Is Nigeria’s latest data protection directive a genuine step toward compliance, or just another bureaucratic burden? The Nigeria Data Protection Act (NDP Act) 2023 marked a significant step toward strengthening data privacy rights in Nigeria. In line with this, the Nigeria Data Protection Commission (NDPC) recently released the General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025), aiming to provide clarity on the Act’s implementation. However, while the GAID introduces useful guidance, it raises concerns regarding its alignment with international best practices, potential revenue-driven motives, and practical challenges for organisations seeking compliance.

The GAID attempts to cover a wide range of regulatory aspects, including data processing principles, data subject rights, cross-border data transfers, and obligations of data controllers and processors. While it elaborates on provisions of the NDP Act and provides templates for compliance (e.g., audit returns, DPO assessments, and cross-border transfer procedures), its structure and approach raise critical concerns.  I do not intend to go on a course of analyzing the details and the herculean task of summarizing the document; I only intend to point out important issues that need to be addressed.

Key Issues with the GAID

The implementation of the GAID has introduced significant concerns that go beyond its stated goal of enhancing data protection in Nigeria. Businesses, especially those processing large volumes of data, are now faced with increased financial burdens, unclear regulatory expectations, and heightened administrative demands. The directive, instead of clarifying ambiguities in the NDP Act, has deepened confusion, particularly regarding cross-border data transfers. Moreover, the drastic increase in audit filing fees raises suspicions that financial motives may be prioritized over fostering a robust data protection ecosystem.

This section explores key challenges stemming from the GAID’s provisions, highlighting areas where regulatory clarity is lacking and where compliance may become impractical or disproportionately costly for organizations.

Misalignment with International Standards

Although the GAID references international best practices (Article 42), certain aspects deviate from established global norms, particularly when compared to the EU’s General Data Protection Regulation (GDPR):

• Defining “Major Importance”: Article 8 primarily categorizes Data Controllers and Processors of Major Importance (DCP-MI) based on the number of data subjects processed. However, global best practices emphasize the sensitivity and potential risk of data rather than sheer volume. A hospital processing sensitive health data of 50 individuals presents a higher risk than a company handling basic contact information for thousands. The GAID’s volume-based approach risks overlooking high-risk processing activities.
• Vague Compliance Requirements: Many compliance obligations are broadly defined, lacking practical implementation guidance. For example, Article 10(3) mandates privacy audit controls “in line with global best practices,” yet it does not specify measurable benchmarks. Similarly, requiring systems to “make data requests and access seamless” (Article 7(s)) is aspirational but offers no concrete direction.

Revenue Generation Over Genuine Compliance?

The GAID’s fee structures and administrative obligations raise concerns that financial motives may be prioritized over fostering effective data protection:

• Increased Audit Filing Fees: A significant hike in mandatory audit filing fees (Schedule 10) raises serious concerns about affordability and fairness. Previously, UHL entities filed for NGN 20,000, but now, fees have drastically increased to NGN 1,000,000 for large data processors. The assumption that data volume equates to revenue is flawed—many organizations process vast amounts of data without generating the income necessary to meet these exorbitant fees. This could lead to non-compliance, financial strain, or forced prioritization of filing fees over operational sustainability.
• Excessive Emphasis on Registration and Filing: The directive places heavy focus on registering DCP-MIs (Article 9) and filing Compliance Audit Returns (CAR) (Article 10), with penalties attached. This administrative focus suggests an emphasis on procedural compliance rather than substantive data protection.

“Rather than fostering compliance, the NDPC appears more focused on monetizing data protection.”

Compliance as an Unclear and Onerous Concept

The GAID, despite its intent to provide clarity, leaves several ambiguities that complicate compliance efforts:

• Lack of Specificity: Many compliance mandates are described in broad terms without clear implementation guidance. Without sector-specific frameworks, businesses are left to interpret their obligations independently, increasing the risk of inconsistent compliance.
• Overemphasis on Documentation: The GAID mandates extensive documentation (e.g., semi-audit reports, DPIAs, etc.). While documentation is critical, an excessive focus without clarity on qualitative expectations could lead to a “checklist” approach rather than fostering substantive compliance.
• Subjectivity in Defining “Major Importance”: While Article 8 lists factors like “value or significance,” the ultimate designation of a DCP-MI appears discretionary. This lack of objective criteria creates uncertainty for organizations and opens the door to arbitrary regulatory decisions.

Cross-Border Data Transfers: A Missed Opportunity

The GAID provides little practical guidance on cross-border data transfers, despite their significance in a globalized digital economy. The directive has failed to clarify the position on cross-border transfers, leaving the situation as confusing as it was under the NDPA, if not more so. Many had anticipated that the GAID would provide much-needed clarity, but instead, it has led them further into uncertainty, akin to being trapped in a dark tunnel with PHCN holding the only light at the end, hopeless.

Specifically, the GAID falls short in several key areas:

• Absence of Concrete Mechanisms: The lack of explicit provisions outlining lawful procedures for cross-border data transfers creates a significant cloud of uncertainty for organizations that depend on the seamless flow of data across international borders.
• Lack of Standard Tools: Unlike many other jurisdictions that have established Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), Nigeria’s data protection framework does not offer clear, standardised mechanisms for businesses to structure their international data transfers in a legally sound manner. This deficiency severely limits the compliance options available to organizations.
• Regulatory Inconsistencies: Businesses striving to comply with the regulations find themselves relying on limited derogations, yet the application and enforcement of these exceptions remain inconsistent. Furthermore, attempts to seek clarification from regulatory bodies have often been met with vague or unhelpful responses, rather than the substantive guidance that is desperately needed.
• Ambiguous Treatment of Multinational Operations and Cloud Services: The GAID fails to adequately address the complexities faced by multinational companies that often process data through centralized systems located in a single data center, regardless of geographical boundaries. Moreover, the legal standing of utilizing foreign-based cloud storage systems for data processing remains unclear, raising significant concerns about legal certainty for businesses that rely on such infrastructure.

“Nigeria has essentially enabled non-compliance by failing to establish a structured transfer mechanism.”

DPIA Expansion: A Burden on Small Businesses?

The GAID significantly broadens the requirement for Data Protection Impact Assessments (DPIAs). By expanding the triggers for DPIAs to include broad categories like “e-commerce” and “healthcare,” the directive imposes burdens on small businesses, such as Instagram vendors and small pharmacies, that may not have the resources for extensive assessments. This expansion raises concerns about unnecessary regulatory hurdles that could stifle small-scale digital enterprises, forcing them to navigate complex compliance obligations typically designed for larger corporations. The cost and administrative demands of conducting DPIAs may lead to reduced digital participation and discourage entrepreneurship, ultimately hindering economic growth and innovation in Nigeria’s emerging tech-driven economy.

Unequal Enforcement: Public Sector Compliance Overlooked?

Although Article 3 of the GAID seeks to replace the NDPR and its implementation framework, it fails to address the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020. This omission raises a critical question: Are only private sector organizations being targeted for compliance? Without clear directives on how public institutions will adhere to data protection standards, there is a risk of selective enforcement, undermining trust in the regulatory process.

Operationalizing SNAG Introduced the GAID: How?

The introduction of the Data Subject’s Standard Notice to Address Grievance (SNAG) under Article 40 raises operational concerns. While it provides a structured means for individuals to address privacy violations, its effectiveness depends on its implementation. Key questions arise: How will compliance be enforced? Will there be timelines for responding to SNAGs? How will the NDPC handle situations where organizations repeatedly ignore SNAGs? Under the GDPR and UK Data Protection Act, similar mechanisms exist, such as the right to lodge complaints with supervisory authorities (Article 77 GDPR, Section 165 UK DPA) and the obligation of data controllers to respond to data subject rights requests (Article 12 GDPR, Section 45 UK DPA). However, these are supported by clear enforcement actions and redress options, ensuring that violations are met with appropriate remedies and regulatory oversight. Without such measures, SNAG risks being an ineffective tool rather than a meaningful compliance mechanism.

Problematic Articles and Additional Compliance Concerns in the GAID

• Article 7(l) on Cookie Notices: The directive mandates specific cookie banner placements (“obstructing the middle, left, or right side of the home page”), a rigid and intrusive requirement that deviates from more flexible international standards.
• Article 6 on Individual Data Processing: While encouraging responsible data handling, the broad definitions of risky conduct (e.g., “lack of duty of care in handling any device storing personal data”) may create confusion and potential overreach.
• Interplay with Sectoral Regulations (Article 4): The GAID promotes cooperation on sectoral guidelines, but without harmonization, this could lead to regulatory fragmentation across industries.
• Benchmarking with Interoperable Data Privacy Measures (Article 35): The bureaucratic approval process, long approval timelines, and vague definitions could hinder innovation and increase compliance burdens, especially for smaller tech companies.
• Exercise of Data Subject Rights (Articles 36-39): Implementing rectification, portability, and erasure rights requires significant technical and operational adjustments. The lack of clear enforcement mechanisms, the complexity of data portability, and potential disruptions due to temporary orders from the Commission raise compliance risks for businesses.

Conclusion

The GAID 2025 represents an important step in implementing Nigeria’s data protection framework. However, its focus on numerical thresholds for “major importance,” increased filing fees, and broad compliance mandates suggests a framework that leans towards procedural formalities rather than substantive data protection.

“Without practical refinement, the GAID risks becoming a compliance nightmare rather than a safeguard for data privacy.”

To ensure an effective and sustainable data protection regime, the NDPC should refine its approach, focusing on proportionality, clarity, and global best practices. Only then can Nigeria truly establish a data protection framework that supports both regulatory oversight and digital innovation.

Disclaimer: The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of the publishing organization or the author’s employer. This article is for informational and discussion purposes only and should not be construed as an official statement or endorsement by either entity.

Come with your calculator and log book because you may need them. Indeed, you will understand the “Measure of Central Tendency” and how you can use lean six sigma to drive business growth and accelerate productivity. Join Dr Charles Igwe as he teaches on the topic – “Driving Growth and Operational Excellence Using Lean Six Sigma” – at Tekedia Mini-MBA Live at 7pm WAT today. Zoom link in the Board.

This is one of the leading courses which our university partners have used extensively (we allow that provided it is for the good of the students). Dr Igwe, a zen-master, created about 160 slide-courseware to explain this zen-stuff. In the updated lecture (out today), you will master how AI can make Lean Six Sigma even better to drive business growth.

We are Tekedia Institute – the winner of University of Ilorin U-Inspire Award, the winner of Velocity Mhagic Award, and the winner in the knowledge systems of thousands of young people. We have one product and that is KNOWLEDGE. We just received a big endorsement from the Federal Ministry of Youth and Sports Dev in Nigeria; a really amazing and brilliant letter, commending our work. Thanks so much for recognising this Institute.

Pick your seat and let’s fulfil the cardinal mission encapsulated by University of Nigeria Nsukka: “to restore the dignity of man (and woman)”.  Register for the next edition of Tekedia Mini-MBA here.

Marathon Digital Holdings (now MARA Holdings Inc.) announced a $2 billion at-the-market (ATM) stock offering aimed at raising capital to purchase additional Bitcoin, among other general corporate purposes. This strategy involves selling shares incrementally through investment firms like Barclays, Cantor Fitzgerald, and others, with the proceeds intended to bolster its Bitcoin reserves and support operational needs. Marathon currently holds 46,376 BTC, making it the second largest publicly traded company in terms of Bitcoin ownership, behind MicroStrategy.

This move reflects a shift from relying solely on mining to direct market purchases, adapting to challenges like the 2024 Bitcoin halving, which reduced mining rewards, and rising operational costs. The company plans to allocate approximately 40% of the funds to acquire more Bitcoin, with the rest supporting working capital and corporate expenses. This follows a pattern of capital-raising efforts, including a prior $1.4 billion ATM offering and a $1 billion convertible notes issuance in November 2024, signaling Marathon’s aggressive “HODL” approach to amassing Bitcoin as a long-term asset.

Marathon Digital’s $2 billion stock offering to purchase additional Bitcoin carries several implications across financial, operational, and market dimensions. Issuing new shares via an at-the-market offering could dilute existing shareholders’ equity. The extent depends on the volume and price at which shares are sold, but with Marathon’s stock already up over 60% in 2025 (as of late March), the market seems to have absorbed prior dilution well. Still, this could pressure the stock price if investor confidence wavers. Adding roughly $800 million worth of Bitcoin (assuming 40% of the $2 billion is allocated as stated, at current prices around $90,000 per BTC) bolsters Marathon’s asset base.

This aligns with its treasury strategy, treating Bitcoin as a reserve asset, similar to MicroStrategy’s playbook. While Marathon has reduced debt (paying off $331 million in 2024), tying more of its capital to Bitcoin—a volatile asset—heightens exposure to price swings. A Bitcoin downturn could shrink its asset value faster than operational revenue can offset. The move underscores a pivot from Bitcoin mining as the primary growth driver to direct acquisition. Post-2024 halving, mining profitability has declined due to halved block rewards (from 6.25 to 3.125 BTC) and rising energy costs. Buying Bitcoin outright bypasses these constraints, signaling a long-term bet on price appreciation over mining yield.

Purchasing Bitcoin on the open market can be more cost-effective than mining it, especially with Marathon’s reported all-in energy cost of around $60,000-$70,000 per BTC (pre-halving estimates adjusted for current conditions). This could free up resources to optimize mining operations or diversify energy strategies. The remaining $1.2 billion for working capital and general purposes provides a buffer for operational expenses, potential acquisitions (e.g., more mining infrastructure), or weathering market downturns. Marathon’s aggressive Bitcoin accumulation reinforces its identity as a Bitcoin proxy stock, appealing to crypto bulls but potentially alienating traditional investors wary of crypto volatility.

It could drive further institutional interest in Bitcoin as a corporate treasury asset. An $800 million Bitcoin buy could add upward pressure to BTC prices, especially if executed in a compressed timeframe. While not massive relative to Bitcoin’s $1.9 trillion market cap (as of late March 2025), it contributes to demand in a market sensitive to large corporate moves. Marathon narrows the gap with MicroStrategy (holding over 250,000 BTC) in the race among public companies to amass Bitcoin. This could spark a trend among other crypto-adjacent firms to follow suit, intensifying competition for BTC supply.

Increased Bitcoin holdings might draw scrutiny from U.S. regulators, especially if crypto policies tighten under shifting political winds in 2025. With Bitcoin near all-time highs and speculation about a “supercycle” in 2025, Marathon’s timing could either pay off handsomely or expose it to a bubble burst if macroeconomic factors (e.g., interest rate hikes) shift sentiment. Marathon is doubling down on Bitcoin as a core strategy, betting on its long-term value while navigating short-term financial and operational trade-offs. The outcome hinges on Bitcoin’s trajectory and investor tolerance for this high-stakes pivot.