Compliance Guide

NDPA and GAID: What Every Nigerian Organization Must Know

cmdev

NDPA 2023: what changed

Nigeria spent five years operating under the Nigeria Data Protection Regulation (NDPR), a subsidiary instrument issued by NITDA in 2019. The NDPR was never legislation. It was a regulation issued under the NITDA Act, and its legal standing was challenged repeatedly. Organizations treated it accordingly — as guidance, not law.

That ended on June 12, 2023, when President Bola Tinubu signed the Nigeria Data Protection Act (NDPA) into law. The NDPA is primary legislation. It takes precedence over the NDPR, which survives only to the extent it is consistent with the Act, and it establishes data protection as a statutory right for every person in Nigeria.

The NDPA does three things the NDPR could not:

Creates an independent regulator. The Nigeria Data Protection Commission (NDPC) replaces NITDA as the enforcement body. NDPC operates independently with its own funding, rulemaking authority, and enforcement powers. This matters because NITDA was a technology agency tasked with data protection as a side function. NDPC exists for one purpose.

Establishes lawful basis for processing. Organizations must identify and document a lawful basis before processing personal data. The NDPA recognizes six bases: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests. "We have always collected this data" is not a lawful basis.

Codifies data subject rights. Nigerian residents have the right to access their personal data, request correction, demand deletion, object to processing, and receive their data in a portable format. These rights are enforceable. Data subjects can complain directly to NDPC, and NDPC can investigate.

The NDPA also introduces Data Protection Impact Assessments (DPIAs) for high-risk processing, mandatory Data Protection Officer (DPO) appointments for qualifying organizations, and a framework for cross-border data transfers. But the Act itself is a framework. The operational details — the how, the when, the thresholds — were left to the regulator.

GAID: the implementation framework

The General Application and Implementation Directive (GAID), issued by NDPC and effective September 19, 2025, fills in those operational gaps.

Where the NDPA requires breach notification to the Commission within 72 hours, GAID prescribes the form, content and channel of that notification. Where the NDPA says DPIAs are required for high-risk processing, GAID defines what high-risk means and how assessments must be conducted. Where the NDPA creates registration obligations for data controllers and processors of major importance, GAID establishes the registration process, timelines, and fees.

GAID is structured around five operational pillars:

  1. Breach notification — procedure and prescribed content for the 72-hour report to NDPC, including the information a notification must contain.
  2. Data protection audits — Annual or biennial audit obligations depending on organizational size and processing volume, conducted by licensed auditors.
  3. DPIA framework — Mandatory assessments before processing that involves profiling, large-scale processing of sensitive data, systematic monitoring of public areas, or automated decision-making with legal effects.
  4. Registration — Data controllers and processors of major importance, as designated by NDPC, must register with NDPC, providing details of processing activities, data categories, transfer mechanisms, and DPO contact information.
  5. Record-keeping — Organizations must maintain records of processing activities, consent records, DPIA reports, breach logs, and audit reports. NDPC can request these at any time.

Think of the NDPA as the constitution and GAID as the operating manual. You need both.

Who must comply

Every organization that processes personal data of individuals in Nigeria. There is no revenue threshold. There is no employee count minimum. There is no small business exemption.

This includes:

  • Banks and fintechs processing customer KYC data, transaction records, and credit assessments
  • Telecoms holding subscriber data, call records, and location data
  • Hospitals and clinics maintaining patient records and health data (classified as sensitive personal data under NDPA)
  • Schools and universities processing student records, staff data, and parent information
  • Government agencies at federal and state levels processing citizen data
  • E-commerce platforms collecting customer profiles, purchase histories, and payment data
  • International companies with no Nigerian office but processing data of Nigerian residents — if you serve Nigerian customers, you are in scope

The NDPA applies based on the location of the data subject as well as the location of the organization. A company headquartered in London that processes personal data of Nigerian residents through its app is subject to the NDPA and GAID even with no Nigerian presence. The Act's scope provision makes this jurisdictional reach explicit, and NDPC has restated it.

Organizations that process data of fewer than 2,000 data subjects within a 12-month period have reduced compliance obligations under certain GAID provisions, but they are not exempt. They still need a lawful basis, must respect data subject rights, and are subject to breach notification requirements.

The 72-hour breach notification rule

This is GAID's most immediately consequential provision, and the one most organizations are unprepared for.

When an organization discovers a personal data breach — a security failure leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data — it must notify NDPC within 72 hours of becoming aware of the breach. The clock does not start when the breach occurs. It starts the moment the organization knows about it, which is why breaches discovered weeks after the intrusion still carry a 72-hour reporting deadline measured from discovery.

The notification must include:

  • Nature of the breach — what happened, how it was discovered, the attack vector if known
  • Categories of personal data affected — names, financial data, health records, biometric data, etc.
  • Estimated number of affected data subjects — with updates as the investigation progresses
  • Likely consequences — what harm could result from the breach
  • Measures taken — containment actions, remediation steps, whether affected individuals have been notified
  • DPO contact details — the person NDPC can contact for follow-up

If the breach is likely to result in high risk to the rights and freedoms of data subjects, the organization must also notify the affected individuals directly without undue delay.

Failure to notify within 72 hours is a separate offense. An organization can face penalties for both the underlying security failure and the failure to report it. This changes the calculus for organizations that have historically preferred to handle breaches quietly.

The practical problem: Most Nigerian organizations cannot detect a breach within 72 hours, let alone report it. The average dwell time — the period between initial compromise and detection — across the African continent exceeds 150 days. Organizations need detection capabilities before notification procedures matter.

DPO requirements

The NDPA requires certain organizations to appoint a Data Protection Officer (DPO). GAID clarifies who, what qualifications are needed, and how the role must operate.

When a DPO is required:

  • Public authorities and government bodies (always)
  • Organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale
  • Organizations whose core activities involve large-scale processing of sensitive personal data (health, biometric, genetic, financial, criminal records)
  • Organizations that process data of more than a threshold number of data subjects as specified by NDPC registration categories

Qualifications:

The DPO must have demonstrable knowledge of data protection law and practice. NDPC recognizes certifications from accredited training providers. The DPO does not need to be a lawyer, but they must understand both the legal framework and the technical realities of data processing within their organization.

Independence requirements:

This is where most organizations fail. The DPO must:

  • Report directly to the highest level of management (board or CEO level)
  • Not receive instructions on how to perform their tasks — they exercise independent judgment
  • Not be dismissed or penalized for performing their duties
  • Not hold a position that creates a conflict of interest (the CTO, CIO, or head of IT cannot also serve as DPO)

The DPO is not an advocate for the organization. They are an internal watchdog with a direct line to the regulator. Organizations that appoint a DPO in name only — assigning the title to an existing IT manager with no independence, no budget, and no authority — are not compliant.

Cross-border data transfers

The NDPA restricts the transfer of personal data outside Nigeria unless specific conditions are met. For organizations using cloud infrastructure hosted outside the country, international SaaS platforms, or centralized data processing in foreign headquarters, this section is directly relevant.

Permitted transfer mechanisms:

  1. Adequacy decision — NDPC certifies that the destination country provides an adequate level of data protection. As of January 2026, NDPC has not issued adequacy decisions for any country. Not the EU. Not the US. Not the UK. This mechanism is currently unavailable.

  2. Standard contractual clauses (SCCs) — Approved contractual terms between the data exporter in Nigeria and the data importer abroad. NDPC has published template clauses. Organizations must execute these before transferring data and must be able to produce them on request.

  3. Binding corporate rules (BCRs) — For multinational organizations transferring data between group entities. BCRs must be approved by NDPC.

  4. Explicit consent — The data subject gives specific, informed consent to the transfer after being told about the risks of transferring data to a country without adequate protection. This is a fallback, not a primary mechanism. Regulators globally view consent-based transfers with skepticism when other mechanisms are available.

  5. Contractual necessity — The transfer is necessary for the performance of a contract with the data subject. Narrow in scope — it covers the specific transaction, not ongoing data processing.

The practical reality: Most Nigerian organizations transfer personal data internationally — to AWS, Google Cloud, Microsoft Azure, Salesforce, HubSpot, Stripe, or a hundred other platforms with no Nigerian data centers. Every one of these transfers needs a lawful mechanism. SCCs are currently the most viable option, and most organizations have not executed them.

Penalties and enforcement reality

The NDPA authorizes NDPC to impose fines of up to 2% of annual gross revenue or NGN 10 million, whichever is higher, on data controllers and processors of major importance; for other organizations the floor is NGN 2 million, again measured against 2% of annual gross revenue. For major organizations — banks, telecoms, large fintechs — the revenue-based calculation produces significant numbers.

Beyond fines, NDPC can:

  • Order organizations to stop processing data
  • Require specific remedial actions within defined timelines
  • Publish enforcement decisions (reputational damage)
  • Refer criminal violations to law enforcement

Current enforcement posture: NDPC issued its first enforcement actions in late 2025 and early 2026, primarily against organizations that failed to register or that ignored data subject access requests. These early cases establish precedent but have targeted relatively straightforward violations. The penalties have been modest — signaling intent rather than maximum force.

Where enforcement is heading: NDPC has stated publicly that proactive audits will begin in mid-2026. The commission is building its enforcement capacity — hiring investigators, training auditors, and establishing relationships with sector regulators like CBN, NCC, and NAICOM. The complaint-driven model of 2025 will shift toward systematic compliance monitoring.

What organizations should do now:

  1. Conduct a data mapping exercise. You cannot protect or govern data you have not inventoried. Identify every personal data processing activity — what data, from whom, for what purpose, stored where, shared with whom, retained for how long.

  2. Document your lawful basis. For every processing activity, record which of the six lawful bases applies and why. If the answer is "we have not thought about it," that is the gap.

  3. Appoint a DPO. If you meet the thresholds, this is mandatory. If you are close to the thresholds, appoint one anyway. The cost of a competent DPO is a fraction of the cost of a regulatory investigation.

  4. Execute SCCs for international transfers. If you use any cloud service or SaaS platform that stores or processes personal data outside Nigeria, you need contractual coverage.

  5. Build a breach response procedure. Not a document on a shelf. A tested procedure with assigned roles, communication templates, NDPC notification forms pre-drafted, and a decision tree for determining whether individual notification is required. Run a tabletop exercise.

  6. Register with NDPC. If you fall within NDPC's designation of a data controller or processor of major importance, registration is mandatory and the process is live. Failure to register is one of the easiest violations for NDPC to detect and enforce, because the absence of a registration record is visible to the regulator without any investigation.

The window between GAID taking effect and NDPC conducting proactive audits is closing. Organizations that use this period to build genuine compliance programs will be in a defensible position. Organizations that wait for enforcement to reach them will not.


Sources: Nigeria Data Protection Act 2023, NDPC General Application and Implementation Directive 2025, NDPC enforcement notices, NDPC registration guidelines.
