In March 2025, Nigeria's Data Protection Commission (NDPC) published the General Application and Implementation Directive (GAID) of the Nigeria Data Protection Act 2023 (NDPA), which took effect on 19 September 2025.
Because the directive expressly repealed and replaced the Nigeria Data Protection Regulation 2019 (NDPR), organizations are now working out how to move from the NDPR era into the NDPA-GAID compliance framework. The GAID is a significant milestone as the first official implementation guideline issued under the NDPA, and it is designed not merely as a legal document but as a practical roadmap for organizations that want to embed data protection into their day-to-day operations.
The GAID offers clear, practical guidance on the obligations and compliance expectations set out in the primary legislation.
Scope analysis: Examining applicability, reach of the GAID
The GAID begins by situating itself firmly within the scope of the NDPA. Article 1 underscores that all processes and transactions relating to the personal data of data subjects in Nigeria must take into account both the material and territorial scope of the NDPA, in line with constitutional obligations.
Importantly, the GAID directly ties the material scope to the Constitution of the Federal Republic of Nigeria, 1999, as amended, emphasizing that privacy is not merely a statutory right but a constitutionally protected interest.
The GAID also explains Section 2(c) of the NDPA, which provides that the act applies to the processing of personal data even where the data controller or processor is not domiciled in Nigeria, so long as it processes the personal data of data subjects in Nigeria. Drawing on the principle of universality of civil liberties, under which a natural person's fundamental rights are protected wherever that person is, Article 1(3-4) of the GAID clarifies the residency rules that govern the territorial scope of data subject rights under the NDPA, which apply "regardless of nationality and migration status."
These rights may be limited only in the specific cases permitted by Nigeria's 1999 Constitution, as amended, or by binding international treaties. For organizations, this means that even foreign operations and globally distributed teams must assess whether their activities touch Nigerian data subjects and, if they do, ensure full compliance with the NDPA-GAID requirements.
Obligations: Responsibilities of data controllers, processors
Under the GAID, data controllers and processors retain the baseline obligations of the NDPA while also facing a more structured and measurable compliance framework. Core obligations include registration with the NDPC for data controllers and processors of major importance, annual audits and the filing of compliance audit returns, appointment of a data protection officer (DPO), maintenance of privacy policies and cookie notices, updated data processing contracts, timely breach notifications, and mechanisms through which data subjects can exercise their rights of access, rectification, erasure and portability.
These obligations are not about ticking boxes once a year; they are about embedding routines, clear accountability and ongoing monitoring into daily operations. By meeting them in that spirit, organizations turn a legal requirement into a living, operational practice that everyone in the organization can understand and contribute to.
Introduction of semi-annual data protection report
A key innovation in the GAID is the semi-annual data protection report, which is prepared by an organization's DPO and verified by a licensed data protection compliance organization (DPCO). Each report must review the organization's data processing activities over the preceding six months, covering privacy notices, the categories of data processed, lawful bases, data privacy impact assessment (DPIA) or legitimate interest assessment requirements, the ease with which data subjects can exercise their rights, complaint handling, data security measures, the legal grounds relied on for cross-border data transfers, and breach notifications.
Organizations should establish a structured reporting timetable that draws on input from the relevant departments, such as information technology, human resources, legal, data and sales, and align the DPO's report with their regular internal reviews. This embeds the six-month reporting cycle into routine compliance processes instead of treating it as a last-minute task.
Mandatory data privacy impact assessment
In addition to requiring a DPIA wherever processing presents a high risk to the rights of data subjects, the GAID makes a DPIA mandatory for specified high-risk activities. These include large-scale processing of sensitive data, monitoring of publicly accessible areas, automated decision-making with significant effects on individuals, deployment of software or innovative technological processes for data processing, processing of data for financial services delivered through digital platforms, data processing in the health and e-commerce sectors, and cross-border data transfers.
The GAID's release coincides with the spread of disruptive technologies such as artificial intelligence, blockchain and advanced cloud computing, which introduce complex privacy, security and regulatory challenges. It gives organizations in Nigeria a compliance blueprint that is both operationally rigorous and internationally credible.
Organizations are encouraged to integrate DPIAs into their "privacy by design" approach, which means a DPIA must be completed before any processing activity begins. Where identified risks remain unmitigated, the NDPC must be consulted before the processing proceeds. Practical steps include building a DPIA workflow into project management systems so that no high-risk processing starts without a documented assessment and sign-off, retaining all DPIA records, training staff to recognize high-risk processing, and monitoring the agreed mitigation measures on an ongoing basis.
Records of processing activities
The GAID requires organizations to keep a record of processing activities (ROPA), a document used to track the processing of personal data. It typically records the categories of personal data collected and processed, the purposes of and legal bases for processing, the recipients of personal data, retention periods, and the security measures in place to protect the data.
Maintaining a ROPA helps organizations stay accountable, demonstrate compliance with data protection law, and support audits and regulatory reviews. It should be kept current and reviewed regularly, especially whenever a new processing activity is introduced.
To embed this requirement, organizations can adopt ROPA templates and build periodic reviews into their operational routines.
Broader impact, cross-border relevance on compliance strategies in Nigeria
Schedule 5 of the GAID regulates cross-border data transfers pending the issuance of dedicated regulations. It sets out adequacy criteria, lawful transfer mechanisms and the safeguards required. Where an adequacy decision is absent, transfers must rely on approved cross-border data transfer instruments and authorization from the NDPC.
The GAID also anticipates stronger cooperation between the NDPC and foreign regulators through joint investigations, coordinated enforcement and mutual oversight. This strengthens protection for individuals from Nigeria when their data is processed abroad and reinforces Nigeria's credibility in global privacy governance.
For multinationals and digital platforms, the GAID brings higher due diligence requirements, stricter vendor oversight, and potential data localization where neither adequacy nor an approved cross-border data transfer instrument is available. It balances enabling lawful international data flows with asserting Nigeria's data sovereignty by combining adequacy principles, human rights protections, vulnerability considerations and enforcement cooperation in a single framework.
Data privacy training and awareness
The GAID further mandates structured staff sensitization and training, the circulation of internal privacy strategies and checklists, the development of systems that enable seamless data portability, and clear communication of complaint-handling procedures, including escalation to the NDPC.
In essence, while the NDPA lays the legal foundation, the GAID makes compliance proactive by requiring ongoing reporting, built-in safeguards, verifiable controls and a strong organizational privacy culture. This moves organizations beyond ticking compliance checklists toward a culture in which privacy is embedded in everyday decision-making.
Provision of statutory templates
The GAID takes a practical approach by supplying statutory templates for many of the key privacy and data protection documents and records that organizations are now required to maintain. These templates serve as authoritative models for compliance, reducing ambiguity and promoting uniform standards across sectors.
Their significance is all the greater because the GAID addresses some of the NDPA's most debated and unclear areas, laying down operational guardrails that will shape how data controllers and processors interpret and fulfil their legal duties. Organizations should treat the templates not as mere examples but as working documents, adapting them and integrating them into internal policies and procedures so they are applied consistently across departments.
Consequences for noncompliance
The GAID is the operational framework for the NDPA, and compliance with it is mandatory; a failure to adhere to its provisions constitutes a breach of the NDPA itself. The NDPC has broad powers, ranging from investigation to corrective directives and, where necessary, financial and criminal sanctions.
Where the NDPC finds that an organization has violated, or is likely to violate, any provision of the NDPA or the GAID, it may issue a compliance order formally requiring the organization to take specified remedial action within a prescribed timeframe. Such measures may include warnings, mandatory corrective steps, or directions to stop processing activities that contravene the law. Compliance orders are intended to make organizations address risks proactively and prevent further breaches.
Where an organization fails to comply with a compliance order, or where a breach is confirmed following an investigation, the NDPC may escalate by issuing an enforcement order. Enforcement orders can compel an organization to remedy the violation, compensate affected data subjects, account for any profits derived from the unlawful processing, or pay monetary penalties.
Failure to comply with an enforcement order is a criminal offense. On prosecution and conviction, the organization and, where applicable, its responsible officers may be liable to a fine. For data controllers and processors of major importance the fine is up to NGN10 million or 2% of annual gross revenue for the preceding financial year, whichever is higher; other categories of data controllers and processors face a lower but still significant fine of up to NGN2 million or 2% of annual gross revenue for the preceding financial year, whichever is higher.
In addition to these fines, the law provides for criminal liability: an offender may be sentenced to imprisonment for a term not exceeding one year, or to both imprisonment and a fine.
Beyond statutory penalties, noncompliance may also lead to reputational damage, loss of consumer trust and other commercial consequences. The enforcement framework underscores that adherence to the GAID is not merely a legal formality but a fundamental aspect of organizational accountability, governance and responsible data management.
Looking ahead
The GAID is not a static rulebook but a living framework. Beyond compliance, it drives a cultural shift in which management must recognize data protection as an enterprise risk, invest in expertise, and integrate privacy by design into all operations. Ongoing enforcement and future regulatory instruments will continue to shape both organizational and technical obligations.
To stay ahead, organizations should move quickly to operationalize the GAID's requirements, invest in data governance structures, and build adaptive compliance systems that can evolve with technological change and regulatory updates, positioning themselves for competitive advantage in an increasingly data-driven economy.
Kodichi Anigbogu, CIPP/E, is a senior associate at Jackson, Etti & Edu, and leads the firm's data protection practice.