The SNAG Process in Nigeria: How to Handle Data Complaints Before They Reach the NDPC
The GAID introduced a formal complaint mechanism that most Nigerian businesses have never prepared for. It is called a Standard Notice to Address Grievance, or SNAG, and it allows any data subject (a customer, an employee, or a civil society organisation) to demand that your business address a data privacy violation directly, before the matter goes anywhere near the NDPC.
Most compliance discussions cover registration, DPOs, and data breach response. The SNAG process gets far less attention, despite carrying real response obligations and direct NDPC visibility. If your business has no process for receiving and handling one, that gap is worth closing.
This article explains what a SNAG is, who can send one, what the NDPC can see, and what a proper response requires.
It is part of PlanetWeb’s GAID compliance series. For the foundational framework, see GAID Nigeria Data Protection Directive: What Businesses Must Know. For the broader data subject rights that SNAGs are typically used to enforce, see Data Subject Rights in Nigeria.
What a SNAG Is
A SNAG is a standardised complaint template introduced by the General Application and Implementation Directive (GAID) 2025, issued by the Nigeria Data Protection Commission under the authority of Section 61 of the Nigeria Data Protection Act 2023. The full GAID text is available as a PDF on the NDPC’s website.
The purpose of the SNAG is to create a structured internal remediation pathway. Rather than going straight to a regulator, a data subject can send a SNAG to the organisation they believe has violated their privacy rights, giving that organisation a defined window to investigate and respond.
One point must be stated clearly: sending a SNAG is not a precondition for filing a complaint with the NDPC, nor for taking legal action. A data subject can go directly to the Commission at any time, without first issuing a SNAG. The SNAG is a parallel route, one that the data subject may choose to take, not a gate they must pass through.
What this means in practice: a SNAG represents a genuine opportunity to resolve a data complaint before it becomes a regulatory matter. It also carries real compliance obligations regardless of whether the sender later escalates.
Who Can Send One and What Can Trigger It
Three categories of senders are recognised under the GAID.
The first is the data subject themselves: any individual whose personal data your organisation collects, holds, or processes. That includes customers, website visitors, newsletter subscribers, and job applicants.
The second is an authorised representative: typically a lawyer or any person formally acting on behalf of the data subject.
The third category warrants particular attention: a civil society organisation acting in the public interest. This means an NGO, advocacy group, or similar body with standing to assert data subject rights on behalf of a group of individuals. For businesses in regulated or high-volume sectors (fintech, healthcare, telecoms, e-commerce), this broadens the pool of potential SNAG senders beyond direct customers.
The threshold for issuing a SNAG is a reasonable belief that a data privacy right has been violated. Common scenarios include an access request that was ignored or not answered within the required timeframe; continued use of personal data after the data subject withdrew consent; sharing of personal data with a third party without authorisation; a data breach that exposed the sender’s personal information; and failure to delete or anonymise data following a valid erasure request. Data subject rights in Nigeria covers each of these rights in detail, including the conditions and limits that apply to them.
One scenario that catches many Nigerian employers off guard: employees can send SNAGs to their own employer. An employee who believes their HR records, monitoring data, or payroll information has been mishandled has grounds to issue a SNAG against the organisation they work for. Employee data protection in Nigeria covers the specific data rights that apply in the employment context.
A SNAG can be delivered through any reasonable means: email, post, courier, or other written correspondence. There is no requirement to use a specific channel, though a designated inbox for privacy-related correspondence makes routing and logging considerably more reliable.
What the NDPC Can See
Many organisations that receive a SNAG treat it as a private exchange to be managed quietly. That assumption is mistaken.
Under the GAID, when an organisation receives a SNAG, it is required to communicate its decision on that SNAG to the NDPC through an electronic platform the Commission is establishing to track these complaints. The NDPC can also monitor complaints where the matter appears unresolved and may initiate an investigation accordingly.
This changes the risk picture. From the moment a SNAG arrives, your handling of it is part of a regulatory record. The Commission can see whether you responded, whether you reported your decision, and, by inference, whether you engaged at all.
For businesses that have already registered with the NDPC as data controllers or processors of major importance, the SNAG tracking dimension adds another layer of accountability to an already structured compliance framework. For businesses that have not yet taken their GAID compliance obligations seriously, receiving a SNAG while also being non-compliant on registration and documentation is a compounding problem.
The Response Window and What It Requires
The GAID sets out a two-stage response framework.
Acknowledging Receipt
The first stage is acknowledgement: your organisation should confirm receipt of the SNAG within seven days. This is not the substantive response. It does not require you to have investigated the complaint or reached a decision. What it does is signal that the notice has been received and is being considered properly.
Silence in the first week is not a neutral position. It is the kind of inaction that regulatory tracking is designed to surface.
The Substantive Decision
The substantive response, meaning your actual decision on the complaint, is due within 30 days of receiving the SNAG. It must confirm that you investigated the complaint and state your decision clearly: whether you are upholding the request and what remedial action you are taking, or declining it and on what specific legal basis. The response must be communicated in writing to the sender and reported to the NDPC through the SNAG tracking platform.
If you require more time to investigate properly, communicate that before the window closes rather than allowing it to lapse without explanation. A brief, substantive update explaining the delay is a more defensible position than a missed deadline with no record of engagement.
A response that says “we take data privacy seriously and are reviewing your concern” is not a decision. The sender is entitled to a clear answer, and the NDPC, if it reviews the exchange, will look for one.
What to Do Internally When a SNAG Arrives
Most Nigerian businesses do not have a defined process for this. The following is the structure that should be in place before a SNAG arrives, not after.
Designate a Receiving Channel
Establish a dedicated contact point for privacy-related correspondence: a monitored email address is the most practical option. This address should be accessible to someone with the authority to act on behalf of the person who owns it, and it should be visible in your privacy policy and on your website.
Without a designated channel, a SNAG sent to a general customer service inbox can sit unread while the response window runs down.
Route It to the Right Person
On receipt, the SNAG should be escalated to your Data Protection Officer if your organisation has one, or to whoever is responsible for data compliance. Data Protection Officers under GAID explains when organisations are required to appoint a DPO and what that role must cover in practice.
The decision to investigate, respond, and report to the NDPC should not rest with a junior team member without compliance training or authority to act.
Log It Properly
Every SNAG your organisation receives should be recorded in a complaints log. The entry should capture: the date the notice was received, the nature of the complaint, the steps taken to investigate, the decision reached, the date and content of the response sent to the data subject, and the date of the report to the NDPC.
This record is what the Commission would want to see if a subsequent investigation is opened. It is the evidence of good-faith compliance that the Commission would weigh in any subsequent enforcement matter. The GAID compliance checklist covers the broader documentation standards your organisation should be maintaining across your data operations.
Investigate Before Responding
Do not dismiss a SNAG without reviewing the underlying complaint. Pull the relevant data: check your Record of Processing Activities for the processing in question, confirm your lawful basis, and review your consent records where applicable. Determine whether the sender’s rights have actually been engaged and whether your organisation’s conduct was compliant.
It is possible that a review will confirm that no violation occurred. It is equally possible that it will reveal a gap in your processes. Either way, the investigation is necessary before you can give an honest and defensible answer.
Report to the NDPC
Once your decision is reached and communicated to the sender, report it to the NDPC through the SNAG tracking platform. This step is a GAID obligation.
When You Cannot Uphold the Complaint
Not every SNAG will result in remedial action. There are legitimate grounds for declining certain data subject requests, and declining one does not constitute a compliance failure, provided the refusal is handled correctly.
An erasure request may be refused where your organisation is legally required to retain the data. CBN guidelines impose record-keeping obligations on financial institutions. NRS regulations require tax record retention for defined periods. NDPC sector guidelines set retention rules for health data. Deleting records in response to an erasure request, and thereby breaching one of these instruments, trades one compliance problem for another.
An access request may be declined where it is manifestly unfounded or excessive. A right to object to processing can be overridden where there are compelling legitimate grounds, though an objection to direct marketing is absolute and cannot be refused under any circumstances.
Data subject rights in Nigeria covers the conditions and limits that apply to each right in detail, including where the distinction between absolute and qualified rights matters most.
The standard for a defensible refusal is consistent: state the specific legal basis in writing, inform the sender that they retain the right to escalate to the NDPC, and document everything. A justified refusal communicated clearly and logged properly is a tenable position. A justified refusal communicated poorly, or not communicated at all, is a compliance failure regardless of the merits of the underlying position.
The Escalation Path If It Goes Further
A data subject who is unsatisfied with your response, or who chose to file with the NDPC without sending a SNAG at all, may bring a complaint to the Commission directly.
Under the GAID, the NDPC will conduct a preliminary evaluation of the complaint. If it concludes that a violation may have occurred, it opens a case file and serves a notice of investigation on your organisation. From that point, the respondent has 21 days to respond to the notice. The Commission may then convene a Pre-Action Conference to examine the facts and available evidence from both parties. Where the NDPC determines that a violation of the NDPA has occurred, it will direct remedial action and communicate its decision.
The NDPC’s enforcement toolkit extends beyond financial penalties. The NDPC overview covers the Commission’s full range of powers, which include mandatory deletion orders, public naming, and, for regulated entities, licence implications. For context on the penalty structure, the NDPA compliance guide for businesses covers the financial exposure in detail.
Your SNAG handling record becomes material evidence at every stage of this process. An organisation that investigated the original complaint promptly, communicated its decision clearly, and documented the full exchange is in a fundamentally stronger position than one that ignored the SNAG entirely.
If a data breach triggered the SNAG in question, responding to data breaches in Nigeria covers the parallel notification obligations your organisation must meet under the GAID.
Conclusion
The SNAG process gives Nigerian businesses a defined window to handle data complaints internally, before they become enforcement matters. That window is 30 days. The NDPC monitors whether organisations are using it responsibly. Whether your business has a process ready when a SNAG arrives is a question worth answering now, not when one lands in your inbox.





