UPDATE ON THE NEW GENERAL APPLICATION AND IMPLEMENTATION DIRECTIVE (GAID) 2025.

The General Application and Implementation Directive 2025 (GAID 2025) was issued under the Nigeria Data Protection Act, 2023 (the NDP Act). The Directive came into force on 20 March 2025 and became fully effective on 19 September 2025.

The purpose of the GAID is simple: to explain how the NDP Act should actually be applied in practice. It gives structure to compliance, especially at a time when technology is changing how people, businesses, and governments use personal data every day. At its core, it reinforces the right to privacy under Section 37 of the 1999 Constitution and supports the growth of a digital economy that people can trust.

Why the Nigeria Data Protection Act Matters

The NDP Act exists to protect people. It safeguards the rights and freedoms of individuals when their personal data is being processed and creates a proper legal framework for how organisations are expected to handle the personal data of data subjects in Nigeria.

Objectives of the Act and GAID

The objectives of the Act and the GAID are as follows:

  1. To protect the fundamental rights of data subjects under the Constitution;
  2. To regulate how personal data is processed;
  3. To promote data security and privacy;
  4. To ensure that data is processed in a fair, lawful, and accountable manner;
  5. To provide remedies when data rights are breached;
  6. To hold data controllers and processors responsible for their obligations; and
  7. To establish an independent regulatory authority to supervise data protection and collection of personal data in Nigeria.

The Act also aims to strengthen Nigeria’s digital economy and ensure that personal data can be used in a beneficial and trusted way, both locally and internationally.

Where the Act Applies

The NDP Act applies to the processing of personal data whether done by automated systems or otherwise. It covers situations where:

  1. The data controller or processor is domiciled in, resident in, or operating in Nigeria;
  2. The processing takes place within Nigeria; or
  3. The organisation is outside Nigeria but processes or targets the personal data of people in Nigeria.

The GAID explains that even where a company is not physically present in Nigeria, it can still be subject to the Act and GAID if it processes the data of Nigerian data subjects. This makes it clear that data protection is not limited by borders.

Universality of Data Subject Rights

The GAID reflects the principle that a person’s fundamental rights do not disappear simply because of location. A data subject is entitled to protection of their rights anywhere in the world, subject only to constitutional limits and applicable international law.

Under Article 1 of the GAID, data subject rights apply to:

  1. Anyone within Nigeria, regardless of nationality or migration status;
  2. Anyone whose personal data has been transferred to Nigeria;
  3. Anyone whose data is merely in transit through Nigeria, in which case obligations are limited to confidentiality, integrity, and availability; and
  4. Nigerian citizens outside the country; the Commission is empowered to seek mutual legal assistance where necessary under international law.

This reinforces the idea that privacy is a fundamental right and not just a local compliance issue.

Core Compliance Obligations for Organisations

To comply with the NDP Act and GAID, data controllers and processors are expected to take practical and documented steps, including:

  1. Registering with the Nigeria Data Protection Commission as a data controller and processor of major importance;
  2. Carrying out a compliance audit within fifteen (15) months of starting business and annually thereafter;
  3. Filing Compliance Audit Returns (CAR) where required;
  4. Identifying all obligations under the Act and preparing clear compliance schedules;
  5. Preparing semi‑annual data protection reports and maintaining data security systems to ensure confidentiality, integrity, and availability;
  6. Training staff regularly and sensitising employees on data protection responsibilities;
  7. Appointing a Data Protection Officer (DPO);
  8. Developing and publishing a compliant privacy policy;
  9. Providing visible and meaningful privacy and cookie notices on websites;
  10. Carrying out Data Privacy Impact Assessments (DPIAs) where required;
  11. Reporting data breaches to the Commission within 72 hours and notifying affected data subjects where the risk is high;
  12. Updating third‑party agreements to reflect NDP Act obligations;
  13. Designing systems that allow data subjects to access, correct, and transfer their data easily; and
  14. Clearly explaining complaint procedures to data subjects, including the right to approach the Commission.

These requirements are meant to make data protection part of everyday business operations, not just paperwork.

Classification of Data Controllers and Processors of Major Importance

The GAID classifies major data controllers and processors based on scale and impact:

  1. Ultra-High Level (UHL)
     • Tier A: 50,000 data subjects and above
     • Tier B: 25,000–49,999 data subjects
     • Tier C: below 25,000 data subjects
  2. Extra-High Level (EHL)
     • Tier A: 10,000 data subjects and above
     • Tier B: 5,000–2,500 data subjects
     • Tier C: below 2,500 data subjects
  3. Ordinary-High Level (OHL): the number of data subjects was not specified by the Commission.

Factors for Classification

UHL organisations are expected to meet global standards and typically qualify if at least four of the following apply:

  1. High sensitivity of personal data;
  2. Significant data-driven financial assets entrusted;
  3. Reliance on third-party servers or cloud services for substantial processing;
  4. Substantial involvement in cross-border data flows;
  5. Processing over 5,000 data subjects within six months;
  6. Requirement for international standard certifications for people, processes, and technologies.

EHL organisations meet global best practices and qualify if at least four of the following apply:

  1. High sensitivity of personal data;
  2. Significant financial assets entrusted;
  3. Functions as an establishment of government;
  4. Reliance on third-party servers for substantial processing;
  5. Involvement in cross-border data flows;
  6. Processing over 1,000 but less than 5,000 data subjects in six months;
  7. Requirement for reputable and standardised certifications.

OHL organisations typically qualify if at least four of the following apply:

  1. Sensitivity of data assets;
  2. Vulnerability of data subjects;
  3. High risk to privacy if processed systematically or automatically;
  4. Processing over 200 but less than 1,000 data subjects in six months;
  5. Need for adequate technical and organisational measures;
  6. Requirement for reputable and standardised certifications.

Fees Payable to the Commission for Audit Report

DCPMI                     Tier                              Fee (N)
Ultra-High Level (UHL)    50,000 data subjects and above    1,000,000
                          25,000–49,999 data subjects       750,000
                          below 25,000 data subjects        500,000
Extra-High Level (EHL)    10,000 data subjects and above    250,000
                          5,000–2,500 data subjects         200,000
                          below 2,500 data subjects         100,000

Specific Types of Data Controllers and Processors

  • UHL (N250,000): Commercial banks, telecom companies, insurance companies, multinationals, electricity distribution companies, oil and gas companies, social media and email app developers, communication device manufacturers, payment gateway providers, fintechs, or any organisation processing over 5,000 data subjects in six months all fall under this category.
  • EHL (N100,000): MDAs, microfinance banks, tertiary/higher institutions, hospitals providing secondary/tertiary care, mortgage banks, or any organisation processing 1,000–5,000 data subjects in six months all fall under this category.
  • OHL (N10,000): Primary/secondary schools, corporate training providers, primary health centres, independent medical labs, hotels/guest houses with under 50 suites, or processors handling 200–1,000 sensitive data subjects commercially all fall under this category.

Data Controllers that are Not of Major Importance

The following are data controllers that are not of major importance, according to the NDPC:

  1. Small traders or artisans who do not transmit personal data for business objectives;
  2. Traders with under 15 employees, or artisans without structured filing systems, holding only routine contact information;
  3. Communities of friends, professionals, or groups interacting on social media.

Exemption of Establishments or Organisations that are Data Controllers and Data Processors of Major Importance

Under Section 44(6) of the NDP Act, the following are exempted from registration as a data controller and processor of major importance:

  1. Community-based associations;
  2. Faith-based organisations;
  3. Foreign embassies and high commissions;
  4. Judicial establishments or adjudicatory bodies;
  5. Multi-governmental organisations.

Registration as a Data Controller and Processor of Major Importance

UHL and EHL entities register once and file CAR annually. OHL entities renew registration annually but are not required to file CAR. Any significant change in registration information must be reported within 60 days. Organisations that no longer qualify may request removal but remain liable for outstanding fees. The Commission maintains a public register of all registered data controllers and processors.

Filing of NDP Act Compliance Audit Returns with the Commission

Article 10 of the GAID outlines audit and CAR requirements and stipulates the following:

  1. Audits follow a risk-based approach considering people, processes, and technology;
  2. Controls must align with global best practices;
  3. Risk points are monitored at appropriate intervals;
  4. Online systems vulnerable to cyber threats are audited frequently;
  5. CAR is filed annually via the Commission’s portal;
  6. Late filing attracts a penalty of 50% of the fee payable to the Commission;
  7. UHL/EHL CAR must be submitted through licensed DPCOs;
  8. The Commission may request further information and issue a Compliance Audit Returns Certificate.

The Designation of a Data Protection Officer (DPO)

The NDP Act and the GAID place strong emphasis on the DPO and stipulate the following:

  1. Data controllers and processors of major importance must designate a DPO;
  2. A DPO can be an employee of the organisation or engaged under a service contract;
  3. The contact details of the DPO must be published and communicated to the Commission;
  4. The DPO must be involved in all processing matters in respect of data subjects;
  5. Organisations must provide resources, access, and continuous training for their DPOs;
  6. DPOs must act independently, without penalty for performing statutory duties;
  7. DPOs must report directly to management;
  8. Data subjects may contact the DPO;
  9. DPOs are bound by confidentiality and must avoid conflicts of interest;
  10. DPOs must have expert knowledge of data protection law and practice.

Credential Assessment of DPOs

Article 14 introduces formal oversight and stipulates that:

  1. The Commission maintains a database of certified DPOs, meaning that all DPOs must be certified by the NDPC;
  2. DPOs must undergo Annual Credential Assessment (ACA);
  3. DPOs must comply with the NDP Act, GAID, DPCO Code of Conduct, and professional ethics;
  4. Certification of DPOs is verified during CAR filing or registration;
  5. Verification may be declined if CPD evidence is unreliable;
  6. Verification fees may apply;
  7. Assessment ensures DPOs are fit to safeguard data subjects’ rights.

Conclusion

The GAID 2025 gives structure to Nigeria’s data protection framework. It explains how the NDP Act applies, how organisations are classified, what compliance looks like in practice, and how accountability is enforced through audits, registration, fees, exemptions, and the role of the DPO.

For any organisation processing personal data in or about Nigeria, the GAID is not optional. It is the standard for lawful, responsible, and trustworthy data use in Nigeria’s digital economy.

*********************************************************************************

About KORIAT & CO.

We are a commercial law firm in Nigeria with a network of lawyers and consultants in Ghana, Kenya and Rwanda. The above article is not legal advice and does not automatically make our readers our clients unless they specifically instruct us to act or represent them in any way.

We assist local and foreign clients to process company registration and business licences in Nigeria, Ghana, Kenya and Rwanda.

Please contact Koriat & Co. through admin@koriatlaw.com or 09067842241 if you require additional information about or assistance in processing company incorporation or application for a money lender’s licence.