Digital Policy Alert logo

Nigeria: Data Protection Commission's General Application and Implementation Directive including registration as a data controller or data processor of major importance requirement (NDPC/NDP ACT-GAID/01/2025) enters into force

Policy overview

Description

Data Protection Commission's General Application and Implementation Directive including registration as a data controller or data processor of major importance requirement (NDPC/NDP ACT-GAID/01/2025) enters into force

On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Implementation Directive (GAID) 2025 (NDPC/NDP ACT-GAID/01/2025) under the Nigeria Data Protection Act (NDP Act) 2023 enters into force, mandating registration for data controllers and processors of major importance. Articles 8–9 and Schedule 7 classify entities into Ultra-High, Extra-High, and Ordinary-High levels, requiring annual registration and compliance audit returns (CAR) filings with prescribed fees.

Original source

Scope

Policy Area
Authorisation, registration and licensing
Policy Instrument
Business registration requirement
Regulated Economic Activity
infrastructure provider: internet and telecom services, infrastructure provider: cloud computing, storage and databases, infrastructure provider: network hardware and equipment, infrastructure provider: other
Implementation Level
national
Government Branch
executive
Government Body
data protection authority

Complete timeline of this policy change

Hide details
2025-03-20
adopted

On 20 March 2025, the Nigeria Data Protection Commission (NDPC) adopted the Nigeria Data Protection…

2025-09-19
in force

On 19 September 2025, the Nigeria Data Protection Commission’s (NDPC) General Application and Imple…