NIGERIA DATA PROTECTION ACT: GENERAL APPLICATION AND IMPLEMENTATION DIRECTIVE (GAID) 2025: What Every Business Needs to Know about Nigeria’s Data Protection Directive.

On 20th March 2025, the Nigeria Data Protection Commission (NDPC) issued the Nigeria Data Protection Act (NDPA) General Application and Implementation Directive, 2025 (GAID). After a six-month transition, the GAID took effect on 19 September 2025. It operationalizes the NDPA 2023 and sets the NDPC’s detailed compliance framework for controllers and processors operating in Nigeria or targeting Nigerian data subjects.
Scope of the General Application and Implementation Directive (GAID)
The GAID clarifies territorial and subject-matter scope: it applies to controllers and processors that target Nigerian data subjects (including foreign entities), to personal data that transits or is processed in Nigeria, and to Nigerian data subjects abroad where processing implicates Nigerian regulatory interests. The GAID provides in Article 3(3) that, upon its application, the Commission will cease to apply the Nigeria Data Protection Regulation (NDPR) 2019 as the operative regulatory instrument and will implement the NDPA together with the GAID. This, however, does not affect any act done under the NDPR before the issuance of the GAID.
Essential Compliance Requirements for Organisations

  1. Increased Obligation for Individuals Processing Data for Household or Personal Purposes
    The NDPA provides that it shall not apply to processing of personal data solely for personal or household purposes, subject to certain exceptions (Section 3 of the NDPA). The GAID reiterates that individuals processing data solely for personal or household purposes must still respect the privacy of data subjects and can be held accountable for any actions that put the privacy of a data subject at risk.
  2. Compliance Audit Returns – CARs (filing cycles, fees and penalties)
    i. New Audit Template:
    • Data controllers/processors of major importance (Ultra-High Level and Extra-High Level) must file CARs.
    ii. Filing Timelines:
    • Data controllers and processors of major importance (Ultra-High Level and Extra-High Level) must now file CARs not later than 31st March each year (previously 15th March). Ordinary-High Level (OHL) entities, however, are required to renew their registration with the Commission annually and are not required to file an annual CAR upon renewal.
    iii. Fees and Penalties:
    • The GAID introduces a tiered filing-fee regime (Schedule 10) based on the Data Controller and Processor of Major Importance (DCPMI) classification and the volume of data subjects processed. It also prescribes an administrative penalty equal to 50% of the applicable CAR fee for late filing.
    • Tiered filing fees now range from ₦100,000 to ₦1,000,000, depending on the classification of the data controller/processor (Ultra-High Level or Extra-High Level).
    • Entities established after June 12, 2023, must submit their first CAR within 15 months of incorporation and annually thereafter.
  3. Data Protection Officers (DPOs): Expanded Role and Accountability
    The NDPA establishes the statutory basis for DPO designation; the GAID expands on this by requiring that controllers/processors of major importance ensure DPO autonomy, resources and access to processing activities. The GAID also requires semi-annual internal DPO reports to management and establishes an Annual Credential Assessment framework administered by the NDPC (including CPD verification and a certified-DPO database). Training and credentials will be verified as part of CARs.
    Organisations are advised to establish clear compliance calendars, empower DPOs, and allocate budgets for training and credential assessments.
  4. Provisions for Emerging Technologies
    The GAID establishes clear compliance requirements for organisations seeking to deploy emerging technologies such as Artificial Intelligence (AI), Internet of Things (IoT) and blockchain. Under the Directive, organisations are required to:
    • conduct a Data Protection Impact Assessment (DPIA);
    • ensure anonymisation of data collected either from the data subject or a legitimate third party;
    • test the technology in a low-risk environment to evaluate its potential impact;
    • evaluate the likelihood of disparate or discriminatory outcomes and the possibility of addressing them;
    • carry out periodic re-testing to mitigate emerging privacy risks; and
    • establish structures for continuous monitoring of the emerging technology.
  5. Privacy Policies and Data Retention
    i. Accessible Privacy Information
    Privacy notices must be clear, accessible, and understandable, particularly for vulnerable or low-literacy data subjects. Data controllers are encouraged to use infographics, translated versions, or audio-visual formats.
    ii. Cookie and Privacy
    • Necessary cookies, which do not process sensitive data, financial data or any data stored privately by a data subject, do not need the ticking of a box or similar methods for explicit consent. However, all non-essential cookies must have a specific selection of “yes” or “no,” “accept” or “reject” options presented to data subjects.
    • Cookie banners must be conspicuous and presented in the first visible section of the web page (the GAID expressly discourages placing cookie banners at the bottom where they may be overlooked).
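The two cookie rules above translate directly into a gate in front of every cookie write. The following is an added example (not code from the article or from the NDPC): a small consent gate in which strictly necessary cookies that carry no sensitive or financial data are written without a tick-box, every other cookie is blocked until the data subject has made an explicit "accept" or "reject" choice for its category, and a helper checks that the banner sits inside the first viewport. The cookie names, categories and pixel values are constructed for illustration.

```javascript
// Added example (not from the article or the NDPC): a consent gate that enforces
// the GAID cookie rules. Necessary cookies without sensitive or financial data may
// be set without a tick-box; every other cookie is blocked until an explicit
// "accept"/"reject" choice has been recorded for its category.
// Cookie names and categories below are constructed for illustration.

const COOKIE_REGISTRY = {
  session_id: { category: "necessary", essential: true,  sensitive: false },
  csrf_token: { category: "necessary", essential: true,  sensitive: false },
  saved_card: { category: "necessary", essential: true,  sensitive: true  }, // financial data: needs consent
  _analytics: { category: "analytics", essential: false, sensitive: false },
  ad_profile: { category: "marketing", essential: false, sensitive: false },
};

class ConsentGate {
  constructor(registry) {
    this.registry = registry;
    this.decisions = {}; // category -> "accept" | "reject"
  }

  // Record the data subject's choice. Only the two explicit values count;
  // scrolling, timeouts or pre-ticked defaults must never reach this method.
  record(category, choice) {
    if (choice !== "accept" && choice !== "reject") {
      throw new Error(`explicit accept/reject required for "${category}", got ${String(choice)}`);
    }
    this.decisions[category] = choice;
  }

  // May this cookie be written right now?
  allows(name) {
    const entry = this.registry[name];
    if (!entry) return false;                             // unregistered: deny by default
    if (entry.essential && !entry.sensitive) return true; // necessary, non-sensitive: no opt-in needed
    return this.decisions[entry.category] === "accept";
  }

  // Split the cookies an application wants to set into allowed and blocked lists.
  filter(names) {
    const allowed = [], blocked = [];
    for (const n of names) (this.allows(n) ? allowed : blocked).push(n);
    return { allowed, blocked };
  }
}

// Write a cookie only if the gate allows it. `sink` receives the cookie string;
// the default writes document.cookie in a browser, tests inject a collector.
function setCookieIfAllowed(gate, name, value, sink = (s) => { document.cookie = s; }) {
  if (!gate.allows(name)) return false;
  sink(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
  return true;
}

// Placement check for the "first visible section" rule: true when the banner's
// box lies entirely inside the initial viewport (pixel values, no DOM needed).
function bannerInFirstViewport(bannerTopPx, bannerHeightPx, viewportHeightPx) {
  return bannerTopPx >= 0 && bannerTopPx + bannerHeightPx <= viewportHeightPx;
}
```

The design choice worth noting is the default: a cookie that is not in the registry, or whose category has no recorded decision, is denied. Adding a cookie to the site therefore forces someone to classify it, which is also the evidence an auditor will ask for when reviewing the cookie consent mechanism.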

    iii. Retention (Storage limitation)
    Where no law provides a time-bound retention, the GAID prescribes that personal data should not be stored for longer than six (6) calendar months after the original purpose is achieved. However, limited retention may be permitted for lawful purposes such as archiving or the defence of legal claims, provided that appropriate safeguards are implemented to protect the data.
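The storage-limitation rule above is easiest to apply as a scheduled sweep over a data inventory. The following is an added example (not code from the article or from the NDPC): a check that flags a record for deletion six calendar months after its purpose was achieved, defers to a statutory retention period where one applies, and allows restricted retention only where a documented lawful ground and at least one safeguard are recorded. The record fields, the set of lawful grounds and the sample data are constructed for illustration.

```javascript
// Added example (not from the article or the NDPC): a storage-limitation check.
// Records with no statutory retention period are due for deletion six calendar
// months after their purpose was achieved, unless a documented lawful ground
// with safeguards justifies restricted retention.
// Record shapes, field names, grounds and sample data are constructed.

const DEFAULT_RETENTION_MONTHS = 6;
const LAWFUL_EXTENSION_GROUNDS = new Set(["archiving", "legal-claims"]);

// Add calendar months in UTC, clamping to the last day of the target month so
// that e.g. 31 August + 6 months gives 28 February rather than 3 March.
function addCalendarMonths(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCMonth(d.getUTCMonth() + months);
  if (d.getUTCDate() !== day) d.setUTCDate(0);
  return d;
}

// record: { id, purposeAchievedAt: Date|null, statutoryRetentionMonths?: number,
//           extendedRetention?: { ground: string, safeguards: string[] } }
function retentionStatus(record, now) {
  if (!record.purposeAchievedAt) {
    return { id: record.id, action: "retain", reason: "purpose not yet achieved" };
  }
  const months = record.statutoryRetentionMonths ?? DEFAULT_RETENTION_MONTHS;
  const deadline = addCalendarMonths(record.purposeAchievedAt, months);
  if (now.getTime() <= deadline.getTime()) {
    return { id: record.id, action: "retain", reason: "within retention period", deadline };
  }
  const ext = record.extendedRetention;
  if (ext && LAWFUL_EXTENSION_GROUNDS.has(ext.ground) &&
      Array.isArray(ext.safeguards) && ext.safeguards.length > 0) {
    return { id: record.id, action: "retain-restricted", reason: `lawful ground: ${ext.ground}`, deadline };
  }
  return { id: record.id, action: "delete", reason: "retention period expired", deadline };
}

// Run the check over an inventory and group record ids by the required action.
function retentionSweep(records, now) {
  const plan = { retain: [], "retain-restricted": [], delete: [] };
  for (const r of records) plan[retentionStatus(r, now).action].push(r.id);
  return plan;
}

// Constructed sample inventory: all purposes achieved on 10 January 2025.
const SAMPLE_RECORDS = [
  { id: "cust-1", purposeAchievedAt: new Date(Date.UTC(2025, 0, 10)) },
  { id: "cust-2", purposeAchievedAt: null },
  { id: "cust-3", purposeAchievedAt: new Date(Date.UTC(2025, 0, 10)),
    extendedRetention: { ground: "legal-claims", safeguards: ["encryption-at-rest", "access-limited-to-legal"] } },
  { id: "cust-4", purposeAchievedAt: new Date(Date.UTC(2025, 0, 10)), statutoryRetentionMonths: 84 },
  { id: "cust-5", purposeAchievedAt: new Date(Date.UTC(2025, 0, 10)),
    extendedRetention: { ground: "marketing-convenience", safeguards: [] } },
];
```

Two points are deliberate: a ground that is not on the lawful list, or one recorded without any safeguard, does not extend retention (cust-5 is deleted alongside cust-1), and dates are handled in UTC with month-end clamping so the six-month deadline does not drift with the server's time zone or with short months.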

  6. Data Privacy Impact Assessment (DPIA):
    The GAID prescribes circumstances that require a DPIA (for example: communication software, digital financial services, health-care processing, e-commerce, educational records, public surveillance and cross-border transfer scenarios). A DPIA must be signed by a certified DPO, follow the GAID template (Schedule 4), and its outcome must be included in the CAR. Where processing predates the GAID, a DPIA must be conducted and submitted within the GAID’s transitional timelines.
  7. Third Party Relationships and Cross-Border Data Transfer
    i. Data Processing Agreements (DPA)
    DPAs must explicitly identify the parties, the purpose, the scope, and the lawful basis for processing. Even sole proprietors or agents handling sensitive data must undergo training in data protection.
    ii. Cross-border Transfers
    Part VIII of the NDPA governs all cross-border transfers of personal data from Nigeria. Cross-border transfers are permitted on specific grounds: an adequacy decision by the NDPC, an approved Cross-Border Data Transfer Instrument (CBDTI), or other lawful bases (e.g., explicit consent, necessity for legal claims). The GAID provides a Schedule for assessing adequacy and interim guidance pending formal instruments.
  8. Enforcement and complaints
    If the Commission opens an investigation, it will issue a notice and expect the respondent to reply (typically within 21 days). The GAID also introduces a Standard Notice to Address Grievance (SNAG) for data subjects and civil society to issue complaints before regulatory escalation.
Practical Compliance Checklist
    • Organisations are advised to determine their classification under the GAID as Ultra-High Level, Extra-High Level, or Ordinary-High Level, since classification determines applicable compliance obligations.
    • Entities established before 12th June 2023 shall file their Compliance Audit Returns (CARs) not later than 31st March each year, while entities established thereafter shall file their first CAR within fifteen months of incorporation and subsequently on an annual basis.
    • A qualified Data Protection Officer (DPO) with adequate authority and resources must be appointed to submit semi-annual internal compliance reports.
    • Data Privacy Impact Assessments (DPIAs) are to be conducted for high-risk processing operations identified by the GAID, endorsed by a certified DPO, and incorporated into the CAR.
    • Privacy notices, cookie consent mechanisms, and retention policies should be reviewed to ensure conformity with GAID requirements on visibility, consent, and the six-month storage limitation, except where lawful grounds justify extended retention.
Conclusion
    The GAID materially raises sectoral and procedural expectations for organisations handling Nigerian data. It combines prescriptive administrative requirements (CARs, fees, credential verification) with substantive controls (DPIA, storage limitation, cookie consent). While the GAID sharpens enforcement clarity, some interpretive issues remain (notably the NDPR transition). Businesses should treat the GAID as binding operational guidance and align policies, DPO resourcing, DPIA practice and CAR calendar without delay.

Manifield Solicitors