The Nigerian Data Protection Commission (NDPC) recently issued the NDPA – GAID, which introduced significant changes to the country’s data protection framework. The GAID clarifies, and makes provision for the implementation of, the Nigeria Data Protection Act (the Act).
Here’s a breakdown of the key changes and their impact on data controllers, processors, and data subjects in Nigeria.
- Repeal of the Nigeria Data Protection Regulation 2019
The GAID officially repeals the NDPR 2019 and its 2020 Implementation Framework, replacing them as one of Nigeria’s legal instruments for data protection. However, any actions taken under the NDPR prior to the issuance of the GAID remain valid and enforceable.
- New Registration and Audit Requirements for Data Controllers and Processors
Under the GAID, organisations categorised as Data Controllers or Processors of Major Importance (DCPMI) must adhere to new registration and compliance audit obligations:
– Ultra High Level (UHL) and Extra High Level (EHL) entities only need to register with the NDPC once but must submit a Compliance Audit Report (CAR) annually.
– Ordinary High Level (OHL) entities must renew their registration annually but are exempt from filing a CAR.
- Expanded Definition of DCPMI
The GAID clarifies the definition of DCPMI under the NDPA by providing that organisations do not need to be physically located in Nigeria to qualify as DCPMI. If a data controller or processor targets Nigerian data subjects, they may still fall under this category, reinforcing the extraterritorial reach of the NDPA.
- Data Protection Impact Assessment (DPIA) Requirements
The GAID outlines mandatory scenarios where organisations must conduct a Data Protection Impact Assessment (DPIA). These include:
– Evaluation or scoring (profiling);
– Automated decision-making with legal or similar significant effects;
– Systematic monitoring;
– When sensitive or highly personal data is involved;
– When personal data processing relates to vulnerable data subjects;
– When considering the deployment of innovative processes or applications, of new technological or organisational solutions which may pose a significant risk to the privacy of data subjects;
– Development of software for the purposes of enabling communication with data subjects;
– Financial services involving the processing of personal data through digital devices;
– Health care services;
– E-Commerce services;
– Deployment of surveillance cameras in places that may be accessed by members of the public;
– Development and implementation of any legal instrument or policy which requires the processing of personal data of members of the general public;
– Educational services involving processing of various records relating to students or pupils;
– Hospitality services; and
– Cross-border data transfer.
- Special Protections for Vulnerable Data Subjects
The directive introduces a new regime of protection for vulnerable data subjects, including individuals who are:
– Young or elderly
– Facing financial difficulties
– Differently abled
– Lacking education or digital literacy
– Unable to exercise free will
– Without access to data security support services
- Introduction of Legitimate Interest Assessment (LIA)
The GAID 2025 also introduces a Legitimate Interest Assessment (LIA) framework, allowing data controllers and processors to evaluate whether legitimate interest can serve as a lawful basis for data processing.
- Update on Storage Limitation
According to the GAID, if there is no time-bound obligation for data storage, personal data must be deleted within six months after fulfilling its original purpose. However, a data controller may retain the data with proper security measures if needed for legal defense or due diligence, in line with data protection principles.
- New Audit Fees
According to the GAID, the new fees for Ultra-High Level DCPMI are NGN1,000,000 (50,000+ data subjects), NGN750,000 (25,000–49,999), and NGN500,000 (below 25,000).
For DCPMI Extra-High Level, the fees are NGN250,000 (10,000+ data subjects), NGN200,000 (5,000–9,999), and NGN100,000 (below 2,500).
This is a significant increase from the previous audit report filing fees of NGN10,000 for under 2,000 data subjects and NGN20,000 for 2,000 data subjects and above.
- Expanded Obligations of Data Protection Officers (DPO)
Among others, the GAID mandates the DPO to compile and submit a semi-annual data protection report to an authorized officer of the data controller or processor responsible for receiving the Record of Processing Activities (RoPA), with the report forming part of the RoPA.
Additionally, the Commission will conduct an Annual Credential Assessment (ACA) of the DPO, which may be verified upon payment of the applicable fees.
These updates mark a significant shift in Nigeria’s data protection landscape, reinforcing compliance expectations for organisations handling personal data. For more insights and updates on data protection regulations, kindly subscribe to Olaniwun Ajayi's mailing list or contact tif@olaniwunajayi.net.
--
Read the original publication at Olaniwun Ajayi