Welcome again to another week in our Data Protection and Privacy Knowledge Management Series. We are steadily building our understanding of data protection and privacy, and in this article, we will take a closer look at the General Application and Implementation Directive 2025 (GAID 2025/the Directive). The Directive is a critical instrument issued by the Nigeria Data Protection Commission (NDPC/the Commission), formerly the Nigeria Data Protection Bureau (NDPB), to guide the implementation of the Nigeria Data Protection Act 2023 (NDPA).
While the NDPA establishes the substantive rights and obligations of data subjects, controllers, and processors, the GAID 2025 provides clarity on how these obligations should be interpreted and operationalised. If you think of the NDPA as the law itself, the GAID 2025 is the manual that shows you how to comply in practice.
What is the GAID?
The GAID 2025 provides guidelines, clarifications, and practical steps to help organisations comply with the NDPA. It is binding in nature, which means that organisations cannot treat it as optional. It is not unusual for data protection authorities to issue such guidance. For example, the European Data Protection Board (EDPB) issues guidelines and recommendations to interpret the EU GDPR. In South Africa, the Information Regulator issues practice notes under the Protection of Personal Information Act (POPIA). In the United Kingdom, the Information Commissioner’s Office publishes guidelines and directives to guide compliance with the UK GDPR. The GAID 2025 performs a similar function in Nigeria by addressing grey areas and aligning local practice with international standards.
Key Areas Covered by the GAID
1. Clarification of Key Terms
The GAID 2025 defines and clarifies concepts introduced in the NDPA. For example, it provides a detailed clarification of data protection concepts such as:
– Consent: the GAID 2025 specifies circumstances where consent is valid, including for direct marketing, processing of sensitive data, and processing children’s data.
– Classification of Data Controllers and Processors of Major Importance (DCPMIs): the GAID 2025 specifies the criteria for classifying DCPMIs and their compliance obligations.
2. Lawful Basis of Personal Data Processing
The GAID 2025 builds on section 25 of the NDPA by giving examples of when each legal basis can be relied upon. For instance, it states that:
– Consent is required for direct marketing or when processing sensitive data.
– Contractual necessity should not be used unless the processing is objectively required to perform the contract.
– Vital interest should be interpreted narrowly, limited to life and death or urgent health emergencies.
This guidance is crucial for avoiding misuse of any stated legal basis and ensuring that controllers choose the most appropriate ground.
3. Special Categories of Personal Data
The GAID 2025 confirms that sensitive personal data in Nigeria can only be processed based on the consent of the data subject. This differs from the EU GDPR, which provides multiple grounds for processing sensitive data under Article 9.
4. Data Protection Impact Assessments (DPIAs)
The GAID 2025 outlines when DPIAs are mandatory, such as:
– introduction of new technologies,
– large-scale processing of sensitive personal data,
– processing that involves profiling or automated decision-making with legal or significant effects,
– systematic monitoring of publicly accessible areas.
This aligns closely with EU GDPR Article 35 but adds Nigeria-specific thresholds. The GAID 2025 also prescribes that DPIAs must be filed with the NDPC in certain high-risk cases, which is not a requirement under the GDPR.
5. Cross-Border Data Transfers
The GAID 2025 introduces a more detailed framework for cross-border transfers, building on section 41 of the NDPA. It specifies:
– conditions for adequacy decisions by the NDPC,
– appropriate safeguards where adequacy does not exist (such as standard contractual clauses), and
– limited derogations for exceptional circumstances.
This provision ensures Nigeria aligns with global expectations while protecting data subjects against unlawful transfer of data outside the country.
6. Accountability and Governance Measures
The GAID 2025 requires data controllers and processors to implement governance structures to demonstrate compliance. These include:
– appointing Data Protection Officers (DPOs) in certain circumstances,
– maintaining records of processing activities,
– conducting regular audits and training, and
– adopting privacy by design and default in system development.
This moves Nigerian organisations towards international best practice and ensures they are proactive rather than reactive in managing compliance.
Key New and Codified Obligations Under GAID 2025
Below is a summary of the new or clarified obligations introduced by GAID 2025, with references to the directive and commentary sources.

Practical Steps for Data Protection Officers
Below is a non-exhaustive list of practical steps for Data Protection Officers (DPOs) to take note of based on the GAID 2025:
– Review your classification (Ultra-High, Extra-High, or Ordinary High Level). Your classification determines how much oversight and reporting you must do.
– Audit your DPAs. Make sure your data processing contracts contain the GAID-mandated clauses. If not, update them quickly.
– Update your privacy assessments, especially Data Protection Impact Assessments (DPIAs), to conform with the standard of the NDPA-GAID. Consider adopting the NDPA-GAID template in Schedule 4.
– Adapt your privacy notices. Ensure they are clear, accessible, and if necessary, available in alternative formats for vulnerable users.
– Prepare for SNAGs. Build internal processes to log, respond to, and resolve complaints under the new SNAG procedure.
– Stay responsive to NDPC notifications. If the Commission reports misuse of your platform, act quickly to restrict access and avoid liability.
– Schedule regular security reviews. GAID requires ongoing monitoring and evaluation of your data security measures.
– Budget for fees and CAR filing. Especially if you fall into UHL or EHL categories, compliance comes with both procedural and financial implications.
Conclusion
The GAID 2025 represents a maturing of Nigeria’s data protection landscape. It brings clarity, harmonisation, and new burdens. For DPOs and compliance teams, the Directive is not optional guidance but a playbook for lawful operations in Nigeria.
In our next article, we will explore how the GAID provisions intersect with cross-border data transfers, a topic that has become particularly important for African tech companies that operate across jurisdictions.
Short Test
- True or False: The NDPR remains valid alongside the GAID and NDPA.
- Which GAID mechanism allows data subjects to lodge complaints directly with controllers?
  a) CAR
  b) SNAG
  c) DPIA
- What classification system does GAID introduce for data controllers and processors, and why does it matter?
- Why must organisations schedule regular security reviews under GAID?
ABOUT NEXA ADVISORY
Nexa Advisory is a boutique legal, compliance, and data protection consultancy bridging the gap between operational growth and regulatory integrity. Nexa exists at the nexus of law, governance, and business.
‘Tife Ekundayo is a lawyer and privacy consultant with multi-jurisdictional experience spanning Africa, Europe, and the United States. She advises businesses and institutions on data protection, privacy compliance, and technology law, with a focus on bridging the gap between global best practices and Africa’s evolving digital landscape. Through Nexa Advisory, ‘Tife helps organisations build practical and scalable regulatory and privacy programmes that foster trust and innovation.
email: info@nexaadvisory.co
instagram: @nexa_advisory