Nigeria’s Data Protection Commission’s General Application and Implementation Directive (GAID) 2025 is set to operationalise the primary data protection legislation - the Nigeria Data Protection Act (NDPA) 2023 - from September 19, 2025. This will regulate the interpretation and implementation of the NDPA across public and private sector data processing activities in Nigeria.  

The primary focus of GAID is to aid the implementation of the NDPA by providing practical guidance and detailing obligations of organisations, including conducting data protection impact assessments (DPIAs) and the appointment of Data Protection Officers (DPOs). It also introduces user‑friendly complaint mechanisms, such as the Standard Notice to Address Grievance (SNAG), which will allow citizens to raise complaints or requests without needing specific legal knowledge.  

Key takeaways from the GAID are as follows: 

  • It repeals the Nigeria Data Protection Regulation (NDPR) 2019 as a governing framework. 

  • It imposes obligations on individuals processing personal data for household or personal use. Individuals must respect data protection and privacy principles and can be held accountable for endangering or failing toensurethe security of other data subjects’ data. 

  • It introduces detailed compliance duties for data controllers and processors to ensure accountability and transparency in data processing activities. 

  • It expands on the interpretation of “operating in Nigeria” to include foreign data controllers and processors targeting Nigerian data subjects. 

The GAID strives to uphold data dignity and privacy and implements clear obligations and data protection enforcement mechanisms. However, it may present compliance challenges, such as cross-border data transfers, andconcerns for startup businesses. While the NDPA previously applied to foreign entities processing personal data of Nigerian residents, the GAID expands this to apply to foreign entities which intentionally target Nigerian data subjects. Additionally, the GAID establishes that any Nigerian citizen outside of Nigeria can now be considered a “data subject” under the NDPA.  

Organisations and individuals must begin implementing practices and obligations ahead of the GAID’s commencement on September 19, 2025. 

HewardMills’ global team of expert DPOs can help implement practical solutions and work closely with organisations to ensure compliance with local regulatory requirements, such as Nigeria’s GAID. From reviewing data processing activities and impact assessments to providing specialist outsourced data protection services, we can provide strategic advice to mitigate risks wherever your organisation operates.