Nigeria: Data Protection Commission adopted General Application and Implementation Directive (NDPC/NDP ACT-GAID/01/2025) including cybersecurity regulation

On 20 March 2025, the Nigeria Data Protection Commission (NDPC) adopted the Nigeria Data Protection Act (NDP Act) 2023 General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025). Article 28 and Schedule 4 require Data Privacy Impact Assessments (DPIAs) for high-risk processing, evaluating necessity, proportionality, and mitigation measures to safeguard data subjects. The Directive requires controllers to report breaches to the NDPC within 72 hours and notify affected data subjects if risks are high.