By Oladipupo Ige
Introduction
On 20 March 2025, the Nigeria Data Protection Commission (NDPC) issued the long-awaited NDPA General Application and Implementation Directive (GAID), a key document intended to provide further clarification and guidance on the application of the Nigeria Data Protection Act 2023 (NDPA). The directive is a crucial document for data privacy professionals, businesses and organizations engaged in processing personal data. Pronounced "Guide," it could not have come at a more critical time: with increasing regulatory sanctions on companies for non-compliance and growing awareness among Nigerians of their right to privacy and the protection of their personal data, the need for clear guidance has never been more pressing.
As members of the foremost association of privacy lawyers in Nigeria, it is important that we understand some of the contents of the 117-page GAID and their implications for data protection practice in Nigeria.
Key Provisions of the GAID:
1. Effect on the Nigeria Data Protection Regulation (NDPR):
With the release of the GAID, the NDPC has clarified that the NDPR will no longer be applied. This change does not, however, affect actions or processes already undertaken under the NDPR. Organizations should note that any ongoing or prior compliance actions taken under the NDPR remain valid even as the GAID takes effect (art. 3(3)).
2. Exemption Provision under the NDPA:
The GAID stipulates that the exemptions set out under the NDPA do not exempt a controller or processor from the entire Act. Notwithstanding an exemption, controllers and processors remain bound by other salient provisions, including:
- Principles of data processing,
- Lawful bases for processing,
- Designation of a Data Protection Officer (DPO),
- Data subjects’ rights, and
- Data breach notification.
This means that an exemption does not relieve an organization of its obligations under the core provisions of the NDPA, ensuring continued protection of personal data (art. 5).
3. Household and Personal Purposes:
The GAID clarifies that processing for household or personal purposes is not exempt from the Act if it involves sharing personal data with others. This includes:
- Granting access to contact details through software,
- Data sharing,
- Verbal or written disclosures, and
- Unauthorized access to personal data.
Therefore, persons engaging in such activities must comply with the data protection rules even where the processing is otherwise personal or domestic in nature (art. 6).
4. Compliance Audits:
The GAID introduces a significant change regarding compliance audits.
- New companies must conduct their first compliance audit within 15 months of commencing business operations.
- Other organizations are required to submit their audit by 31st March annually.
These audits are crucial for demonstrating ongoing compliance with data protection requirements (art. 7).
5. Data Protection Officer (DPO) Requirements:
Data Controllers and Processors of Major Importance (DCMIs) are now required to designate a Data Protection Officer (DPO). In addition, companies may designate Associate DPOs or privacy champions to assist the DPO in fulfilling their responsibilities (art. 7). DPOs must report directly to senior management, be independent and free of conflicts of interest, prepare semi-annual data protection reports, and are subject to an annual credential assessment (arts. 12, 13 and 14).
6. Internal Data Protection Strategy for DCMIs:
DCMIs must draft an internal data protection strategy. Furthermore, the NDPC will conduct an annual assessment of DPO credentials: DPOs must be certified and listed in the official database of DPOs to ensure they meet the required standards.
7. Registration Requirements:
The registration process has been outlined as follows:
- UHL (Ultra-High-Level) and EHL (Extra High-Level) controllers/processors must register once but file compliance audits annually.
- OHL (Ordinary High-Level) controllers/processors must renew their registration annually but are not required to file an annual audit (art. 9).
8. Revised Audit Fees:
The GAID has revised the audit filing fees for different categories of data controllers and processors:
- UHL: One million Naira for 50,000 or more data subjects; seven hundred and fifty thousand Naira for fewer than 50,000 data subjects; and five hundred thousand Naira for fewer than 25,000 data subjects.
- EHL: Two hundred and fifty thousand Naira for 10,000 data subjects; two hundred thousand Naira for fewer than 5,000 data subjects; and one hundred thousand Naira for fewer than 2,500 data subjects.
- OHL: omitted from the schedule, as OHL controllers/processors have been exempted from audit filing.
These fees apply to the filing of compliance audit returns only (see Schedule 10).
9. Data Protection Compliance Organizations (DPCO):
The GAID makes it mandatory for Data Protection Compliance Organizations (DPCOs) to file an annual compliance audit return (CAR). This requirement was previously omitted from the NDPA but now applies to DPCOs (art. 10(14)).
10. Semi-Annual Data Protection Report by DPOs:
In addition to the CAR, DPOs are now required to prepare a semi-annual report that forms part of the Record of Processing Activities (RoPA). These reports are filed annually alongside the compliance audit (art. 13).
11. Consent Requirements:
The GAID acknowledges that constructive or implied consent is valid. However, explicit consent is still required for certain activities, such as:
- Direct marketing,
- Processing children’s data,
- Cross-border data transfer, and
- Automated decision-making. (art. 18)
12. Processing for Contractual Purposes:
Where personal data is collected for the purpose of a contract and the contract is not executed, the personal data must be deleted within six months, except in specific cases where retention is justified (art. 21).
13. Data Privacy Impact Assessment (DPIA):
The GAID mandates that a DPIA must be conducted for the following activities:
- Profiling,
- Automated decision-making,
- Systematic monitoring,
- Development of software,
- Financial services,
- Healthcare services,
- E-commerce, surveillance cameras, and
- Educational services.
Additionally, the DPIA must be vetted by a certified DPO before processing commences (art. 28).
14. High-Risk Notification:
The GAID defines high-risk processing activities as those that could expose data subjects to risks such as fraud, identity theft or exposure of sensitive personal data. Such activities must be promptly reported to the NDPC (art. 33(2)).
15. Rectification of National Identification Number (NIN):
The rectification of a National Identification Number (NIN) no longer requires an affidavit or a newspaper publication, simplifying the process for individuals seeking corrections (art. 36(3)).
16. Right to Lodge a Complaint:
The right to lodge a complaint with the NDPC is not a precondition for enforcing the right to privacy guaranteed under Section 37 of the Constitution. The NDPC will establish an online platform to facilitate the lodging of complaints. Complainants may also issue a Standard Notice to Address Grievance (SNAG), which the recipient must respond to in a timely and transparent manner (art. 39).
Conclusion:
The General Application and Implementation Directive (GAID) introduces several important updates and clarifications to Nigeria's data protection regulatory landscape. As privacy lawyers, it is essential that we understand these provisions in order to guide our organizations and clients towards full compliance. We recommend that all members carefully review the GAID and assess its implications for their roles and responsibilities within the data protection ecosystem.
Oladipupo is the Policy & Advocacy Director, Data Privacy Lawyers Association of Nigeria (DPLAN)