GAID Nigeria Data Protection Directive: What Businesses Must Know
Nigeria’s data protection regulator does not wait for businesses to catch up. Before GAID came into force, the NDPC had already investigated over 1,300 organisations, and since September 2025 it has had the full weight of the directive behind it.
If your business collects customer emails, phone numbers, payment details, or any other personal information, you are within scope. It doesn’t matter whether you’re a fintech startup, a mid-size manufacturing firm, or a small shop running a WhatsApp Business account.
Nigeria’s General Application and Implementation Directive (GAID) took effect on 19 September 2025. It’s the operational framework that turns the Data Protection Act’s principles into specific, enforceable obligations. The NDPC has the tools to enforce them.
Here’s what the directive requires and what your business needs to do.
What is GAID?
GAID stands for General Application and Implementation Directive. Think of it as the instruction manual for Nigeria’s Data Protection Act (NDPA 2023).
The NDPA set the rules. GAID tells you exactly how to follow them.
It is issued by the Nigeria Data Protection Commission (NDPC) and replaces the older Nigeria Data Protection Regulation (NDPR) of 2019. This time there is stronger legal backing, in the form of the NDPA itself, and real enforcement machinery behind it.
Who Does This Apply To?
If your business touches customer data in any way, you need to comply. That includes:
- E-commerce sites collecting shipping addresses
- Fintech apps storing bank details
- Healthcare platforms managing patient records
- Marketing agencies handling email lists
- HR software processing employee information
- Even small shops using WhatsApp Business for customer communication
No business is too small to be exempt.
Your Compliance Risk Level
Not every business faces the same burden. Where you fall depends on the type and volume of data you process.
High-burden sectors include fintech, healthtech, HR technology, and e-commerce platforms that profile customer behaviour. These businesses typically process sensitive or large-scale data, are more likely to require a formal Data Protection Officer, and face the highest scrutiny in any NDPC audit.
Medium-burden sectors include professional services firms (legal, accounting, consulting), telecommunications, and insurance. They handle significant personal data, but often in more controlled contexts with clearer legal bases.
Lower-burden sectors include small retail businesses, events companies, and service providers who collect minimal customer data for transactional purposes only. Compliance is still required, and these organisations remain fully subject to NDPC audit and penalty powers. Certain obligations, like mandatory DPO appointment and formal DPIA requirements, are less likely to apply.
Understanding where your business sits determines which requirements are non-negotiable for you.
How GAID Compares to GDPR
If you’ve worked with European clients or followed EU data protection news, GAID will feel familiar. It follows a similar framework to GDPR, which is good news if you have international partners. Your compliance work can overlap in many areas. For a detailed comparison, see our NDPA vs GDPR breakdown.
| Feature | GAID (Nigeria) | GDPR (EU) |
|---|---|---|
| Enforcement body | NDPC | National supervisory authorities (one DPA per member state) |
| Maximum fine | ₦2M–₦10M or 2% of annual gross revenue, whichever is greater (tier depends on classification) | €20 million or 4% of annual global turnover, whichever is higher |
| Grievance process | SNAG available for internal resolution before escalation to the NDPC | Direct complaint to the DPA |
| Consent requirements | More flexible for low-risk data | Strict documentation of consent required |
The maximum fine under the NDPA, which GAID operationalises, is lower than under GDPR, but for most Nigerian SMEs 2% of annual gross revenue is a meaningful amount. And unlike the GDPR, where enforcement took years to ramp up, the NDPC has been deliberately building its enforcement capacity from the start.
What You Need to Do
Support Data Subject Rights
Your customers have rights over their data. They can request a copy of what you hold on them, ask you to correct inaccurate information, request deletion, object to how you’re using their data, or ask you to transfer it to another service provider.
You have 30 days to respond to any of these requests. Ignoring them is not a neutral act: it is grounds for a formal complaint to the NDPC.
Set up a process for receiving and tracking these requests, with the receipt date and the 30-day deadline recorded for each one, and designate who in your organisation is responsible for handling them. Verify the requester’s identity before you release, correct or delete anything: an access request is a common pretext for extracting someone else’s data, and disclosing to the wrong person is itself a breach.
Have a Legal Basis for Processing Data
You cannot collect data without a clear legal justification. The main ones are:
- Consent: Required for email marketing and non-essential data collection
- Legitimate interest: For fraud detection, security monitoring, or service improvement
- Legal obligation: For tax records, KYC requirements, or regulatory compliance
- Contract fulfilment: For processing orders or delivering services
Document which legal basis applies to each category of data you collect. If you’re audited, this is what the NDPC will ask for first. For a broader look at building a compliance programme, see our guide to data protection compliance strategies for Nigerian businesses.
The SNAG Process
SNAG stands for Standard Notice to Address Grievance. It’s a formal template that data subjects can use to demand remedial action when they believe their data rights have been violated.
An important distinction: a SNAG is not a legal requirement before someone can file a complaint with the NDPC. A data subject can go directly to the Commission if they choose. What SNAG does is create an internal resolution pathway, giving your business the opportunity to resolve the issue before it escalates to a formal investigation.
When you receive one, you are required to communicate your decision to the NDPC as part of the grievance management process. A complaint that sits unacknowledged is an unnecessary liability, and an unresolved SNAG is visible to the NDPC.
Set up a dedicated grievance mailbox on your own domain, publish it in your privacy policy, and make sure someone with the authority to act on it checks it daily.
Do You Need a Data Protection Officer?
You likely need a formal DPO if you process large volumes of personal data, handle sensitive categories (biometrics, health records, financial data), use automated profiling or AI-driven decision-making, or monitor people at scale.
If you’re a small business handling low-risk data, you may not need a full-time DPO. But you still need a designated person responsible for compliance, data subject requests, and NDPC communication. That responsibility cannot sit with no one.
For businesses without the internal capacity, shared DPO services and outsourced compliance consultants are available in Nigeria. The cost varies significantly based on scope, but factoring this into your compliance budget early is worthwhile.
Data Protection Impact Assessments (DPIAs)
If your business engages in any high-risk activity involving personal data, you need to conduct a DPIA before that activity begins, not after.
High-risk activities include:
- Automated decision-making that affects people (credit scoring, loan approvals)
- Processing biometric data, such as fingerprints or facial recognition
- Large-scale monitoring (CCTV, location tracking)
- Processing children’s data at scale
- Combining datasets from multiple sources to build profiles
The NDPC provides free DPIA templates on its website. What the template gives you is structure. What it doesn’t give you is the judgment to complete it accurately, particularly in high-risk sectors where data flows are complex. A fintech conducting credit scoring, a healthtech managing patient records, or an HR platform running automated performance assessments all face DPIA requirements that are difficult to satisfy without genuine data protection expertise.
Moving Data Outside Nigeria
If you use international cloud services like AWS, Google Cloud, or Microsoft Azure, you are very likely transferring Nigerian customer data outside the country. This is permitted if the destination country has NDPC adequacy recognition, you use Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or you have obtained explicit consent from the individual.
For most businesses, SCCs are the practical route since the NDPC’s list of adequacy-recognised countries is limited. Check your vendor contracts to confirm the right provisions are in place, and check the actual storage location of your data, not just the provider’s headquarters: the region you selected, where backups and replicas are kept, and which countries the provider’s support staff can access it from all count as transfers.
Managing Vendors and Third Parties
If another company processes data on your behalf, you remain responsible for what happens to that data. Your vendor contracts must include a breach notification timeline tight enough for you to meet your own 72-hour duty to notify the NDPC, your right to audit their security practices, clear processing instructions, and termination clauses for non-compliance.
Review your existing contracts. Many pre-GAID agreements don’t include these provisions, and the gap is not theoretical. If a vendor suffers a breach involving your customers’ data and your contract has no notification clause, you are exposed regardless of where the fault lies.
How to Register with the NDPC
Formal NDPC registration applies to businesses classified as Data Controllers or Processors of Major Importance (DCPMIs), tiered into Ultra-High Level, Extra-High Level, and Ordinary High Level based on data processing volumes. If your business processes data for more than 200 individuals in a six-month period, you likely fall within the DCPMI classification and should assess your registration obligation.
Even below that threshold, compliance obligations still apply. Visit ndpc.gov.ng to confirm your classification.
Keep Documentation
The NDPC expects evidence of compliance, not just assurances. Maintain records of:
- Your data inventory (what you collect, why, where it’s stored, who has access)
- Your privacy policy and any updates
- DPIAs you’ve conducted
- SNAG requests received and how you resolved them
- Staff training logs
- Vendor contracts with data processing provisions
- Your breach response policy and incident log
- Your data retention schedule
During an NDPC audit, failure to produce documentation is treated as non-compliance even if processes exist informally. The documentation is the evidence. Without it, good intentions count for nothing.
What the NDPC Has Done So Far
Building on the sector-wide investigations already underway before GAID came into effect, the Commission has been conducting active monitoring and enforcement since September 2025.
The NDPC has demonstrated its willingness to impose penalties, issue enforcement orders, and publicly name non-compliant organisations. The Commission’s enforcement powers include administrative sanctions, compliance orders, audit directives, and financial penalties under Section 48 of the NDPA.
For more on how the Commission operates, see our overview of the Nigeria Data Protection Commission. Monitoring their official communications at ndpc.gov.ng is also worth doing regularly, particularly for high-risk sectors where enforcement attention is highest.
What Non-Compliance Costs
On the penalty side, the NDPC fine structure is tiered. For businesses classified as DCPMIs, the fine is whichever is greater between ₦10 million or 2% of annual gross revenue. For other businesses, it is whichever is greater between ₦2 million or 2% of annual gross revenue. The NDPC can also publicly name non-compliant organisations and conduct unannounced audits.
The compliance costs are worth understanding too. For Nigerian businesses, a rough picture looks like this:
- Outsourced DPO services: From around ₦200,000 to ₦800,000 per month, depending on scope
- DPIA consultants: Variable, typically project-based
- Privacy policy and contract review: A one-time legal engagement
- Staff training: Available through NDPC-accredited providers, with group rates through industry associations
These costs are substantially lower than the reputational and financial cost of a penalty or public listing. For a sense of what data protection failures have cost Nigerian businesses, our Nigerian data breach case studies are worth reading. The comparison is worth making explicitly when building the business case for compliance internally.
Turning Compliance into a Business Advantage
Compliance is not just a legal obligation. It’s a signal.
Businesses that are visibly compliant are easier to partner with internationally, more attractive to investors who assess regulatory risk during due diligence, and more trusted by customers in sectors like health and finance.
For Nigerian startups looking to raise funding from institutional investors or expand into the EU or UK, where data protection standards are a procurement requirement, documented compliance removes a friction point that due diligence surfaces early.
Getting compliant doesn’t need to be positioned internally as a cost centre. For growth-oriented businesses, it’s a prerequisite.
Where You Should Be Right Now
Foundation (should be complete):
- Data audit completed: you know what you collect, where it lives, and why
- Privacy policy updated to reflect GAID requirements
- Legal basis documented for each category of data you process
Governance (should be in place):
- DPO appointed or designated compliance owner identified
- SNAG process established with a dedicated contact point
- Vendor contracts reviewed and updated with GAID-required provisions
High-risk activities (if applicable):
- DPIAs completed before any high-risk processing activities
- Data transfer arrangements confirmed for international cloud services
Registration (if applicable):
- NDPC registration completed if your business qualifies as a DCPMI
If you have gaps across multiple categories, prioritise data audit and registration first. Everything else flows from knowing what data you hold and having a legal basis for it.
Quick Wins You Can Do This Week
- Set up a dedicated grievance mailbox on your own domain and make sure someone checks it daily
- Download the NDPC’s free DPIA template from ndpc.gov.ng
- Pull your top three vendor contracts and check for breach notification and audit rights
- Update your website privacy policy to reference the NDPA 2023 and GAID
- Brief your team on what a SNAG notice looks like and who to escalate it to
- Start your data inventory with a simple spreadsheet: what you collect, why, where it’s stored, and who has access
- Check whether your data processing volume classifies you as a DCPMI, and begin registration if required
None of these requires a consultant. They do require someone in your organisation to own them.
Getting Structured Support
Most of the foundational work (data audit, privacy policy review, legal basis documentation) can be started without external help. But some situations genuinely benefit from professional guidance: high-risk data processing, AI or automated decision-making, biometric or health records, multi-jurisdictional operations, NDPC audit preparation, or complex vendor agreements.
PlanetWeb works with Nigerian businesses on data protection readiness, from initial assessments to ongoing compliance support. For businesses in growth mode, whether you’re preparing for a funding round, onboarding enterprise clients, or expanding into regulated markets, having documented compliance in place removes a barrier that due diligence tends to surface early. If you’d like to understand where your organisation stands, get in touch.
GAID enforcement is live. The NDPC is actively monitoring compliance.
The businesses that moved early are in a stronger position across every dimension: legal exposure, investor readiness, and customer trust. Those that haven’t started yet are not facing a future problem. They’re managing a current one.
The good news is that getting compliant is not as opaque as it seems. The NDPC provides free templates, and the foundational steps can be taken without expensive external help.
What it requires is someone in your organisation taking ownership and getting started.
What’s Next in This Series
Our next article covers Data Protection Impact Assessments in depth: what a DPIA produces, when your business is required to conduct one, and what the process looks like for high-risk sectors like fintech and healthtech in Nigeria.