GAID Compliance Checklist: How Nigerian Businesses Can Audit Their Current Position
Most Nigerian businesses that have started on GAID compliance believe they are further along than they are. A privacy policy exists. Someone has been named as DPO. The NDPC registration was submitted. On paper, the boxes are ticked.
The problem is that ticked boxes and genuine compliance are not the same thing. A privacy policy copied from another website does not describe your actual processing activities. A DPO appointment letter for someone who is also the Head of IT does not satisfy the independence requirement. A registration at the wrong tier leaves you exposed. Partial compliance and false compliance are different things, and an NDPC audit will distinguish between them.
This article is a structured audit tool. Work through each section and mark your honest position: not started, in progress, or done. By the end, you will have a clear picture of where you stand and which gaps carry the most immediate risk under NDPC scrutiny.
This audit is part of PlanetWeb’s GAID compliance series. For the foundational framework, see our GAID Nigeria Data Protection Directive guide. For registration and classification, see our GAID registration guide. For DPO obligations, see our Data Protection Officers guide.
How to Use This Audit
Each section below covers a core area of GAID compliance. For each item, mark your organisation’s position as one of the three states.
Done means documented evidence exists and is current. Not just that the activity happened, but that records confirm it.
In progress is only valid if documented work is underway, not if something is planned or intended.
Not started means the obligation exists, but nothing has been done. This is the honest position for many organisations in one or more areas, and acknowledging it is more useful than recording false progress.
The audit covers core GAID obligations. Sector-specific requirements, including the additional obligations that apply to fintechs, healthcare providers, or organisations processing children’s data, are not fully captured here. Those are addressed in the sector deep-dive articles in this series.
Foundation: Data Inventory and Lawful Basis
Everything in a GAID compliance programme depends on knowing what personal data you hold. An NDPC auditor’s first question is almost always: show me your data inventory. If that document does not exist, or does not reflect your actual processing activities, every subsequent compliance claim becomes questionable.
Data Inventory
A complete data inventory records the categories of personal data you collect, the purpose of collection, where data is stored, who has access, how long it is retained, and the lawful basis for each processing activity.
If your inventory exists but was last updated more than twelve months ago, treat it as incomplete. Data processing activities change, new tools get added, and staff roles shift. An inventory that no longer matches how the organisation actually operates is a liability, not an asset.
Auditor’s focus: Whether the inventory is current and whether the lawful basis column reflects specific documented reasoning, not placeholders.
Lawful Basis Documentation
Under the Nigeria Data Protection Act 2023, every processing activity requires a documented legal justification. The main bases are consent, contract, legal obligation, legitimate interests, vital interests, and public interest. Documenting which basis applies to each category of data, and why, is not a formality. It is what the NDPC will ask for first.
Legitimate interests require a balancing test. Consent requires records showing it was freely given, specific, and informed.
Auditor’s focus: Whether a basis is documented for each processing activity and whether it reflects a genuine assessment rather than a box-ticking exercise.
Retention Schedule
Data minimisation is a core GAID principle. Organisations must keep personal data only for as long as necessary for the purpose it was collected. A retention schedule sets out how long each category of data is held and what happens when that period ends.
“We delete things when we remember” is not a retention policy. Documented retention periods, with an owner responsible for enforcing them, are what compliance looks like here.
Auditor’s focus: Whether a schedule exists, whether it is followed, and whether deletion or anonymisation happens at the end of the retention period.
Registration and Classification
NDPC Registration Status
Your organisation should know its exact registration status: registered and current, not registered, or lapsed. A lapsed registration carries the same enforcement exposure as no registration.
If you are not yet registered and your processing activities cross the DCPMI thresholds, this is the highest-priority gap in this audit. An unregistered organisation is straightforward for the NDPC to identify. Registration is completed through the NDPC portal.
Auditor’s focus: Current registration certificate and whether registered details match actual processing activities.
Classification Accuracy
The most common registration gap is not the absence of registration but misclassification: organisations registered as Regular when their processing volume, turnover, or data sensitivity clearly places them in the Major tier.
If your organisation processes data for more than 200 individuals within any six-month period, has a turnover above ₦50 million, or handles sensitive data categories at scale, you are likely a DCPMI, and your registration should reflect that. For the full classification criteria and what Major status commits you to, see our GAID registration guide.
Auditor’s focus: Whether the registered tier matches the organisation’s actual profile, and whether the Major tier obligations, specifically annual audit and DPO appointment, are in place where required.
Change Notifications
GAID requires organisations to notify the NDPC of material changes within 30 days. A change in DPO, a significant expansion in data processing activities, or a turnover increase that crosses the classification threshold all require formal notification through the portal.
Many organisations that registered correctly at the time have since changed in ways that were never notified. This is a quiet but genuine compliance gap.
Auditor’s focus: Whether the registered position still reflects current reality, and whether a process exists for identifying and notifying changes.
Governance: DPO and Accountability
DPO Appointment or Designated Compliance Owner
If your organisation is classified as a DCPMI, a DPO must be appointed before registration. The individual must be demonstrably independent and cannot hold a role that conflicts with their data protection responsibilities.
If your organisation is below the DCPMI threshold, you still need a named person accountable for data protection. That person must have the authority to act on compliance matters, not just a title. For the full details on qualification and independence requirements, see our Data Protection Officers guide.
Auditor’s focus: Whether a DPO is named, whether they are genuinely independent, and whether their details are registered with the NDPC.
Internal Accountability Structure
Beyond the DPO, the NDPC expects evidence that data protection responsibility is embedded across the organisation, not siloed with one person. Staff should know who the DPO is, how to escalate a potential incident, and what to do when they receive a data subject request.
If “who do you contact about a data protection issue?” would stump most of your staff, the accountability structure is not functioning.
Auditor’s focus: Whether training records show staff have been informed of their obligations and who to contact.
Privacy Notices and Consent
Privacy Policy
A compliant privacy policy under GAID must accurately describe your actual processing activities, reference the NDPA 2023 and GAID as the applicable legal framework, identify the lawful basis for each processing purpose, and provide contact details for the DPO or responsible person.
A privacy policy template copied from a UK or US website does not meet this standard. Neither does a policy that describes what the organisation intended to do rather than what it actually does.
Auditor’s focus: Whether the policy is accurate, current, accessible, and references the correct regulatory framework.
Collection-Point Notices
Data subjects must be informed at the point of collection. Every form, sign-up page, app permission screen, and data-collection touchpoint should include a clear notice explaining what data is collected, why, and how it will be used. That notice needs to be visible before the data is submitted.
“See our privacy policy”, buried in a footer, does not satisfy this requirement.
Auditor’s focus: Whether data subjects are meaningfully informed before their data is collected, not after.
Consent Records
Where consent is the lawful basis for processing, it must be documented. The record should confirm that consent was freely given, specific to the purpose, and informed. Pre-ticked boxes, consent bundled with terms and conditions, or consent obtained under pressure do not meet the standard.
Consent withdrawal must also be straightforward. If the mechanism for withdrawing consent is harder to find than the mechanism for giving it, the consent framework does not comply.
Auditor’s focus: Whether consent records exist, whether they are specific to the processing purpose, and whether the withdrawal process is functional.
Data Subject Rights
Request Handling Process
Under the NDPA, data subjects can request access to their data, corrections, erasure, restriction of processing, data portability, and the right to object. Every request must be responded to within 30 days.
A compliant process means a documented procedure, a designated recipient, a log of requests received and resolved, and records showing the 30-day window was met. A privacy email address that no one checks is not a compliant request-handling process.
Auditor’s focus: Whether a process exists, whether it is operational, and whether the log demonstrates timely handling.
SNAG Process
The Standard Notice to Address Grievance is a formal complaint mechanism that data subjects can use before or instead of escalating their grievance directly to the NDPC. An organisation that receives a SNAG and does not respond correctly is in a worse position than one that never received one, because the gap is now documented.
A designated contact point, a clear escalation path, and a record of how each SNAG was handled are the minimum requirements. For full details on what triggers a SNAG, see our NDPA compliance guide.
Auditor’s focus: Whether a SNAG process is documented and whether received notices have been handled and reported to the NDPC.
Breach Response
Breach Response Plan
GAID requires a 72-hour notification window from the point an organisation becomes aware of a qualifying breach. That window is short enough that an organisation without a documented breach response plan will almost certainly miss it.
A compliant plan covers how a potential incident is detected and escalated, who decides whether it meets the notification threshold, how the NDPC is notified, and how affected data subjects are informed, where required. The plan should be tested. A document that has never been rehearsed is not a reliable plan. For the full notification process, see our data breach response guide.
Auditor’s focus: Whether a documented plan exists, whether it has been tested, and whether the 72-hour threshold and notification process are clearly understood by the people responsible for executing it.
Incident Log
Even incidents that did not meet the notification threshold should be logged. The log demonstrates that the organisation is actively monitoring for breaches and applying a consistent assessment framework.
An empty incident log does not mean no incidents have occurred. It may mean no one is looking.
Auditor’s focus: Whether a log exists and whether it reflects a genuine ongoing assessment process rather than a retrospective record assembled for audit purposes.
Vendor and Third-Party Management
Data Processing Agreements
Every vendor that processes personal data on your behalf must have a Data Processing Agreement in place. Under the NDPA, the data controller remains responsible for what those vendors do with that data, regardless of contractual gaps.
A DPA must cover breach notification timelines, audit rights, clear processing instructions, data transfer provisions where relevant, and termination clauses for non-compliance. A standard commercial contract without these provisions does not satisfy the requirement.
Auditor’s focus: Whether DPAs exist for all material vendors and whether they contain the required provisions.
Vendor Register
Before you can have DPAs in place, you need to know which vendors process personal data on your behalf. Many organisations discover significant gaps here: cloud storage providers, payroll platforms, CRM systems, email marketing tools, and payment gateways all commonly process personal data without formal agreements.
A vendor register maps each third-party processor, what data they handle, the legal basis for transfer, and whether a DPA is in place.
Auditor’s focus: Whether the register exists, whether it is complete, and whether DPA coverage matches it.
Staff Training
Training Records
Staff who handle personal data must be trained on their obligations under the NDPA and GAID. Training must be role-specific: a customer service team handling data subject requests has different obligations from a finance team processing payroll.
Records must document who was trained, what was covered, and when. A generic annual session applied to all staff is a starting point, not a complete training programme.
Auditor’s focus: Whether records exist and whether they demonstrate role-specific coverage.
Refresh Cycle
Training conducted once at onboarding and never repeated is not sufficient. Regulations change, processing activities evolve, and staff change roles. A refresh cycle, at a minimum annually, with records confirming completion, is what ongoing compliance looks like.
Auditor’s focus: Whether training is repeated at defined intervals and whether the refresh records are current.
Reading Your Results
Work through the sections above and count your positions across the eight areas. Here is what each outcome means in practice.
Mostly Done
Your compliance programme is in reasonable shape. The priority now is maintenance: keeping the data inventory current, tracking annual renewal, refreshing staff training, and monitoring your classification status as the business grows.
Schedule annual audit preparation proactively rather than waiting for an NDPC trigger.
Mixed Results
Some areas are covered, others have real gaps. Prioritise by risk. Data inventory and DPO gaps first, as they affect everything downstream. Registration issues second, as these are visible to the NDPC and straightforward to identify. Privacy notices and consent records third.
Do not attempt to close all gaps simultaneously. A prioritised remediation plan with a named owner and realistic deadlines is more effective than a broad effort that stalls. The most common failure pattern is organisations that identify their gaps, assign them collectively to no one in particular, and then discover six months later that nothing has moved.
Significant Gaps Across Multiple Areas
The exposure is real and current. An NDPC audit, a data subject complaint, or a breach at this stage would reveal a compliance programme that does not exist in substance.
Professional assessment is strongly recommended before attempting self-remediation. Knowing which gaps carry the highest immediate risk, and in what order to close them, is the difference between a structured compliance programme and a reactive scramble.
Running through this audit gives you a position. What it does not give you is a remediation plan. Knowing that your vendor contracts are missing data processing provisions and your staff training records are incomplete is useful. Knowing which to address first, in what sequence, and to what standard, is where professional guidance adds the most value.
If your audit has surfaced issues across multiple areas, a structured compliance assessment is the most efficient path forward. PlanetWeb works with Nigerian organisations to map their current compliance position, prioritise remediation, and build programmes that hold up under NDPC scrutiny. The difference between a compliant organisation and an exposed one is rarely the size of the gap. It is whether anyone is closing it. If you would like to understand what that looks like for your organisation, get in touch.