
Introduction.
On 20 March 2025, the Nigeria Data Protection Commission (NDPC) issued the General Application and Implementation Directive (GAID) pursuant to its powers under the Nigeria Data Protection Act 2023 (NDPA 2023).1 This directive serves as a comprehensive framework guiding compliance with the NDPA 2023, ensuring that data protection obligations are clearly understood and effectively implemented across various sectors, including startups and small and medium enterprises (SMEs).
The GAID, structured into 52 Articles and 10 Schedules, replaces the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework 2020; acts carried out while those instruments were in force remain valid. For businesses, particularly startups and SMEs, aligning with the GAID is crucial for data compliance, regulatory approval, and market competitiveness. This article examines the implementation requirements and effectiveness of the GAID, draws comparative insights from the United Kingdom, Australia, and Canada, and outlines practical compliance strategies for startups and SMEs.
Key Implementation Requirements Under the GAID.
The GAID mandates data controllers and data processors to comply with twenty-three key compliance measures, including registration as a Data Controller or Data Processor of Major Importance (DCPMI), annual compliance audits for Ultra-High-Level and Extra-High-Level DCPMIs filed before 31 March each year, and semi-annual data protection reports assessing data processing activities over the preceding six months.2 In the United Kingdom, data controllers must register with the Information Commissioner’s Office (ICO) and conduct periodic Data Protection Impact Assessments (DPIAs) under the UK GDPR and the Data Protection Act 2018.3 Similarly, Australia’s Privacy Act 1988 mandates that businesses handling personal data implement Privacy Management Plans (PMPs) to regularly assess compliance.4 For any Nigerian data processor, data controller, or other business or body determining the purposes and means of processing personal data, adopting similar risk-based assessments ensures readiness for audits and regulatory compliance.
The GAID further introduces a revised template for conducting annual compliance audits, with filing fees of up to NGN1,000,000 for Ultra-High-Level DCPMIs processing the personal data of over 50,000 data subjects.5 In Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must submit privacy audit reports to the Office of the Privacy Commissioner (OPC).6 This is similar to the position under Nigeria’s GAID, which mandates transparent reporting mechanisms to maintain compliance. For Nigerian startups and SMEs processing personal data, the increased filing fees require budgetary planning to avoid defaults, which attract regulatory penalties.
The GAID clarifies that reliance on legitimate interest as a lawful basis for processing personal data requires a Legitimate Interest Assessment (LIA).7 In the UK, the ICO’s Legitimate Interests Assessment (LIA) framework requires organizations to document their assessment before relying on legitimate interest.8 In Australia, organizations must demonstrate proportionality when relying on legitimate interest, ensuring that data protection rights remain uncompromised. The Legitimate Interests Guidance issued by the Office of the Australian Information Commissioner (OAIC) plays a crucial role in regulating the fairness and reasonableness requirements for entities. It emphasizes that data handling practices must be reasonable, necessary, and proportionate, in line with the principles recognized under the Privacy Act 1988, so that entities do not override individuals’ rights without proper justification.9 For Nigerian startups and SMEs, this means that conducting a thorough assessment before relying on legitimate interest is essential to avoid the risks attached to non-compliance.
Another key provision of the GAID is the introduction of the Standard Notice to Address Grievance (SNAG), a mechanism allowing a data subject to formally notify a data controller or processor if the data subject reasonably believes that their right to data privacy has been violated. The submission of a SNAG is not a condition precedent for lodging a complaint with the NDPC or instituting legal action in court; rather, it serves as a structured means of seeking internal redress from an organization suspected of infringing a data subject’s privacy rights. Upon receiving a SNAG, the data controller or processor is required to communicate its decision on the matter to the NDPC through the electronic portal set up by the Commission.10 This is similar to the Canadian position under PIPEDA, where individuals must first seek resolution with the organization before lodging a complaint with the OPC.11 For Nigerian startups and SMEs, a well-managed internal complaint mechanism for data subjects enhances consumer trust whilst sparing the organization the cost of the Commission’s intervention or a lawsuit in addressing a personal data infringement.
Aligning Startups and SMEs with the GAID: Compliance Strategies.
Data controllers and processors within the Nigerian startup and SME ecosystem must develop an internal data protection compliance framework, using data audits to map and manage personal data flows, and must designate Data Protection Officers (DPOs).12 Implementing risk-based data protection measures, such as encryption and access control mechanisms, is essential. Notifying the Commission of a data breach within 72 hours should also be prioritized.13
Data Processing Software Compliance Under GAID.
The GAID imposes strict compliance obligations on data controllers and processors deploying data processing software that enables tracking, or that facilitates swift processing of personal data while establishing a communication link with data subjects. Any data controller or processor using such software must conduct a Data Privacy Impact Assessment (DPIA) before deployment.14 The software must be designed in line with the principles of privacy by design and by default, adhere to data security guidelines, and include a privacy policy within the software interface. Additionally, the directive requires data controllers and processors to provide a privacy statement before installation, explicitly informing users of the types of personal data to be processed, the lawful purpose of the processing, and the security measures in place to protect their data.15
By mandating these measures, the GAID aligns with global best practices. For instance, the UK’s Information Commissioner’s Office (ICO) requires a DPIA for software used to track or profile users, ensuring compliance with GDPR principles.16 Similarly, in Australia, privacy-by-design principles are emphasized under the Privacy Act 1988, requiring software developers and organizations to integrate privacy safeguards at every stage of development. Nigerian data processors using data processing software are therefore required to ensure compliance with these provisions to avoid regulatory and reputational risks.
The NDPC is committed to an open-door policy that balances individual rights with economic progress. To strengthen compliance, the Commission will issue guidance notices, advisories, and capacity-building programs to promote a robust data privacy culture across Nigeria. Full implementation of the GAID 2025 will commence in September 2025, following a six-month transition period, and provisions relating to fees and financial obligations will take effect in January 2026, giving data controllers and processors ample time to comply with the regulatory requirements. These measures aim to ensure a smooth transition while reinforcing Nigeria’s evolving data protection framework.
Conclusion
The GAID provides a structured compliance roadmap for data processors and controllers, ensuring alignment with the NDPA 2023 while incorporating international best practices from the UK, Australia, and Canada. With the GAID 2025, Nigerian businesses can maintain regulatory compliance, strengthen consumer trust, and mitigate data risks. Startups and SMEs must take proactive steps to implement data protection policies to secure long-term sustainability in Nigeria’s digital economy.
Endnotes
1. Nigeria Data Protection Act 2023, ss 1(a), 6(c), 61 and 62.
2. Nigeria Data Protection Act 2023, s 2.
3. Data Protection Act 2018 (UK), s 16.
4. Privacy Act 1988 (Cth) (Australia), s 33.
5. Nigeria Data Protection Act – General Application and Implementation Directive 2025, art 10(6).
6. Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (Canada).
7. GAID 2025, art 26(1), Schedule 8.
8. Information Commissioner’s Office, ‘Guide to the UK GDPR: Legitimate Interests’ (ICO, 2024) <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/legitimate-interests/> accessed 23 March 2025.
9. Office of the Australian Information Commissioner, ‘Legitimate Interests Guidance’ (OAIC, 2024) <https://www.oaic.gov.au/privacy/the-privacy-act/review-of-the-privacy-act/privacy-act-review-issues-paper-submission/part-6/> accessed 23 March 2025.
10. GAID 2025, art 40(2), (5) and (6).
11. PIPEDA (Canada), s 13.
12. GAID 2025, art 11.
13. GAID 2025, art 33.
14. GAID 2025, art 31.
15. Ibid.
16. Information Commissioner’s Office, ‘Guide to the UK GDPR: When Do We Need a DPIA’ (ICO, 2024) <https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/> accessed 23 March 2025.
Written by Adeola Osifeko LLB, LLM, BL, ACIS, ABR
