A New Era of Data Compliance
On March 20, 2025, the Nigeria Data Protection Commission (NDPC) issued the General Application and Implementation Directive (GAID), a key regulatory framework designed to operationalise the Nigeria Data Protection Act 2023 (NDPA). The GAID repeals the Nigeria Data Protection Regulation 2019 (NDPR) and sets out detailed compliance obligations for data controllers and processors who operate in Nigeria or process the personal data of Nigerian residents.
With the directive set to take effect in September 2025 and regulatory filing fees applicable from January 2026, organisations have a limited window to identify compliance gaps and implement corrective action.
Key Highlights Under the GAID
1. Repeal of the NDPR: The GAID expressly repeals the NDPR 2019. The NDPA 2023 and the GAID 2025 now form the exclusive legal basis for data protection regulation and enforcement in Nigeria. Actions and enforcement taken under the NDPR before the GAID remain valid under transitional provisions.
2. Classification of Data Controllers and Processors of Major Importance (DCPMIs): DCPMIs are entities that process high volumes of personal data or operate in sensitive or critical sectors (e.g., finance, healthcare, telecoms, digital platforms). These organisations are subject to enhanced compliance obligations, including registration, reporting, and audit requirements.
3. Mandatory Compliance Measures: The GAID sets out detailed obligations for all data controllers and processors, with enhanced requirements for DCPMIs. These include:
- Registration of DCPMIs with the NDPC.
- Appointment of a Data Protection Officer (DPO). Organisations with complex data interfaces may designate Associate DPOs or Privacy Champions.
- Conduct of Compliance Audits:
  - New organisations must conduct a compliance audit within 15 months of incorporation.
  - Existing entities must file annual Compliance Audit Returns (CARs) by March 31.
- Maintenance of detailed biannual reports on data processing activities.
- Review of privacy policies and cookie notices for compliance with NDPA and platform-specific requirements.
- Implementation of user access controls for data rectification, portability, and erasure.
- Incident response and breach notification within 72 hours of awareness.
- Execution of Data Protection Impact Assessments (DPIAs) where processing poses high risks or is required by the NDPC.
- Vendor and processor contract compliance, ensuring third parties meet NDPA standards.
4. Standard Notice to Address Grievance (SNAG): A significant new feature of the GAID is the introduction of the SNAG, allowing data subjects to issue a formal grievance notice to controllers or processors. This must precede any complaint escalation to the NDPC. Organisations must establish internal grievance mechanisms to manage SNAGs promptly and effectively.
5. Cross-Border Data Transfers and Transfer Impact Assessments (TIAs): The GAID requires organisations to conduct TIAs prior to cross-border data transfers, demonstrating adequate safeguards consistent with global data protection norms. These measures are critical for multinationals, fintechs, cloud-based service providers, and any business operating transnationally.
6. Updated CAR Filing Obligations and Fees: DCPMIs are required to file Compliance Audit Returns (CARs) annually through a licensed Data Protection Compliance Organisation (DPCO). The NDPC has introduced a fee structure (Schedule 10 of the GAID) based on the number of data subjects processed:
| DCPMI Tier | Data Subjects | CAR Filing Fee (₦) |
|---|---|---|
| UHL-A | 50,000+ | ₦1,000,000 |
| UHL-B | 25,000–49,999 | ₦750,000 |
| UHL-C | Below 25,000 | ₦500,000 |
| EHL-A | 10,000+ | ₦250,000 |
| EHL-B | 5,000–9,999 | ₦200,000 |
| EHL-C | Below 5,000 | ₦100,000 |
Note: A 50% penalty applies to late filings, making timely preparation and submission critical.
To ensure compliance, organisations are advised to urgently:
- Evaluate DCPMI status using the GAID’s classification criteria.
- Appoint and train a qualified DPO or designate internal Privacy Champions.
- Review and update internal policies, privacy documentation, and data protection notices.
- Conduct DPIAs for sensitive processing activities and cross-border data flows.
- Develop internal SNAG management protocols to respond to data subject grievances.
- Implement robust audit readiness processes, including record keeping, risk assessments, and control testing.
- Engage a licensed DPCO to support CAR filings and audit submissions.
This update is the first in our GAID Compliance Series, a continuing publication offering practical analysis of the NDPA-GAID framework. Over the coming weeks, we will explore key provisions of the directive, assess implications for corporate operations, and share implementation strategies.
As a licensed DPCO, Duale, Ovia & Alex-Adedipe offers full-spectrum support for GAID and NDPA compliance. For advice on how the NDPA and GAID apply to your operations, or to discuss tailored compliance support, please contact our Data & Technology Practice team at info@doa-law.com.
Disclaimer: This publication is provided for general information only and does not constitute legal or regulatory advice. It reflects our interpretation of the GAID issued by the NDPC as of April 2025 and may evolve as further clarifications or regulations are issued. For advice tailored to your specific business context, please consult our team.