Dear Clients and Partners,
The General Application and Implementation Directive (GAID) 2025 will take effect from September 19, 2025. From that date, the Nigeria Data Protection Regulation (NDPR) 2019 and the NDPR 2019: Implementation Framework 2020 will cease to be applicable. The GAID establishes the framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It imposes structured compliance obligations on data controllers and processors, significantly raising the bar for data governance across both public and private sectors.
Below is a brief summary of the key provisions:
- Classification, Registration & Audits - Organisations designated as Data Controllers/Processors of Major Importance (DCPMIs) must register with the NDPC. DCPMIs are classified as Ultra-High, Extra-High, or Ordinary-High Level, based on specific criteria. Under GAID, these entities are required to complete an initial data protection audit within 15 months of registration and submit annual Compliance Audit Returns (CARs) thereafter. The Directive also introduces new tiered filing fees.
- Appointment of Data Protection Officers (DPOs) - DCPMIs must appoint qualified DPOs, supported by associate DPOs or privacy champions, and submit internal compliance reports semi-annually.
- Strengthened Data Subject Rights & Redress Mechanisms - Clear, accessible privacy notices are now mandatory. The introduction of a Standard Notice to Address Grievance (SNAG) for data subjects enhances internal complaint resolution processes.
- Data Protection Impact Assessments (DPIAs) - Mandatory DPIAs are required for high-risk processing activities, especially where emerging technologies (such as blockchain and IoT) or sensitive personal data are involved. These assessments must be properly documented and may be submitted to the NDPC upon request.
- Cross-Border Transfers & Consent – All data transfers outside Nigeria require adequate safeguards or prior approval. Specific, informed consent is mandatory for sensitive processing scenarios.
- Creation of Detailed Schedules of Compliance – These will serve as structured roadmaps outlining each NDPA obligation, the required actions, responsible personnel, and specific timelines for implementation. They are intended as essential tools for monitoring progress, ensuring accountability, and demonstrating a deliberate and organized approach to data protection compliance.
- Semi-Annual Data Protection Report – This report is to be prepared by the DPO and should outline a data controller or processor’s compliance status under the NDPA. The report should be incorporated into the organisation’s Record of Processing Activities (RoPA) and is subject to verification by a licensed DPCO during the annual compliance audit. Accordingly, RoPAs must be updated to include this report on a biannual basis.
- Annual Credential Assessment (ACA) for DPOs – The ACA is a separate but complementary process to the CAR, as the ACA aims to verify the DPO’s credentials and Continuous Professional Development (CPD) activities. These are to be reported in the CAR. All formally designated DPOs must complete the ACA, earn at least four Commission-recognized CPD credits annually and pass a certification exam. The Commission currently maintains a central database of certified DPOs and offers training programs such as the Virtual Privacy Academy.
With the issuance of the GAID, it is anticipated that the NDPC will be stricter in its enforcement of the provisions of the NDPA. The NDPC has already begun issuing compliance notices and directives to organisations found in breach of the NDPA – well ahead of GAID's formal commencement. Sanctions for non-compliance range from monetary fines (penalties of up to ₦10,000,000 or 2% of annual gross revenue) and suspension of data processing activities to criminal prosecution of key officers, including CEOs, COOs, CFOs, and CTOs of defaulting entities.
With the GAID now firmly placing data protection at the heart of regulatory compliance, full alignment with the NDPA is essential for businesses across all sectors. We would be pleased to support your organisation in navigating GAID 2025 and building a strong, future-proof compliance regime.
How B&I Can Support You
Our Data Protection team offers end-to-end support in aligning business operations with GAID 2025, including:
- Designing and implementing NDPA-compliant data protection frameworks
- Conducting gap analyses and compliance audits
- Advising on cross-border data transfers and lawful bases for processing
- Managing NDPC classifications, registrations and regulatory filings
- Appointment and training of Data Protection Officers (DPOs)
- Facilitating DPO support and internal staff training
- Preparation and filing of Compliance Audit Returns (CARs)
- Advising on responses and resolution of issued SNAGs
- Conducting DPIAs, TIAs, and LIAs
- Advising on cross-border data transfers and consent frameworks
- Ongoing regulatory updates and audit readiness support
To assess your organisation’s readiness or develop a tailored compliance strategy, please contact our team. We look forward to supporting your compliance journey.
For further information on the General Application and Implementation Directive (GAID) 2025, kindly read our recent article, “Synoptic Analysis of the Nigeria Data Protection Act General Application and Implementation Directive (GAID) 2025”, which outlines the scope and implications of the GAID.
Disclaimer: This article is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal advice on the readers’ specific circumstances when they arise.