15 August 2025

Nigeria Data Privacy Law 2025: NDPA & GAID Guide

Balogun Harold


Balogun Harold is a specialist law firm for investment and financing transactions focused on Africa. We routinely undertake debt finance, private equity, project finance, venture capital, market entry and technology transactions on behalf of clients. We deliver proven, guaranteed and exceptional outcomes by always aiming for the best level of legal and transactional support necessary to achieve our clients' strategic goals.


Nigeria's data privacy landscape is anchored by the Nigeria Data Protection Act, 2023 (the "NDPA"), administered by the Nigeria Data Protection Commission (the "NDPC"). In March 2025, the NDPC issued the General Application and Implementation Directive (GAID) 2025, an operational rulebook that consolidates how the Act applies in practice and introduces detailed rules (including cross-border transfers and registration of "data controllers/processors of major importance," or DCMIs/DPMIs). The NDPC has communicated GAID's effective date as 19 September 2025; until then the NDPA governs, and the NDPC has said it will cease applying the older NDPR as a regulatory instrument once GAID takes effect. The following are some of the questions we have had to field from global clients seeking clarity on how Nigeria's data privacy framework aligns with and diverges from familiar regimes like the GDPR and UK GDPR.

1. Who is covered? (Territorial & material scope)

The NDPA applies primarily to controllers/processors in Nigeria, and to non-Nigerian entities that process personal data of individuals in Nigeria in connection with offering goods/services or monitoring behaviour. Personal data and special categories: NDPA definitions are broadly aligned with GDPR. The GAID provides operational detail.

2. Which principles & lawful bases are applicable?

The NDPA's core principles mirror the GDPR's and recognise lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability. Common lawful bases (consent, contract, legal obligation, vital interests, public interest, legitimate interests) are also recognised. Additionally, consent must be freely given, specific, informed, and unambiguous. The GAID provides operational detail.

3. What rights do individuals have under Nigeria's data privacy law in 2025?

The NDPA recognises data subject rights, including the rights to be informed, access, rectification, portability, restriction, objection, erasure ("right to be forgotten"), and protection from certain forms of automated decision-making. These provisions are closely related to the standards under the GDPR.

4. What are the obligations of controllers, processors, and DPOs under Nigeria's data privacy law in 2025?

Data processors and controllers are subject to a number of statutory obligations which include:

  1. Governance: Controllers must implement appropriate technical/organisational measures and keep processing records; processors must act on instructions and implement security.
  2. Appointment of Data Protection Officer (DPO): Mandatory for data controllers/processors of major importance and in other prescribed situations. GAID elaborates on qualifications and role.
  3. Registration (DCMI/DPMI): Entities processing "substantial numbers" of data subjects or data important to Nigeria's economy must register with NDPC. Additional operational details are provided in the GAID, including limited exemptions.

6. What are the data breach notification rules under Nigeria's data privacy law in 2025?

Generally, two key statutory notices are required. The first is the regulator notice: controllers must notify the NDPC within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights/freedoms. The second is the data subject notice: if a breach is likely to result in a high risk, controllers must notify affected individuals without undue delay and in clear language. Other statutory notices may apply based on the nature of a processing activity.

7. How does Nigeria's data privacy law regulate cross-border data transfers in 2025?

As a general rule, transfers are not permitted unless adequate protection exists. GAID 2025 operationalises mechanisms familiar from the GDPR, including adequacy determinations, binding corporate rules, standard contractual clauses/contractual safeguards, codes of conduct, and certifications, plus case-by-case assessments.

8. What are the enforcement powers and penalties under Nigeria's data privacy law in 2025?

NDPC has statutory powers to investigate, issue compliance orders, and impose fines. Data controllers and processors can be fined up to ₦10,000,000 or 2% of the preceding year's gross revenue (whichever is greater).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
