Nigeria’s Nigeria Data Protection Act GAID – Ambitious Goals and Questionable Execution

Is Nigeria’s latest data protection directive a genuine step toward compliance, or just another bureaucratic burden? The Nigeria Data Protection Act (NDP Act) 2023 marked a significant step toward strengthening data privacy rights in Nigeria. In line with this, the Nigeria Data Protection Commission (NDPC) recently released the General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025), aiming to provide clarity on the Act’s implementation. However, while the GAID introduces useful guidance, it raises concerns regarding its alignment with international best practices, potential revenue-driven motives, and practical challenges for organisations seeking compliance.

The GAID attempts to cover a wide range of regulatory aspects, including data processing principles, data subject rights, cross-border data transfers, and obligations of data controllers and processors. While it elaborates on provisions of the NDP Act and provides templates for compliance (e.g., audit returns, DPO assessments, and cross-border transfer procedures), its structure and approach raise critical concerns. I do not intend to analyze every detail or attempt the herculean task of summarizing the whole document; I only intend to point out the important issues that need to be addressed.

Key Issues with the GAID

The implementation of the GAID has introduced significant concerns that go beyond its stated goal of enhancing data protection in Nigeria. Businesses, especially those processing large volumes of data, are now faced with increased financial burdens, unclear regulatory expectations, and heightened administrative demands. The directive, instead of clarifying ambiguities in the NDP Act, has deepened confusion, particularly regarding cross-border data transfers. Moreover, the drastic increase in audit filing fees raises suspicions that financial motives may be prioritized over fostering a robust data protection ecosystem.

This section explores key challenges stemming from the GAID’s provisions, highlighting areas where regulatory clarity is lacking and where compliance may become impractical or disproportionately costly for organizations.

Misalignment with International Standards

Although the GAID references international best practices (Article 42), certain aspects deviate from established global norms, particularly when compared to the EU’s General Data Protection Regulation (GDPR):

  • Defining “Major Importance”: Article 8 primarily categorizes Data Controllers and Processors of Major Importance (DCP-MI) based on the number of data subjects processed. However, global best practices emphasize the sensitivity and potential risk of data rather than sheer volume. A hospital processing sensitive health data of 50 individuals presents a higher risk than a company handling basic contact information for thousands. The GAID’s volume-based approach risks overlooking high-risk processing activities.
  • Vague Compliance Requirements: Many compliance obligations are broadly defined, lacking practical implementation guidance. For example, Article 10(3) mandates privacy audit controls “in line with global best practices,” yet it does not specify measurable benchmarks. Similarly, requiring systems to “make data requests and access seamless” (Article 7(s)) is aspirational but offers no concrete direction.

Revenue Generation Over Genuine Compliance?

The GAID’s fee structures and administrative obligations raise concerns that financial motives may be prioritized over fostering effective data protection:

  • Increased Audit Filing Fees: A significant hike in mandatory audit filing fees (Schedule 10) raises serious concerns about affordability and fairness. Previously, UHL entities filed for NGN 20,000, but now, fees have drastically increased to NGN 1,000,000 for large data processors. The assumption that data volume equates to revenue is flawed—many organizations process vast amounts of data without generating the income necessary to meet these exorbitant fees. This could lead to non-compliance, financial strain, or forced prioritization of filing fees over operational sustainability.
  • Excessive Emphasis on Registration and Filing: The directive places heavy focus on registering DCP-MIs (Article 9) and filing Compliance Audit Returns (CAR) (Article 10), with penalties attached. This administrative focus suggests an emphasis on procedural compliance rather than substantive data protection.

“Rather than fostering compliance, the NDPC appears more focused on monetizing data protection.”

Compliance as an Unclear and Onerous Concept

The GAID, despite its intent to provide clarity, leaves several ambiguities that complicate compliance efforts:

  • Lack of Specificity: Many compliance mandates are described in broad terms without clear implementation guidance. Without sector-specific frameworks, businesses are left to interpret their obligations independently, increasing the risk of inconsistent compliance.
  • Overemphasis on Documentation: The GAID mandates extensive documentation (e.g., semi-audit reports, DPIAs, etc.). While documentation is critical, an excessive focus without clarity on qualitative expectations could lead to a “checklist” approach rather than fostering substantive compliance.
  • Subjectivity in Defining “Major Importance”: While Article 8 lists factors like “value or significance,” the ultimate designation of a DCP-MI appears discretionary. This lack of objective criteria creates uncertainty for organizations and opens the door to arbitrary regulatory decisions.

Cross-Border Data Transfers: A Missed Opportunity

The GAID provides little practical guidance on cross-border data transfers, despite their significance in a globalized digital economy. The directive has failed to clarify the position on cross-border transfers, leaving the situation as confusing as it was under the NDPA, if not more so. Many had anticipated that the GAID would provide much-needed clarity, but instead it has led them further into uncertainty, akin to being trapped in a dark tunnel where PHCN holds the only light at the end: a hopeless position.

Specifically, the GAID falls short in several key areas:

  • Absence of Concrete Mechanisms: The lack of explicit provisions outlining lawful procedures for cross-border data transfers creates a significant cloud of uncertainty for organizations that depend on the seamless flow of data across international borders.
  • Lack of Standard Tools: Unlike many other jurisdictions that have established Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), Nigeria’s data protection framework does not offer clear, standardised mechanisms for businesses to structure their international data transfers in a legally sound manner. This deficiency severely limits the compliance options available to organizations.
  • Regulatory Inconsistencies: Businesses striving to comply with the regulations find themselves relying on limited derogations, yet the application and enforcement of these exceptions remain inconsistent. Furthermore, attempts to seek clarification from regulatory bodies have often been met with vague or unhelpful responses, rather than the substantive guidance that is desperately needed.
  • Ambiguous Treatment of Multinational Operations and Cloud Services: The GAID fails to adequately address the complexities faced by multinational companies that often process data through centralized systems located in a single data center, regardless of geographical boundaries. Moreover, the legal standing of utilizing foreign-based cloud storage systems for data processing remains unclear, raising significant concerns about legal certainty for businesses that rely on such infrastructure.

“Nigeria has essentially enabled non-compliance by failing to establish a structured transfer mechanism.”

DPIA Expansion: A Burden on Small Businesses?

The GAID significantly broadens the requirement for Data Protection Impact Assessments (DPIAs). By expanding the triggers for DPIAs to include broad categories like “e-commerce” and “healthcare,” the directive imposes burdens on small businesses, such as Instagram vendors and small pharmacies, that may not have the resources for extensive assessments. This expansion raises concerns about unnecessary regulatory hurdles that could stifle small-scale digital enterprises, forcing them to navigate complex compliance obligations typically designed for larger corporations. The cost and administrative demands of conducting DPIAs may lead to reduced digital participation and discourage entrepreneurship, ultimately hindering economic growth and innovation in Nigeria’s emerging tech-driven economy.

Unequal Enforcement: Public Sector Compliance Overlooked?

Although Article 3 of the GAID seeks to replace the NDPR and its implementation framework, it fails to address the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020. This omission raises a critical question: Are only private sector organizations being targeted for compliance? Without clear directives on how public institutions will adhere to data protection standards, there is a risk of selective enforcement, undermining trust in the regulatory process.

Operationalizing the SNAG Introduced by the GAID: How?

The introduction of the Data Subject’s Standard Notice to Address Grievance (SNAG) under Article 40 raises operational concerns. While it provides a structured means for individuals to address privacy violations, its effectiveness depends on its implementation. Key questions arise: How will compliance be enforced? Will there be timelines for responding to SNAGs? How will the NDPC handle situations where organizations repeatedly ignore SNAGs? Under the GDPR and UK Data Protection Act, similar mechanisms exist, such as the right to lodge complaints with supervisory authorities (Article 77 GDPR, Section 165 UK DPA) and the obligation of data controllers to respond to data subject rights requests (Article 12 GDPR, Section 45 UK DPA). However, these are supported by clear enforcement actions and redress options, ensuring that violations are met with appropriate remedies and regulatory oversight. Without such measures, SNAG risks being an ineffective tool rather than a meaningful compliance mechanism.

Problematic Articles and Additional Compliance Concerns in the GAID

  • Article 7(l) on Cookie Notices: The directive mandates specific cookie banner placements (“obstructing the middle, left, or right side of the home page”), a rigid and intrusive requirement that deviates from more flexible international standards.
  • Article 6 on Individual Data Processing: While encouraging responsible data handling, the broad definitions of risky conduct (e.g., “lack of duty of care in handling any device storing personal data”) may create confusion and potential overreach.
  • Interplay with Sectoral Regulations (Article 4): The GAID promotes cooperation on sectoral guidelines, but without harmonization, this could lead to regulatory fragmentation across industries.
  • Benchmarking with Interoperable Data Privacy Measures (Article 35): The bureaucratic approval process, long approval timelines, and vague definitions could hinder innovation and increase compliance burdens, especially for smaller tech companies.
  • Exercise of Data Subject Rights (Articles 36-39): Implementing rectification, portability, and erasure rights requires significant technical and operational adjustments. The lack of clear enforcement mechanisms, the complexity of data portability, and potential disruptions due to temporary orders from the Commission raise compliance risks for businesses.

Conclusion

The GAID 2025 represents an important step in implementing Nigeria’s data protection framework. However, its focus on numerical thresholds for “major importance,” increased filing fees, and broad compliance mandates suggests a framework that leans towards procedural formalities rather than substantive data protection.

“Without practical refinement, the GAID risks becoming a compliance nightmare rather than a safeguard for data privacy.”

To ensure an effective and sustainable data protection regime, the NDPC should refine its approach, focusing on proportionality, clarity, and global best practices. Only then can Nigeria truly establish a data protection framework that supports both regulatory oversight and digital innovation.

Disclaimer: The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of the publishing organization or the author’s employer. This article is for informational and discussion purposes only and should not be construed as an official statement or endorsement by either entity.
