rights, including the right to privacy, no matter where they are located.
(ii) Accordingly, the following categories of people shall be entitled to the enjoyment of data subject rights under the NDPA:
(a) data subjects in Nigeria, regardless of nationality or immigration status,
(b) those whose data has been transferred to Nigeria,
(c) those whose data transits through the country (with limited obligations on controllers/processors); and
(d) Nigerian citizens abroad, subject to international law and mutual legal assistance.
(iii) The rights of the foregoing persons to protection under the Act shall, however, be subject only to the derogations permitted under the 1999 Constitution and any peremptory norm or international treaty applicable to Nigeria under International Law.
3. Material Context of Data Processing and the Priority of the NDPA
All individuals, bodies, or authorities involved in personal data processing have a duty of care to carefully assess the material context of personal data processing with a view to ascertaining whether such processing aligns with the constitutional right to privacy. The GAID indicates that the material context of data processing is essentially under the Exclusive Legislative List, 2nd Schedule to the 1999 Constitution, and mandates of Federal Executive Bodies.
Data controllers and processors must consider the material nature of data – including its value, volume, and speed – and implement technical and organizational measures to manage the associated risks, ensuring compliance with the privacy standards set by the NDPA.
4. Statutory Remedy for Double or Multiple Regulatory Frameworks on Data Protection
The GAID, with a view to ensuring clarity and effectiveness in regulating data protection, re-emphasises the clear priority of the NDPA over conflicting laws as enshrined in section 63 of the NDPA. It further directs that where any other law conflicts with the provisions of the NDPA concerning personal data processing, the NDPA takes precedence.
Furthermore, it is worth noting that, in the event of a conflict between the NDPA and the GAID, the provisions of the NDPA will take precedence.
5. Evaluation of Exemptions to the Act
Data controllers/processors that are desirous of relying on the exemptions from the applicability of the NDPA under section 3 of the Act are required to comply with those provisions of the Act that are not covered by the exemption, such as principles of personal data processing, lawful basis for data processing, designation of Data Protection Officers (where required), notification in the event of personal data breach, and protection of data subjects’ rights. The Commission will hold data controllers or processors accountable for any violation of these provisions.
In assessing data processing activities exempted under the Act, the Commission will consider factors such as the constitutional derogation allowed, the lawful basis for data processing, the impact on data subjects, compliance with data protection principles, the proportionality and necessity of the processing, and the ability of data subjects to lodge complaints with the Commission.
Individuals who process personal data solely for personal or household purposes are required to respect the privacy of the data subject. Such individuals may be held accountable for actions that put the privacy of others at risk, such as:
(a) granting permission to data controllers or processors to access phone contacts via software or apps,
(b) sharing or transferring personal data without consent,
(c) neglecting to properly safeguard devices storing personal data,
(d) disclosing personal data verbally or in writing, and
(e) unauthorized access to someone else’s personal data.
6. Compliance Measures for Data Controllers and Processors
The GAID provides a summarised list of compliance measures expected of data controllers and processors. Some of the key compliance measures include:
• Registration: Data controllers and processors of major importance must register with the Commission as applicable.
• Compliance Audit Report: A compliance audit is to be carried out within 15 months of commencing business and annually thereafter. Data controllers and processors of major importance (Ultra High Level and Extra-High Level) are to submit their Compliance Audit Returns (CAR) no later than March 31 of each year.
• Data Protection Officer: A Data Protection Officer (DPO) must be appointed by data controllers and processors of major importance, with additional support if necessary, especially where the data controller or the data processor carries out data processing or interfaces with data subjects on multiple platforms and places.
• Training & Sensitization: Regular scheduled staff training and internal sensitization on data privacy are required.
• Compliance Schedules: Identify all obligations under the NDPA and prepare schedules of compliance.
• Privacy Policies: Organisations must develop and display privacy policies, ensuring transparency in data processing. The GAID also indicates the types of disclosures that will meet the transparency requirements.
• Breach Notifications: Prompt reporting of personal data breaches to the Commission and affected individuals is mandatory.
• Data Subject Rights: Systems must be designed to facilitate easy access, correction, and transfer of personal data for data subjects.
• Data Protection Impact Assessment: DPIAs are to be carried out when required under the NDPA, or when directed by the Commission.
• Semi-Annual Data Protection Reports: Organisations are to maintain semi-annual data protection reports containing a detailed analysis of data processing within six (6) months.
• Monitoring, Evaluation, and Maintenance of Data Security System: Data controllers and data processors are required to undertake scheduled monitoring, evaluation and maintenance of their data security systems in order to guarantee data confidentiality, integrity and availability.
This is an abridged version of the article. You can read the article in full on the author’s website.
DISCLAIMER: This article is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal advice on the readers’ specific circumstances when they arise.