Key Highlights of the Nigeria Data Protection Act General Application and Implementation Directive.
Not all drafts remain drafts. Some evolve, take shape, and become law. After almost a year of deliberation, the Nigeria Data Protection Act (NDPA) General Application and Implementation Directive (GAID) has completed the journey from proposal to enforceable regulation. The draft GAID was published by the Nigeria Data Protection Commission (NDPC) on May 31, 2024 to establish implementation frameworks for enforcing the provisions of the NDPA. On March 20, 2025, the NDPC issued the GAID as a legal instrument guiding data controllers and processors in implementing the NDPA. In this newsletter, we examine some of the key provisions of the GAID and their implications for the data protection space in Nigeria.
Highlights of the GAID
1. Categories of Data Subjects: The GAID clarifies the scope of individuals entitled to data subject rights under the NDPA by identifying four distinct categories:
● data subjects within Nigeria, regardless of citizenship or immigration status
● data subjects whose personal data has been transferred to Nigeria
● data subjects whose personal data is transmitted through Nigeria, and
● Nigerian citizens living outside Nigeria.
2. Revocation of the NDPR: The NDPA preserved regulations made by the National Information Technology Development Agency (NITDA) and the Nigeria Data Protection Bureau (NDPB), including the Nigeria Data Protection Regulation (NDPR) 2019, to the extent that they did not conflict with the NDPA; in cases of conflict, the NDPA prevails. The GAID now explicitly directs that the NDPR ceases to be a legal instrument for regulating data protection in Nigeria. Importantly, this does not invalidate actions taken under the NDPR before the GAID's issuance.
3. Compliance Provisions: The GAID outlines the core compliance measures for data controllers and processors. Data controllers and processors of major importance must register with the Commission and conduct a compliance audit within 15 months of commencing business, followed by annual audits. Their obligations include:
● developing and publishing an organisational privacy policy, displaying prominent privacy and cookie notices, and explaining their data processing clearly;
● maintaining a robust data protection strategy, training staff every six months, and keeping compliance reports;
● conducting Data Protection Impact Assessments (DPIAs) where necessary, and operating systems that allow data subjects to access and transfer their data without friction;
● updating agreements with third-party processors to reflect the NDPA and the GAID;
● notifying the Commission of a personal data breach within 72 hours, and informing affected data subjects immediately where the breach presents a high risk to them;
● filing Compliance Audit Returns (CAR) annually by March 31st and establishing data security maintenance schedules; and
● clearly communicating the complaints process to data subjects, including their right to lodge complaints with the Commission.
4. Categorisation and Compliance of Data Controllers and Processors: The NDPC classifies data controllers and processors of major importance into three levels: Ultra High Level (UHL), Extra High Level (EHL), and Ordinary High Level (OHL). The GAID clarifies that UHL and EHL entities register once and then file Compliance Audit Returns (CAR) annually, whereas OHL entities renew their registration annually without filing a CAR. All registered entities must notify the Commission of significant changes to their registration information within 60 days.
5. Lawful Bases for Data Processing: The GAID requires data controllers to carefully determine the appropriate lawful basis for processing personal data. It recognizes several lawful bases for data processing, including consent, contractual obligation, legal obligation, vital interest, public interest, and legitimate interest.
Additionally, the GAID introduces Special Rule of Law Indexes (SRLI) concerning consent as a lawful basis for data processing. Under these indexes, where a complaint to the Commission alleges that personal data was processed without consent, the Commission must assess whether insisting on consent as the lawful basis would undermine the rule of law. In making this determination, the Commission considers factors such as the potential risk to the fundamental rights and freedoms of the data subject and of third parties, security implications, equality, neutrality, and public welfare. Other considerations include any prior relationship between the data controller and the data subject, and the proportionality and necessity of the processing.
6. Schedules: Data controllers and processors must establish comprehensive schedules for the monitoring, evaluation, and maintenance of their data security systems. These schedules must cover personnel, processes, and technologies, and set out specific technical and organisational measures, including regular training, certifications, software updates, database vulnerability tests, hardware assessments, authentication checks, encryption reviews, and quality assurance for the confidentiality, integrity, and availability of personal data. Designated officers must carry out these tasks within the stipulated timeframes, and each schedule must be vetted and certified by a qualified information security officer. Monitoring, evaluation, and maintenance of data security systems are to be continuous, with the frequency of each activity determined by the risk inherent in the processing concerned.
7. Emerging Technologies: Data controllers and processors deploying Emerging Technologies (ETs) such as AI, IoT, and blockchain to process personal data must set technical and organisational parameters for that processing and ensure that the ET tools meet the applicable legal thresholds. They are obliged to:
● Consider relevant laws and public policy.
● Conduct a Data Protection Impact Assessment (DPIA).
● Test ETs in low-risk environments.
● Assess and address potential disparate outcomes.
● Retool and re-test ETs until satisfactory results are achieved.
● Implement continuous monitoring and evaluation for safe ET.
Conclusion
The GAID marks a significant step in strengthening Nigeria’s data protection framework, providing clear guidelines for compliance, enforcement, and responsible data processing. By establishing structured obligations for data controllers and processors, the directive enhances regulatory certainty and aligns Nigeria’s data protection landscape with global best practices.
Ifeanyi Ugbechie