GAID 2025: A Summary of Nigeria’s New Data Protection Directive

  • Barbara Mettle-Olympio
    September 1, 2025
Nigeria has taken a significant step toward strengthening digital rights and accountability with the General Application and Implementation Directive (GAID) 2025, which comes into force on September 19 this year. The directive outlines the detailed framework for implementing the Nigeria Data Protection Act (NDPA) 2023 across both the public and private sectors.

For many businesses, the principles of data protection and privacy are already familiar. The challenge, however, has often been translating those principles into consistent practice. GAID 2025 aims to close that gap by providing clearer guidance, establishing practical obligations, and expanding the scope of accountability. It represents not only a regulatory requirement but also an opportunity for businesses to demonstrate transparency and strengthen trust with customers.

In this article, we’ll outline the directive’s key features while exploring the implications for organisations operating in or targeting Nigeria. We’ll also provide a practical checklist of steps companies can take to prepare.

Note: This article is for general information only and does not constitute legal advice. For guidance tailored to your operations, please consult qualified legal counsel.

Summary of GAID 2025 Key Features

The NDPA 2023 established the principles of data protection in Nigeria. GAID 2025 (the directive) builds on this by providing detailed rules for compliance and enforcement.
Alongside detailed guidance on how to comply with the NDPA, its key features are as follows:

  • Replaces the older Nigeria Data Protection Regulation (NDPR) 2019
The NDPR 2019 will be repealed in its entirety. Going forward, all organisations must comply with the NDPA 2023 as implemented through GAID 2025. Businesses that previously relied on NDPR compliance should review and update their data protection frameworks to meet the new requirements.

  • New Obligations for Companies and Individuals
GAID makes it clear that even when individuals handle personal data for personal or household reasons, they must still follow basic data protection principles. This shift also has direct implications for businesses. By placing obligations on individuals, the directive raises public awareness of privacy rights, which in turn means organisations can expect closer scrutiny of how they collect, process, and safeguard personal data. This heightens both compliance risks and reputational risks, reinforcing the need to adopt transparent and responsible data management practices.

  • Expanded Reach to Foreign Businesses and Nigerians Abroad
Foreign organisations that intentionally target Nigerians are now directly within scope, regardless of whether they maintain a physical presence in the country. Importantly, the directive also confirms that Nigerian citizens living abroad continue to be recognised as data subjects under the NDPA. This means that businesses collecting, monitoring, or otherwise processing the personal data of Nigerians, whether at home or overseas, must comply with NDPA/GAID requirements. In practice, international companies offering services directed at Nigerians will be expected to meet the same compliance standards as domestic organisations.

  • Mandatory Data Protection Officers (DPOs) and Impact Assessments (DPIAs)
Every organisation that processes personal data must designate a DPO, either internally or through an outsourced service, to oversee compliance with the NDPA and serve as a point of contact with the Nigeria Data Protection Commission (NDPC). In addition, organisations engaged in high-risk activities, such as large-scale collection or the processing of sensitive categories of data, are required to conduct DPIAs to identify, assess, and mitigate potential risks to data subjects. GAID makes clear that smaller organisations are not exempt. SMEs are expected to plan, allocate resources, and ensure they have the necessary structures in place to demonstrate compliance when called upon by the regulator.

  • Easier Complaint Mechanisms for Citizens (SNAG)
A key feature of GAID is the introduction of the Standard Notice to Address Grievance (SNAG), a tool designed to allow individuals to report concerns or request remedies without needing legal expertise. With SNAG, data subjects can submit complaints directly to organisations in a structured format, and if issues remain unresolved, escalate them to the Nigeria Data Protection Commission (NDPC). This change lowers barriers for citizens, making it easier to hold organisations accountable. For businesses, it creates a higher likelihood of receiving formal complaints and the need to respond effectively.

The Risk of Non-Compliance

A common question is whether GAID 2025 will be enforced consistently. Historically, enforcement of Nigerian laws, including the earlier NDPR 2019, was uneven, with compliance often deprioritised outside large corporations and multinationals. Awareness among smaller organisations was also limited, and in some cases, entities with resources or influence were perceived to avoid accountability. However, there are growing indications that GAID 2025 marks a shift and should be treated with greater seriousness:

  • The establishment of the Nigeria Data Protection Commission (NDPC) provides a dedicated regulatory body with clearer authority and capacity to oversee compliance. Unlike in the past, the NDPC is expected to take a more structured approach to audits, investigations, and penalties.

  • The NDPC has already shown a willingness to enforce data protection rules. Under the earlier NDPR framework and continuing into the NDPA era, regulators have imposed significant penalties and launched investigations into non-compliance:



Building Trust through Compliance

Businesses should consider the broader context. While enforcement in Nigeria may not initially match the scale or intensity of regions like Europe, compliance is about more than avoiding fines. It is about building trust with customers, protecting brand reputation, and meeting international business expectations. Many multinational companies and financial institutions already require evidence of compliance before partnerships or contracts are signed.


For Africa more broadly, taking data protection seriously is part of strengthening digital economies and ensuring citizens’ rights are respected. If organisations dismiss these laws as optional, it undermines not only consumer confidence but also the continent’s ability to compete globally in a data-driven world.
