The General Application and Implementation Directive (GAID): Key Compliance Updates

Following a recent engagement with the Nigeria Data Protection Commission (“NDPC”), we have received a number of clarifications from the NDPC regarding compliance with requirements of the The General Application and Implementation Directive (GAID).

Background

The GAID was issued pursuant to the Nigeria Data Protection Act, 2023 (the “Act”) and came into effect as of September 2025. The GAID is a critical document because it operationalizes the statutory obligations imposed by the Act by prescribing the governance structures, accountability mechanisms, risk management processes, and documentary standards that data controllers and processors must implement to demonstrate lawful and responsible processing of personal data.

In particular, the GAID is significant because it:

1. Transforms broad statutory principles into enforceable compliance expectations, providing practical direction on how organizations should implement data protection by design and by default.

2. Establishes a clear accountability framework, requiring documented policies, records of processing activities, data protection impact assessments (DPIAs), vendor management controls, and demonstrable oversight by senior management.

3. Defines the minimum governance architecture, including the designation, role, independence, and reporting lines of Data Protection Officers (DPOs) or equivalent functionaries.

4. Sets regulatory benchmarks for audits, investigations, and enforcement, thereby serving as the primary reference point for the Nigeria Data Protection Commission when assessing organizational compliance.

Accordingly, the GAID is not merely guidance in a soft-law sense as it also functions as the practical compliance blueprint for entities subject to the Nigeria Data Protection Act, 2023, and should be treated as the authoritative standard for building and defending a defensible data protection posture.

We set below some of the clarifications received on the NDPC platform limitations and obligations of Data Controllers and Data Processors.

1. Ordinary–High Level (OHL) Registration Renewal

Article 9(3) of the GAID requires Ordinary–High Level (OHL) data controllers and data processors to renew their registration annually. The NDPC has now clarified that the renewal functionality on its platform is currently under development. 

For data controllers and data processors looking to comply, it is important to note that the legal obligation to renew remains in force, notwithstanding that the technical mechanism for renewal filing is not yet operational.

2. Data Protection Impact Assessment (DPIA) Filing

Section 28 of the Act and Article 28 of the GAID require Data Controllers and Data Processors to conduct a DPIA for high-risk processing activities, and in certain circumstances; and to file such DPIA with the Commission.

The NDPC has now clarified that the obligation to file a DPIA, only arises in instances where the measures envisaged are not sufficient to mitigate the risks identified. 

The NDPC has also clarified that the Commission is currently automating the filing of a DPIA. In the meantime, DPIAs are to be filed via email and accompanied by a cover letter to the National Commissioner/CEO, NDPC.  

3. Ultra-High Level Data Processing Fee

Schedule 7 of the GAID requires Data Controllers of Major Importance in the Ultra-High Level category to pay a ₦5,000 data processing activities fee per data processor engaged within a 12-month period.

The NDPC has indicated that guidance on the payment process and platform integration will be communicated once the payment system becomes operational.

4. Adequacy (Whitelist) Publication

The NDPC has confirmed that in the absence and pending the publication of an NDPC-approved Adequacy List, data controllers and data processors are required to rely on other recognised cross-border data transfer instruments to ensure the lawful and secure transfer of personal data. 

What This Means for Companies

1. It is critical to distinguish between substantive (conduct) obligations and filing/administrative obligations. While certain filing links and payment mechanisms are still under development, the underlying compliance obligations remain fully in force. Accordingly:

a. Companies must continue to conduct DPIAs where high-risk processing activities are involved.

b. Required documentation must be prepared and retained internally.

c. Registration renewal obligations subsist, notwithstanding temporary platform limitations.

d. Ultra-High Level entities still need to put in place a process that tracks processors engaged to ensure readiness for payment once the system becomes active. In short, the absence of a filing or payment link does not suspend statutory compliance duties. 

2. Adherence to the GAID will likely be treated as evidence of good faith compliance, while non-alignment may expose organizations to administrative sanctions, remedial orders, and reputational harm. Proactive compliance will therefore be useful to mitigate regulatory and litigation risk.

We will continue to monitor developments and provide updates as further operational guidance is released.