If you are a data controller hearing about the GAID 2025 for the first time, here’s a quick overview. The General Application and Implementation Directive (GAID), recently released by the NDPC, is a guide for stakeholders to understand the Nigeria Data Protection Act (NDPA). It is essential for organizations that handle personal data, as it clarifies their responsibilities to data subjects under the NDPA.

Here’s what you should know about GAID 2025 and how it affects your organization.

Its Effect on the NDPR

Upon publication of the GAID, the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework, NDPR 2020, cease to be applicable as the operational framework for the NDPA.[1] However, this does not affect the validity of procedures that have already been undertaken under the NDPR.

The GAID Practicalizes the Provisions of the NDPA

As a data controller, you’re probably familiar with some of the provisions of the NDPA. Well, the GAID translates these provisions into actionable compliance requirements. It builds on the extant NDPA as an operational framework for actualizing its provisions. It sets out practical steps on how data controllers and processors should fulfill their obligations in handling personal data.

Appointment of Data Protection Officers

The GAID makes it mandatory for organizations classified as Data Controllers and Processors of Major Importance (DCMIs) to appoint a Data Protection Officer (DPO). They can also appoint Associate DPOs or privacy champions to assist in managing data protection responsibilities within an organization.[2] DPOs must report directly to senior management, operate independently, and submit data protection reports twice a year. Additionally, they must undergo an annual credential assessment to ensure compliance.[3]

Requirements on Cross-Border Data Transfers

For data controllers planning to transfer personal data outside Nigeria, the GAID now mandates stricter compliance measures to safeguard Nigerians’ data abroad. Data controllers must take the following precautions:

  • Seek approval of the NDPC confirming that the destination country has similar data protection laws.
  • Draft legally binding agreements between the data exporter and importer, compliant with Nigeria’s Data Protection Act (NDPA).
  • Seek explicit consent of data subjects unless there is another legal basis that justifies the transfer.

The Introduction of SNAG for Addressing Grievances

One of the novel introductions of the GAID is a more efficient mode of addressing grievances known as SNAG, Standard Notice to Address Grievance.[4] Data subjects are now encouraged to formally demand action regarding their data rights from any organization handling their data. They no longer need to get in touch with the NDPC first before these rights can be enforced. Internal resolution of complaints is encouraged, and data controllers are mandated to acknowledge any SNAG notice and address it within a specific time. Where the organization fails to do this, such matters can then be escalated to the NDPC. Data controllers are expected to be accountable and create a transparent process of responding promptly to these notices. Data controllers that fail to comply would be in breach of this regulation.

Lawful Basis for Processing Data

Building on the NDPA, the GAID expands on what constitutes a lawful basis for data processing. It introduces the concept of Special Rule of Law Indexes (SLI) to address cases where consent is unclear or obtained in a way that violates individuals’ fundamental rights. It specifies some cases in which consent is mandatory, such as direct marketing, the processing of sensitive data or minors’ personal information, and international data transfers to non-whitelisted countries. In some cases, consent may also be implied.

Data Breach Notification

The directive also clarifies when a data breach becomes a high risk to individuals’ rights and the necessity to notify the NDPC. A breach is considered high-risk if it exposes individuals to fraud, identity theft, or the disclosure of sensitive personal data. Data controllers are mandated to report such breaches to the NDPC within 72 hours and also notify relevant authorities immediately to ascertain if early intervention could help contain the breach.[5]

Compliance of Data Processing Software

The GAID further mandates that data controllers and processors using data processing software to handle personal data meet obligations such as conducting a data protection impact assessment (DPIA) before deployment, ensuring the software is designed with privacy in mind, following security guidelines set by app stores, and including a privacy policy within the software.[6]

Implementation of the GAID Provisions

The implementation of the GAID is scheduled to begin in September 2025.[7] This gives about a six-month moratorium for organizations to adapt and get their policies in line. Also, provisions regarding registration fees, all penalties, and levies will be enforced as of January 2026.

Enforcement of Compliance by the NDPC

Although the GAID is mainly an operational framework, it carries legal implications, meaning that non-compliance can lead to penalties enforced by the NDPC. Data controllers are therefore advised to familiarize themselves with its provisions and seek guidance from data privacy professionals when necessary.

[1] Article 3(3)

[2] Article 7

[3] Articles 12, 13, and 14

[4] Article 34(4) of the GAID

[5] Article 34(4) of the GAID

[6] Article 32(1) of the GAID

[7] EBusinesslife, “NDPC To Start Full Implementation Of NDP Act In September”, <https://ebusinesslife.com.ng/ndpc-to-start-full-implementation-of-ndp-act-in-september/#:~:text=Vincent%20Olatunji%2C%20at%20a%20media%20briefing%20in,an%20implementation%20guideline%20for%20the%20NDP%20Act.>