Nigeria’s New Data Protection Framework: GAID Comes Into Effect

On 19 September 2025, the General Application and Implementation Directive (GAID) officially came into force, marking a significant stride in Nigeria’s data protection and privacy landscape. The GAID was issued on 20 March 2025 by the Nigeria Data Protection Commission (NDPC) in exercise of its powers under Sections 6, 61, and 62 of the Nigeria Data Protection Act (NDPA).

This new regulatory framework reflects Nigeria’s commitment to strengthening data governance, capacity development, and the protection of fundamental rights in an increasingly digital economy. Importantly, Article 3 of the GAID repeals the Nigeria Data Protection Regulation (NDPR), consolidating Nigeria’s data protection regime under the NDPA and GAID.

Scope of Application

The GAID applies to all situations in which personal data is processed, whether by Nigerian entities or by foreign organisations targeting Nigerian residents.

  • Personal data is defined under Section 65 of the NDPA as “any information relating to an identified or identifiable natural person.”

  • Data processing is defined as “any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, dissemination, alignment, or erasure.”

  • Data controllers are persons or entities who determine the purpose and means of processing, while data processors are those who process personal data on behalf of a controller.

Lawful Bases for Processing Personal Data

Personal data may only be processed on one of six lawful bases recognised under the NDPA and GAID:

  1. Consent of the data subject
  2. Contractual necessity
  3. Compliance with a legal obligation
  4. Protection of vital interests of a data subject
  5. Performance of a task in the public interest
  6. Legitimate interest pursued by the data controller/processor (a Legitimate Interest Assessment Report is required when relying on this)

Mandatory Registration of Data Controllers/Processors of Major Importance (DCMIs)

The GAID categorises entities into three main levels based on the volume and sensitivity of data processed:

  1. Ordinary Data Controllers/Processors of Major Importance (DCMIs): Entities controlling or processing data of at least 200 persons.
    • Must register and renew registration annually with the NDPC.
  2. Extra-High Level DCMIs: Entities controlling or processing data of at least 1,000 persons.
    • Register once, but must file annual Compliance Audit Reports (CARs).
  3. Ultra-High Level DCMIs: Entities controlling or processing data of 5,000 persons or more.
    • Register once, but are also required to file annual CARs.

Compliance Audit Reports must be prepared under the supervision of a Data Protection Officer (DPO).

Appointment of Data Protection Officers (DPOs)

The GAID makes it mandatory for data controllers/processors of major importance to appoint a qualified Data Protection Officer. The DPO is responsible for ensuring ongoing compliance, supervising Data Protection Impact Assessments (DPIAs), and liaising with the NDPC.

Why This Matters

The coming into force of the GAID represents a critical shift in Nigeria’s data protection ecosystem. Organisations across all sectors, from healthcare and fintech to e-commerce and logistics, must now re-evaluate their data practices and compliance strategies. The implementation of this directive is also another laudable step in aligning Nigerian data practices with globally accepted standards. Companies and organisations that align with these standards are better positioned to harness global opportunities and are more amenable to collaboration, investment and partnerships from international entities. Conversely, failure to comply exposes businesses to regulatory sanctions, reputational damage, and loss of customer trust.

How Primrose Den Partners Can Help

At Primrose Den Partners, we are committed to guiding organisations through these new compliance obligations. Our services include:

  • Registration of entities as DCMIs
  • Outsourcing/appointment of DPOs
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Preparing Compliance Audit Reports (CARs) and periodic reports
  • Developing/updating privacy and cookie policies
  • Delivering data protection training to staff and executives