In a time where almost everything we do; shopping, banking, and socialising are online, protecting personal information has become more important than ever. That’s why Nigeria’s latest move to strengthen data protection laws matters to everyone, from tech startups, and banks to the everyday Instagram user.
In March 2025, the Nigeria Data Protection Commission (NDPC) released a brand-new directive called the General Application and Implementation Directive (GAID) 2025. It’s an instruction manual for how to properly follow the Nigeria Data Protection Act (NDPA) 2023, which was signed into law last year.
But what does all of this mean in plain terms?
A Quick Recap. What is the NDPA?
The Nigeria Data Protection Act (NDPA) 2023 is Nigeria’s first real step toward a comprehensive legal framework for data privacy. It lays out how companies and government agencies should collect, use, and store your personal data. Think names, emails, photos, medical records, even your voice or image online.
Now, GAID 2025 has been introduced to break it all down and help businesses and institutions understand their responsibilities and what could happen if they fail to protect people’s data.
What’s new in the 2025 directive?
Real Clarity on Data Rights; The new directive spells out your rights as a data subject. That includes the right to know what data is being collected about you, to ask for it to be corrected or deleted, and to say “no” to how your data is being used—especially for marketing.
Stronger Rules for Organisations; Companies that handle a lot of sensitive information—especially in sectors like finance, telecoms, or healthcare—must now register as Data Controllers or Processors of Major Importance. They’ll also have to file yearly audits showing how they’re protecting user data.
International Data Transfers; If your data is going outside Nigeria (like to a foreign cloud server), the receiving country must have data protection standards equal to or better than ours. Otherwise, the transfer may be blocked.
No More Ignoring Complaints; There’s a new system called SNAG (Standard Notice to Address Grievance) that requires companies to respond directly to user complaints before they’re escalated to the NDPC. This gives consumers more power to hold organisations accountable.
Addressing Modern Tech; The directive also touches on how new tech like AI, facial recognition, and digital tracking should be developed with privacy “built in”—not as an afterthought.
What this means for business
This isn’t just about big tech companies. Even small businesses, content creators, schools, and online vendors need to pay attention. If you’re collecting emails for a newsletter, running a customer database, or processing payments online, you’re expected to comply with these rules. Non-compliance could lead to serious fines or sanctions.
With data breaches and privacy violations becoming more common, this new directive is a necessary upgrade. It sends a clear message: Nigerians have a right to digital privacy, and institutions must take that seriously.
As we become increasingly dependent on digital tools, knowing your rights—and your responsibilities—is no longer optional. GAID 2025 is a sign that Nigeria is aligning itself with global standards, like Europe’s GDPR, and is finally putting data privacy front and centre.
For lawyers, tech founders, digital entrepreneurs, and the everyday Nigerian, this is a conversation worth following.
