BY SEUN TIMI-KOLEOLU AND EBIKENIYE BEST
Introduction
As businesses in Nigeria increasingly leverage technology, including social media platforms such as LinkedIn, Instagram, and Medium, and Emerging Technologies such as Artificial Intelligence, to expand their customer reach both locally and internationally, such businesses must adhere to the Data Protection provisions applicable in Nigeria.
In view of the foregoing, it is important to note recent updates to the protection of Personal Data in Nigeria. The most recent update is the Nigeria Data Protection Act – General Application and Implementation Directive (the “GAID”) issued on March 20, 2025, by the Nigeria Data Protection Commission (the “Commission”).
In this newsletter, we have set out useful information on the GAID to guide businesses.
1. What is the effect of the GAID on the Nigeria Data Protection Regulation (NDPR), 2019?
With the adoption of the GAID, the NDPR shall no longer regulate data in Nigeria. Data Protection in Nigeria is now regulated by the existing Nigeria Data Protection Act and the GAID.
Please note, however, that any act done under the NDPR prior to the issuance of the GAID remains valid.
2. What are the obligations under the GAID for data controllers and processors?
Under the GAID, data controllers and processors of major importance are required to adhere to certain obligations including:
a. engaging a licensed Data Protection Compliance Organisation (DPCO) to carry out an audit of their business within 15 (fifteen) months of commencing business and subsequently annually before March 31 of each year;
b. filing a compliance audit report not later than March 31 of each year through a DPCO;
c. appointing associate/assistant Data Protection Officers (DPOs) and privacy champions to support the DPO where the data controller or processor interfaces with data subjects on multiple platforms;
d. storing personal data for not more than 6 (six) months after the purpose of processing the data has been achieved. Please note that this would only apply where no existing law has specified a retention period.
3. In what circumstances is explicit consent required under the GAID?
The GAID acknowledges that consent as a lawful basis for processing personal data could be constructive or implied. It, however, states that explicit consent is required for certain activities like – direct marketing, processing children’s data and sensitive personal data, automated decision making and cross-border data transfer.
4. Are there provisions for Emerging Technologies?
Yes, the GAID now provides explicit provisions on Emerging Technologies such as Artificial Intelligence, Blockchain, and the Internet of Things. It requires that any data controller or processor deploying or planning to deploy Emerging Technologies for personal data processing must adhere to the provisions of the NDPA, public policies, the GAID, and any other regulations issued by the Commission.
In addition, a data controller or processor must do the following:
a. develop and implement technical and organizational frameworks for the design of Emerging Technologies tools, ensuring that these frameworks are properly documented and submitted to the Commission; and
b. conduct a Data Privacy Impact Assessment, considering factors such as how the data processing might unfairly affect different groups and the level of risk faced by vulnerable individuals, in order to assess and reduce privacy risks effectively.
5. Are there provisions on Data Ethics under the GAID?
Yes. In auditing data controllers and processors, DPCOs are required to confirm if data controllers and processors apply global best practices on Data Ethics when handling personal data. The DPCO must ensure that data controllers and processors possess: (i) organizational policy on ownership of data; (ii) demonstrable transparency and accountability; (iii) fairness of intention; and (iv) respect for data subjects’ rights to control the use of their personal data.
6. What are the requirements for Cross-Border Data Transfer?
Under the GAID, a data controller or processor must obtain approval from the Commission before transferring personal data outside Nigeria. The Commission will grant approval based on an adequacy decision, which considers whether the receiving country has enforceable data subject rights; a robust data protection law; and a competent supervisory authority with sufficient enforcement powers.
In the absence of an adequacy decision, the data controller or processor will be required to prepare and submit a Cross-Border Data Transfer Instrument (the “Instrument”) for approval by the Commission. This Instrument may be in the form of (i) code of conduct; (ii) certification, (iii) binding corporate rules; or (iv) standard contractual clauses.
7. Are data subject’s rights provided for under the GAID?
The GAID reinforces data subjects’ rights, including the right of access, the right to rectification, the right to data portability, the right to be forgotten, the right to lodge a complaint, and the right to object. Businesses are required to create transparent and easy-to-use processes to respond to these rights promptly.
8. What is the procedure for lodging complaints under the GAID?
The GAID now allows data subjects who believe that their right to privacy has been violated to seek redress directly from data controllers by sending a document titled “Standard Notice to Address Grievance” to the relevant data controller or processor. A format of this document has been provided in the GAID. This action is to be taken without prior notification to the Commission.
9. When will the GAID come into effect?
The Commission noted that for ease of doing business, the GAID shall take effect 6 (six) months from the date of publication, that is, September 2025.
Conclusion
To ensure compliance with Nigeria’s evolving data protection landscape, organizations should carefully review the key updates introduced by the GAID. To align with applicable data protection laws, organisations should engage the services of licensed DPCOs.