Introduction
On March 20, 2025, the Nigeria Data Protection Commission ("NDPC") released the General Application and Implementation Directive 2025 ("GAID"), superseding the Nigeria Data Protection Regulation (NDPR) 2019. The GAID operationalizes the Nigeria Data Protection Act (NDPA) 2023, introducing a more structured and comprehensive framework for data processing activities in Nigeria. Our initial publication provided an overview of its key features and the broader implications for data governance under the NDPA.
In this follow-up, we shift our focus from general highlights to a more detailed analysis of three critical provisions introduced under the GAID that carry significant implications for data controllers, processors, and even individuals: (a) increased obligations for individuals processing personal data for household or personal purposes, (b) detailed compliance measures for data controllers and processors, and (c) a reinforced, risk-based categorization of data processing activities.
A. Increased Obligations for Individuals Processing Personal Data for Household or Personal Purposes
Section 3(1) of the NDPA exempts personal data processing carried out solely for personal or household purposes, provided it does not violate the fundamental right to privacy of a data subject. However, the GAID emphasizes that even personal data processed for household or personal purposes must be handled in a way that minimizes risks to the privacy and security of individuals. Individuals may still be held accountable if their processing activities cause harm or lead to a violation of privacy rights.
Behaviours that might risk the privacy of others include:
- Granting access to contacts on phones through the use of software or digital applications.
- Sharing or transferring personal data to any person or platform for any reason.
- Lack of duty of care in handling any device that stores personal data.
- Verbal or written disclosure of personal data.
- Unauthorized access to personal data of any person.[1]
Notably, the increased responsibility for processing personal data by private individuals – particularly the obligation to take adequate measures before granting access to phone contacts via digital applications – was considered in the case of Olumide Babalola LP et al. v. True Software Scandinavia et al.[2] In this case, the Court agreed that the respondent did not unilaterally collect or harvest the applicant's phone numbers. Rather, it was the users of the Truecaller application – acting as data controllers – who consented to and enabled access to those contacts. The Court held that the burden lies with individuals who share phone numbers to ensure they do not violate the privacy rights of the persons whose data is disclosed. As stated in the judgment: "The fault here, if any, is on the data controllers (users who downloaded the Truecaller application) and not the 1st Respondent. Without the actions of the data controllers, the 1st Respondent would have no access to these personal details." This provision reflects a growing recognition that personal data, even when processed for non-commercial reasons, is still sensitive and must be safeguarded.
B. Compliance Measures for Data Controllers and Processors under GAID 2025
The GAID reinforces and expands the compliance obligations outlined in the NDPA. Key highlights include:
- Mandatory Registration and Periodic Audits: Data controllers/processors of major importance must register with the NDPC and conduct compliance audits within 15 months of commencing operations, and annually thereafter. Compliance Audit Reports ("CAR") are to be submitted by March 31 each year.
- Privacy Governance Frameworks: Organizations are required to maintain up-to-date privacy policies, publish them clearly (including cookie notices), and circulate internal data protection strategies among staff, vendors, and partners.
- Internal Controls and Record-Keeping: Semi-annual data protection reports, schedules for security monitoring and staff sensitization, and detailed compliance trackers are mandatory for structured data oversight.
- Designation of a Data Protection Officer (DPO): High-level data controllers and processors must designate a DPO and, where necessary, appoint privacy champions to support the DPO across the organization's platforms.
- Third-Party Contracts and System Design: Agreements with third-party processors must be updated to ensure NDPA compliance. Organizations are also expected to design systems that make it easy for data subjects to access, correct, or port their data.
- Incident Management and Breach Notification: Controllers and processors must notify the NDPC of any personal data breach within seventy-two (72) hours, and alert affected data subjects immediately where the breach involves a high risk to their privacy.
- Training and Complaint Channels: Data privacy training must occur within six months of starting operations and be repeated at least annually. The complaints process must be clearly communicated to data subjects, including their right to escalate concerns to the NDPC.
These measures represent a significant step toward embedding data protection into the fabric of corporate governance in Nigeria.
C. Risk-Based Categorization of Data Processing Activities
The GAID outlines a risk-based classification of data controllers and processors, aligning data protection obligations with the nature, scale, and impact of their data processing activities. Under Section 65 of the NDPA, a "data controller or processor of major importance" refers to any entity—whether domiciled, resident, or merely operating in Nigeria—that processes personal data of a large number of Nigerian data subjects or handles data considered of particular value or significance to the economy, society, or security of the country.
To support regulatory precision, the GAID mandates an objective assessment of what qualifies as "major importance," taking into account factors such as: (a) the risk to data subjects if such processing is left unregulated; (c) the possibility of cross-border data transfer that undermines Nigeria's data jurisdiction; (d) the sensitivity of data involved (e.g., health, biometric, or financial data); (e) the use of third-party servers or cloud infrastructure; (f) the volume of data subjects impacted; (g) the extent of automation or AI used in processing; (h) the degree of international data exchange or cross-border flow; and (i) the need for internationally recognized data security standards.
To ensure proportional application of compliance obligations, the GAID classifies major data processing entities into three tiers:
- Ultra-High Level (UHL): UHLs include commercial banks operating at national or regional level, telecom companies, multinational companies, electricity companies, public social media app developers and proprietors, fintechs, oil and gas companies, among others. They are required to register once and file a CAR annually with the NDPC.[3]
- Extra-High Level (EHL): EHLs include Ministries, Departments and Agencies of government, microfinance banks, universities, mortgage banks and hospitals providing tertiary or secondary medical services. Just like the UHLs, they are required to register once and file a CAR annually with the NDPC.[4]
- Ordinary-High Level (OHL): OHLs include primary and secondary schools, corporate training service providers, primary health centres, independent medical laboratories, and hotels and guest houses with fewer than fifty (50) suites. They are required to renew their registration with the NDPC annually but need not file a CAR annually with the NDPC.[5]
Each classification comes with differentiated obligations, reporting expectations, and fee structures, outlined in Schedule 7 of the GAID. These categories serve to prioritize regulatory focus on high-impact processors, while encouraging smaller or lower-risk data controllers to adopt good practices without being overburdened by compliance overheads.
Why It Matters
The GAID marks a fundamental evolution in Nigeria's data governance regime. It shifts from broad policy statements to operational, measurable obligations that align with both the realities of Nigeria's digital economy and global best practices.
Key takeaways:
- Individuals are no longer invisible actors in the data chain—they are expected to exercise care and accountability, even in personal settings.
- Organizations must internalize data protection as an ongoing, strategic function, not just a legal formality.
- Risk-based categorization ensures smarter oversight, where entities that handle more sensitive or impactful data are held to higher standards.
In an age where data breaches, misinformation, and surveillance risks abound, these measures are not merely bureaucratic. They are about building trust, securing digital rights, and ensuring that Nigeria's data protection architecture is resilient enough to support innovation without compromising fundamental freedoms. Compliance is no longer optional. It is the foundation of digital legitimacy.
Footnotes
1. GAID, art. 6(2).
2. Unreported: FHC/ABJ/CS/195/2024.
3. GAID, art. 9(2).
4. Ibid.
5. GAID, art. 9(3).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.