GAID 2025 and the Future of Digital Trust in Nigeria
The Nigerian digital ecosystem, previously marked by varied data governance practices, is now undergoing a transformative shift. There is no gainsaying that the Nigeria Data Protection Act 2023 (NDPA), a landmark legislative achievement, laid the foundation for a comprehensive data protection framework. However, the subsequent promulgation of the General Application and Implementation Directive (GAID) 2025 by the Nigeria Data Protection Commission (NDPC) represents a critical step in implementing the NDPA, providing detailed guidance and addressing the practical challenges of implementation. This article delves into the intricacies of the GAID 2025, offering a detailed analysis of its key provisions and their implications for stakeholders operating within the Nigerian legal framework.
The GAID 2025, far from being a mere repetition of the NDPA, is focused on the practicalities of implementation, addressing ambiguities and providing prescriptive guidance on various aspects of data protection. This directive, issued by the NDPC, seeks to foster a strong data protection ecosystem, ensuring compliance and building public trust. It is worth noting that the GAID 2025 is set to take effect six months from the date of publication, that is, September 2025. However, actions taken under the NDPR prior to the coming into operation of the GAID 2025 will not be invalidated.
Now, let us consider some of the key changes introduced by the GAID 2025.
Key Changes and Implications
- Global Reach and Foundational Rights: The GAID 2025 begins by establishing a fundamental principle – before any decision affecting personal data in Nigeria is made, organisations must carefully assess the "material scope" and "territorial scope" of the NDPA. This is not merely a suggestion, but a constitutional obligation, ensuring that data protection is treated as a foundational right. This proactive approach mandates that organisations understand the full implications of the NDPA before processing any personal information, elevating data privacy from an afterthought to a core operational consideration.
Furthermore, the directive extends the NDPA’s reach beyond Nigeria’s territory. It mandates that even foreign entities processing the personal data of Nigerian residents or targeting them for data collection must comply with the NDPA. This acknowledges the global nature of data flows and protects Nigerians from privacy violations by international actors. To reinforce the universality of data privacy, the GAID 2025 affirms that everyone, regardless of location, possesses fundamental rights to privacy as enshrined by Section 37 of the 1999 Constitution of the Federal Republic of Nigeria. This principle aligns Nigerian law with international human rights standards, emphasizing that privacy is not a privilege, but an inherent right.
- Establishing Legal Hierarchy and Clarity: The GAID 2025 aims to establish a clear and unambiguous legal framework for data protection in Nigeria by addressing potential conflicts between existing regulations. To ensure certainty, harmony, and effectiveness in the regulation of fundamental privacy rights, data sovereignty, national and international data flows, and treaty obligations, the directive mandates strict adherence to Section 63 of the NDPA. This section explicitly states that in any instance where another law or enactment contradicts the provisions of the NDPA, the NDPA will take precedence. This provision is crucial for preventing potential confusion and ensuring a unified approach to data protection across all sectors and activities.
Additionally, the directive clarifies the relationship between the NDPA and the GAID itself. It explicitly states that in the event of any conflict between the two, the NDPA will prevail. This reinforces that the GAID serves as an implementation directive, providing practical guidance for the NDPA, rather than an independent legal framework. Finally, to streamline Nigeria’s data privacy landscape, the directive mandates the immediate cessation of the Nigeria Data Protection Regulation (NDPR) 2019 as a legal instrument upon the GAID's issuance. This transition, in accordance with Section 64 of the NDPA, ensures a seamless shift to the new framework, while preserving the validity of actions taken under the NDPR before the GAID's effective date. This move also eliminates potential confusion and establishes a clear, singular regulatory path for data protection in Nigeria.
- Individual Responsibility in Personal Data Handling: The GAID 2025 addresses the often-overlooked area of individual responsibility in data processing, particularly when done for personal or household purposes. While Section 3(1) of the NDPA generally exempts individuals engaged in such activities, the GAID 2025 emphasizes that this exemption does not absolve individuals from respecting the privacy of data subjects under the guise of personal use. In other words, individuals are held accountable for actions that could violate another person's privacy. This provision acknowledges that privacy risks can arise even from innocuous personal activities, and it seeks to cultivate a culture of responsible data handling at the individual level regardless of the purpose for processing.
- Comprehensive Compliance Obligations for Data Controllers and Processors: Article 7 of the GAID outlines a comprehensive set of compliance measures that data controllers and processors must implement to adhere to the NDPA. These measures are designed to ensure accountability, transparency, and the protection of data subject rights. Firstly, organisations may be required to register with the Commission as a "data controller or data processor of major importance," as determined by the NDPC. They must also conduct annual NDPA compliance audits, with those designated as "major importance" filing Compliance Audit Returns (CAR) with the Commission by March 31st each year. Furthermore, organisations must identify their obligations under the NDPA and prepare compliance schedules, as well as generate semi-annual data protection reports detailing their data processing activities.
To maintain data security, organisations must establish policies and procedures for monitoring, evaluating, and maintaining their data security systems to ensure data confidentiality, integrity, and availability. They are also required to conduct organisation-wide training and sensitization programs to cultivate a culture of compliance. If designated as a "data controller or data processor of major importance," they must appoint a Data Protection Officer (DPO), and potentially Associate DPOs or Privacy professionals to manage data processing across multiple platforms. Organisations are also required to develop or review their privacy policies, ensuring they align with the NDPA, and publish these policies on their platforms to inform data subjects.
- Defining and Categorizing Major Data Controllers and Processors: Article 8 of the GAID establishes the criteria for designating "data controllers or data processors of major importance" (DCPMI), a classification that invites heightened compliance obligations under the NDPA. Pursuant to Section 65 of the NDPA, the directive defines DCPMI as entities domiciled, resident, or operating in Nigeria that process or intend to process the personal data of a substantial number of Nigerian data subjects, as prescribed by the NDPC. This classification also extends to data controllers or data processors processing highly sensitive personal data that have an impact on Nigeria's economy, society, or security, as determined by the Commission.
The GAID further clarifies that "operating in Nigeria" includes targeting Nigerian data subjects, regardless of the entity's physical presence in the country. This provision, in line with Sections 2(2)(a), 24(3), and 44 of the NDPA, ensures that entities whose processing activities significantly affect Nigerians are held accountable, even if they are based abroad.
- Cross-Border Data Transfers: Article 45 of GAID 2025, in line with Schedule 5 of the GAID, sets the legal framework for cross-border data transfers, prioritizing NDPA's Part VIII. Schedule 5 details permissible grounds, including adequacy decisions and Commission-approved Cross-Border Data Transfer Instruments (CBDTI). Adequacy assessments consider factors like enforceable data subject rights, judicial redress, and robust regulatory oversight. When adequacy is absent, CBDTIs, such as Binding Corporate Rules or Standard Contractual Clauses, are utilized to ensure data flow monitoring and accountability.
- Integrating Ethics and Technology in Data Handling: The GAID 2025 also introduces a new focus on proactive data ethics, as outlined in Article 41, demanding that organisations prioritize the dignity of individuals in personal data handling. It acknowledges that transparency and fairness form the bedrock of ethical data handling and underscores the commitment to impartiality and equity. Articles 43 and 44 address the complex risks associated with emerging technologies, mandating comprehensive Data Protection Impact Assessments (DPIAs) that include disparate outcome analysis and stringent testing procedures. The framework's emphasis on ethical conduct and responsible technology deployment signifies a forward-thinking approach, acknowledging the ethical complexities of modern data processing and the potential risks of emerging technologies.
Conclusion
The GAID 2025 represents a critical advancement in Nigeria's digital landscape, transcending prior regulations to establish a secure and reliable data privacy ecosystem. By clarifying compliance obligations and addressing the ethical implications of emerging technologies, it signals a proactive approach to data governance that aligns with global best practices. It also promotes a culture of shared data responsibility, enhancing regulatory oversight to balance innovation with rights protection. Ultimately, the GAID 2025's successful implementation will shape Nigeria's ability to navigate the digital age, harmonising innovation, trust, and individual rights. To support stakeholders in understanding and navigating this evolving compliance landscape, Forvis Mazars is committed to assisting organisations with the development of robust compliance frameworks that adapt to the new digital landscape.
Authors
Desiree Erugor, Manager, Legal Service & Irene Chukwukelu, Senior, Legal Service