ARTICLE
10 April 2025

Review Of Nigeria Data Protection Act (NDPA) 2023 & GAID 2025 | Data Privacy In Nigeria

The Trusted Advisors

Contributor

Trusted Advisors is a full-service law firm founded to provide cutting-edge and tailor-made legal solutions to clients. Its strategic position, as well as an enviable network of alliances, has undoubtedly given benefits to our clients. We stand as a single-window service provider dealing with all kinds of matters across the country under one umbrella.

On March 20, 2025, the Nigeria Data Protection Act (NDPA), 2023 – General Application and Implementation Directive (GAID), 2025 was released by the Nigeria Data Protection Commission (NDPC) pursuant to its powers under Sections 1(a), 6(c), 61 & 62 of the NDPA, 2023.

Before the issuance of the GAID 2025, data privacy and protection in Nigeria were primarily governed by the provisions of the NDPA, the Nigeria Data Protection Regulation (NDPR), 2019, and the NDPR Implementation Framework, 2020, made pursuant to the NDPR. As the GAID has now repealed the NDPR and, by extension, the NDPR Implementation Framework, data privacy and protection in Nigeria will henceforth be governed by the provisions of the GAID and the NDPA.

The release of the GAID is a positive step in the right direction. The GAID aims to resolve many of the often-grey provisions of the NDPA, as well as to provide guidance and clarity and offer complementary provisions.

With that as background, this article aims to highlight some of the salient provisions of the GAID 2025 and how they affect data subjects, controllers, data processors, and businesses in Nigeria.

SCOPE OF APPLICATION

The GAID applies to the processing of personal data of data subjects, with consideration to the derogation permitted under the 1999 Constitution and other peremptory norms or international treaties applicable in Nigeria, as it relates to:

  1. Data subjects who are within the territory of Nigeria (regardless of nationality and migration status);
  2. A data subject whose personal data has been transferred to Nigeria;
  3. A data subject whose personal data is in transit through Nigeria, without more;[1]
  4. A Nigerian citizen who is not within Nigeria, taking into account the universal right to privacy under the United Nations Universal Declaration of Human Rights, 1948, as well as the International Covenant on Civil and Political Rights, 1976.[2]

The above suggests an extension of the scope of its application beyond those captured under the NDPA.[3]


REPEAL OF THE NIGERIA DATA PROTECTION REGULATION (NDPR)

With the release of the GAID, the NDPR ceases to apply to regulate the processing of personal data in Nigeria.[4] The criticisms of the NDPA included the fact that it did not explicitly repeal the NDPR. However, the GAID has, in clear terms, clarified that the NDPR is no longer applicable to personal data processing in Nigeria. As the Nigeria Data Protection Regulation Implementation Framework, 2020, was made pursuant to the NDPR, it too would cease to apply.

This, however, does not affect the validity of any act done or carried out pursuant to the NDPR or the NDPR Implementation Framework prior to the release of the GAID.

CONFLICTING PROVISIONS

In the event of a conflict between the NDPA and the GAID, the former would prevail.[5] This is further buttressed by the provisions of Section 63 of the NDPA.

COMPLIANCE OBLIGATIONS OF DATA CONTROLLERS AND PROCESSORS

Under the newly released GAID, data controllers and processors are expected to abide by, inter alia, the following data protection compliance obligations:

  1. Register with the NDPC as a Data Controller or Data Processor of Major Importance (DCPMI) as the Commission may determine in accordance with the NDP Act;
  2. Conduct an NDPA compliance audit within fifteen (15) months of commencement of business and thereafter on an annual basis;
  3. In the case of a DCPMI, to file NDP Act Compliance Audit Returns (CAR) with the NDPC not later than March 31 of each year;
  4. Identify all its obligations under the NDP Act and prepare schedules of compliance;
  5. Prepare and keep semi-annual data protection reports, which shall be a detailed analysis of data processing within six (6) months;
  6. Prepare and follow schedules on Monitoring, Evaluation, and Maintenance of Data Security System in order to guarantee data confidentiality, integrity, and availability;
  7. Prepare and follow schedules on organisation-wide, internal sensitisation and training on data privacy and protection;
  8. Identify all obligations relating to data controllers or data processors under the NDP Act and prepare schedules of compliance;
  9. In the case of a DCPMI, designate a Data Protection Officer (DPO);[6]
  10. Develop or review its organisational privacy policies to be in compliance with the NDP Act;
  11. Publish its organisational privacy policies on its platforms with a view to sensitising data subjects on data processing activities as well as rights and duties in connection therewith;
  12. Provide privacy and cookie notices at the homepage of its website;[7]
  13. Ensure that the privacy policy and notice are transparent and appropriately provided on platforms/places where data processing is taking place;
  14. Develop and circulate an internal data protection strategy or policy and basic privacy checklist to help members of staff and other relevant persons (such as vendors, agents and contractors) understand the organisation's direction in connection with the processing of personal data and outline the steps they are to take to ensure the organisation's direction is maintained;
  15. Conduct a Data Privacy Impact Assessment (DPIA) when required under the NDP Act, or when directed by the NDPC;
  16. Notify the NDPC of personal data breaches within seventy-two (72) hours of becoming aware of the breach;
  17. Notify a data subject immediately after becoming aware of a personal data breach that may pose a high risk to his or her privacy;
  18. Update agreements with third-party processors to ensure compliance with the NDP Act;
  19. Design systems and processes to make data requests and access seamless for data subjects;
  20. Design systems and processes to enable data subjects to easily correct or update their personal data;
  21. Design systems and processes to enable data subjects to easily transfer data to another platform or person (natural or artificial);
  22. Train its personnel on data protection law and practices at least within six (6) months of commencement of business and then, at a minimum, on an annual basis; and
  23. Clearly explain the complaints process to data subjects, including the right to lodge a complaint with the NDPC.


DESIGNATION OF DCPMIs AND REGISTRATION WITH THE NDPC

The GAID designates certain data controllers and processors as DCPMIs. These are grouped into three categories and must register with the NDPC, as highlighted above:

  1. Ultra-High Level (UHL)
  2. Extra-High Level (EHL)
  3. Ordinary-High Level (OHL)[8]

EVALUATION OF EXEMPTIONS

The NDPA makes provisions for acts that are exempted from the operation of the Act, such as processing activities carried out in the interest of public health emergencies, national security, public interest, for educational, artistic, or literary purposes, investigation, detection, and prosecution of crimes, etc. The GAID provides parameters for evaluating such exemptions in addition to other salient sections of the Act that controllers and processors are still bound by:[9]

  1. S. 24 – Principles of personal data processing
  2. S. 25 – Lawful basis of personal data processing
  3. S. 32 – Designation of Data Protection Officers
  4. S. 40 – Personal data breaches notification
  5. Part VI – Data subjects' rights

This implies that while certain data processing activities are exempted under the NDPA, the NDPC shall hold a data controller or data processor accountable for the infraction of any other provision of the NDP Act not covered by the exemptions.

REGISTRATION OF DCPMIs WITH THE NDPC

Depending on the designated category, DCPMIs must comply with the following:

  1. UHL and EHL are mandated to register with the NDPC once and file audit reports annually;
  2. OHLs are to register with the NDPC annually without the need to file an audit report at the point of renewal.

The GAID further mandates that DCPMIs notify the NDPC within 60 days of any change in the information submitted to the NDPC for registration. They are also to make a request for the removal of their name from the register where they no longer qualify as a DCPMI.

In the event of removal from the register, DCPMIs shall remain responsible for outstanding fees from the current and/or prior annual registration period, where applicable. Additionally, a register of DCPMIs shall be kept by the NDPC on its website, which shall be updated at least once every year.[10]

FILING OF COMPLIANCE AUDIT REPORTS (CAR)

Under the GAID, data controllers and processors are mandated to carry out periodic compliance audits by utilizing a risk-based approach and ensuring adequate technical and organizational measures to mitigate the risk of data breaches.

DCPMIs are mandated to file CAR annually. For DCPMIs established before June 12, 2023, their CAR shall be filed not later than March 31 of each year. DCPMIs established after June 12, 2023, are to file their CAR not later than fifteen (15) months after establishment and shall subsequently file the same annually.

It is important to note that a 50% administrative penalty fee shall apply to data controllers and processors who file outside the specified time. This fee shall equal 50% of the stipulated filing fee for such a defaulting data controller or processor.

Additionally, DCPMIs within the categories of UHL and EHL shall file their CAR through a licensed Data Protection Compliance Organisation (DPCO).[11]

SUBMISSION OF INTERNAL SEMI-ANNUAL DATA PROTECTION REPORTS BY DPOs

Data controllers and processors are to ensure their DPOs submit semi-annual data protection reports to them through an officer designated to receive such reports in the form of a Record of Processing Activities (ROPA).

The ROPA is to be verified by a DPCO in the course of filing the CAR and will form part of the data controller or processor's processing activities to be submitted alongside the documents for the CAR.[12]

DATA SUBJECT'S STANDARD NOTICE TO ADDRESS GRIEVANCE (SNAG)

A data subject may issue a SNAG to a data controller or processor who is reasonably believed to have violated the data subject's privacy. When this happens, the data controller or processor is expected to communicate its decision on the SNAG to the NDPC through an electronic platform created for such purposes.

It is imperative to mention that the SNAG is not a condition precedent to lodging a complaint for privacy infraction with the NDPC or instituting an action in court. Rather, it is a standardised template for demanding internal remediation in the case of an organisation that may be acting in violation of a data subject's privacy. Additionally, a SNAG may be initiated directly by the data subject, a representative, or a civil society organization acting in the public interest.[13]

JURISDICTION OF COURTS FOR PRIVACY INFRACTIONS

An aggrieved data subject may approach the courts to seek redress for data privacy infractions. Under the GAID, 2025, the Federal High Court or the State High Court is the appropriate court with jurisdiction to entertain such cases.[14] This further provides clarity as opposed to the NDPA, which vests any court with jurisdiction to entertain such cases.[15]

CONCLUSION

The release of the GAID 2025 to complement the NDPA is a welcome development that aims to strengthen Nigeria's data privacy and protection landscape.

Given the NDPC's assurance to significantly ramp up enforcement and impose substantial fines on data controllers and processors who are in violation of the NDPA, stakeholders anticipate that the release of the GAID would foster further enforcement activities and an attendant increase in compliance by data controllers and processors in Nigeria. The GAID remains a step in the right direction and with the proper implementation and enforcement, will significantly impact data privacy and protection in Nigeria.

Footnotes

1. In this case, the obligation of the data controller or data processor responsible for the transmission through Nigeria to another jurisdiction shall be limited to data confidentiality, integrity, and availability.

2. See generally Article 1 (4) of the GAID, 2025

3. See Section 2 of the NDPA

4. See Article 3(3) of the GAID, 2025

5. See Article 3(2) of the GAID, 2025

6. It is important to state that where the data controller or processor carries out data processing or interfaces with data subjects on multiple platforms or places, an associate DPO or Privacy Champion may be designated to support or complement the DPO.

7. It is imperative to state that the cookie notice should give a data subject the opportunity to decline or accept the notice. Additionally, it must be displayed in such a way that it significantly obstructs the middle, the left or the right side of the home page of a website, as displaying a cookie notice at the bottom of a webpage, where it may be ignored or go unnoticed by a data subject, is tantamount to a lack of transparency in data processing.

8. See Article 8(4) of the GAID

9. See generally Article 5 of the NDP Act, GAID, 2025

10. See generally Article 9 of the GAID

11. See generally Article 10 of the GAID

12. See generally Article 13 of the GAID

13. See generally Article 40 of the GAID

14. See Article 47 (2) of the GAID

15. See Section 65 of the NDPA

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
