The Nigeria Data Protection Commission (NDPC) has issued a directive to enforce the Nigeria Data Protection Act (NDP Act), ensuring organisations are held accountable for handling personal data.
The NDP Act – General Application and Implementation Directive (NDP Act-GAID) 2025, is a comprehensive framework designed to execute data privacy laws and protect citizens’ personal information.
Speaking at a press conference in Abuja, NDPC’s National Commissioner and CEO, Dr Vincent Olatunji, said there’s no room for ambiguity. “No organisation can feign ignorance of its obligations under the law.” With this directive, companies must now embed data protection into their operations or face serious consequences.
The directive is the result of over a year of extensive work. After President Bola Ahmed Tinubu signed the Nigeria Data Protection Bill into law on 12 June 2023, NDPC moved swiftly to create a framework that ensures compliance across all sectors.
A National Committee of legal and technical experts was established in September 2023 to draft the directive, with broad consultations held across Lagos and Abuja.
The final document outlines clear regulations in 14 key areas, covering lawful data processing; privacy rights; cross-border data transfers; AI ethics; data protection officer training and certification; and standardised grievance redress mechanisms.
One of the most noteworthy changes is the introduction of the Standard Notice to Address Grievance (SNAG), which allows individuals to challenge privacy breaches directly with data controllers before escalating complaints to NDPC.
Dr Olatunji stressed the importance of this, stating, “We have fully democratised privacy breach remediation process for data subjects.” He further explained that with the automated SNAG system, “Over 230 million Nigerians are now our immediate and direct partners in ensuring adequacy of data protection in Nigeria.”
Organisations have six months to comply, with full enforcement beginning in September 2025. Financial penalties and compliance fees will take effect from January 2026. NDPC has made it clear that failure to comply will not be tolerated.
Dr Olatunji reinforced the importance of accountability, saying, “The need to hold data controllers and data processors accountable for their acts and omissions which affect the rights of others cannot be gainsaid.” This directive forces businesses to adopt privacy-by-design principles, making data security an integral part of their operations rather than an afterthought.
To help organisations meet these requirements, NDPC will provide guidance notices, training sessions, and advisory updates. The Commission also intends to gather ongoing feedback to refine the directive where necessary.
Dr Olatunji appreciated the Federal Government, particularly President Tinubu and the Minister of Communications, Innovation, and Digital Economy, Dr Bosun Tijani, for their support. However, he made it clear that the real work lies ahead: “Going forward, we shall be providing guidance notices and advisories to illustrate the requirements of the law towards deepening the culture of data privacy and protection.”
