Emerging Compliance Requirements Under Nigeria’s Data Protection Act (NDPA) & GAID

Nigeria’s data protection regime entered a new phase in 2025 when the Nigeria Data Protection Commission (NDPC) issued the General Application and Implementation Directive (GAID) under the Nigeria Data Protection Act (NDPA) 2023, setting out detailed obligations for organisations across all sectors.


Effective from 19 September 2025, the GAID provides operational clarity on how the NDPA is to be interpreted and applied, and it replaces the Nigeria Data Protection Regulation (NDPR) 2019 as the subsidiary regulatory framework for data privacy in Nigeria.

Here’s a breakdown of the latest compliance requirements organisations must prioritise under the NDPA and GAID:


1. Transition to GAID and Full Compliance

The GAID formalises full implementation of the NDPA across the public and private sectors. An organisation that was compliant with the NDPR cannot rely on that status: its governance systems, policies, and day-to-day practices must now be re-aligned with the requirements of the NDPA and the GAID, and kept current and enforceable.


2. Registration & Classification of Data Controllers/Processors

Under the GAID, organisations that process personal data at scale, designated Data Controllers and Data Processors of Major Importance (DCPMIs), must register with the NDPC. Registration is tiered into Ultra-High Level, Extra-High Level, and Ordinary-High Level, and the tier an organisation falls into determines the nature and frequency of its compliance reporting obligations.


3. Mandatory Compliance Audits & Reporting

All registered organisations must conduct an initial data protection compliance audit within 15 months of commencing operations, and thereafter file annual Compliance Audit Returns (CARs) with the NDPC. Ultra-High Level and Extra-High Level entities must submit these filings through licensed compliance partners, while Ordinary-High Level entities follow a tailored submission process.


4. Appointment and Empowerment of DPOs

Organisations are required to designate a qualified Data Protection Officer (DPO), either an internal appointee or an external provider under a service contract, and to communicate the DPO’s details to the NDPC. The DPO must be involved in governance decisions, report regularly (including semi-annual compliance reports), and drive the organisation’s privacy risk management activities.


5. Privacy Notices & Transparency Obligations

Clear, accessible privacy notices are now mandatory. Organisations must publish privacy policies that explain how personal data is collected, used, stored, shared, and protected, that provide explicit consent mechanisms for digital tracking and cookies, and that tell data subjects what rights they have and how to exercise them.


6. Data Subject Rights & Grievance Mechanisms

The GAID reinforces data subject rights such as access, rectification, erasure, and portability. Organisations must also establish internal grievance resolution mechanisms, including the Standard Notice to Address Grievance (SNAG), so that individuals can seek remediation directly from the organisation before escalating a complaint to the Commission.


7. Breach Notification Requirements

Personal data breaches must be reported to the NDPC within 72 hours of the organisation becoming aware of them, and affected data subjects must be notified immediately where the breach is likely to result in a high risk to their rights and freedoms. A defined, rehearsed breach response process is therefore a regulatory expectation, not an optional good practice.


8. Data Protection Impact Assessments (DPIAs)

Where a processing activity is likely to pose a high risk to data subjects’ rights and freedoms, organisations must conduct a Data Protection Impact Assessment (DPIA) and document its findings. Even where a preliminary risk assessment concludes that no high risk exists, the organisation should record the reasoning for not proceeding to a full DPIA, so the decision can be defended on audit.


9. Cross-Border Data Transfer Safeguards

Any transfer of personal data outside Nigeria must be safeguarded, whether through an adequacy framework, contractual protections, or prior NDPC approval, with the appropriate mechanism depending on the risk and sensitivity of the data involved.


Why These Matter for Your Organisation

The NDPA and GAID turn data privacy compliance from a paper exercise into an operational imperative. Non-compliance can trigger enforcement action, reputational harm, and financial penalties. Organisations must now:

✅ Integrate structured privacy governance systems
✅ Strengthen data lifecycle management practices
✅ Embed risk-based audits and reporting cycles
✅ Empower leadership with accountability frameworks


As regulatory expectations evolve, organisations that adapt proactively will not only avoid sanctions but also build trust with customers, partners, and regulators, strengthening their competitive edge in an increasingly data-driven economy.


If you need expert guidance in aligning your organisation with the NDPA/GAID framework, Haastrup Advisory can help you navigate complex compliance obligations and build robust privacy governance structures.

Request a FREE compliance check!
