From NDPR to GAID: Why Nigerian Companies Must Relearn Data Protection
When the Nigeria Data Protection Regulation (NDPR) launched in 2019, it was hailed as a bold first step toward securing the privacy rights of Nigerians in the digital age. Some businesses responded with privacy notices, compliance audits, and training sessions, and even appointed their first Data Protection Officers (DPOs). Just as businesses were beginning to find their rhythm, the bar was raised.
With the release of the NDPA General Application and Implementation Directive (GAID) by the Nigeria Data Protection Commission (NDPC) on March 20, 2025, in line with its powers under Section 6 of the Nigeria Data Protection Act, 2023, a new era of data protection has begun: one that builds on NDPR but also significantly rewrites it. GAID is not just a clarification; it’s the rulebook for how NDPA will be enforced with teeth. And if you’re still treating NDPR as your guide, your compliance strategy is already outdated.
Here’s what GAID changes, and what Nigerian companies must now do, not just to catch up, but to stay ahead.
New Definitions and Classifications
The GAID introduces more precise thresholds for classifying organizations as Ordinary High Level (OHL), Extra-High Level (EHL), or Ultra-High Level (UHL) data controllers or processors. These classifications are based on factors such as the number of data subjects whose data is processed and the sensitivity of the personal data in their care, among others. This change is significant because it directly affects each organization’s compliance obligations, particularly regarding audit requirements and filing fees. It also provides clearer expectations for what scale of accountability applies to different sizes of businesses.
Start-ups’ Compliance Deadlines
The GAID isn’t giving start-ups a free pass. It sets a firm compliance deadline: newly registered businesses must complete their first data protection audit within 15 months of incorporation. For context, even the CAC gives companies 18 months to file their first annual returns, yet start-ups are expected to figure out data protection even sooner.
For early-stage companies still focused on building products, hiring talent, or raising funding, this timeline is tight, and the NDPC isn’t showing much sympathy. The message is clear: being new or small doesn’t exempt you from accountability. From day one, data protection must be part of your foundation, not an afterthought.
Increased Filing Fees
If you thought compliance was expensive before, GAID just said, “Hold my pen.” Under the new regime, ultra-large data controllers are now expected to cough up as much as One Million Naira annually to file their Compliance Audit Report (CAR). That’s a massive leap from the NDPR days, where fees hovered between Ten Thousand and Twenty Thousand Naira.
Sure, it’s part of the NDPC’s effort to build a better-funded, more robust regulatory system, but let’s be honest: this new pricing tier chokes. If your organization processes data at scale, you can’t treat compliance like a side hustle anymore. It’s time to start budgeting for it as a core operational expense, because that’s exactly what it is.
So, if your DPCO’s invoice suddenly looks a little fatter, don’t panic (and definitely don’t blame them). They’re just trying to keep up with the new reality GAID has created.
Privacy Policy
Under the NDPR, many businesses treated data protection like a checkbox exercise: copy a few policy templates, file the annual audit, and move on. But GAID has flipped the script. This is no longer a theoretical game. GAID is saying: “Don’t just tell us you protect data, prove it!”
Having a privacy policy on paper isn’t enough anymore. Under GAID, your policy needs to be alive: reviewed regularly, easily accessible to your team, and, most importantly, embedded in practice. Your staff should be trained on it and able to demonstrate that they understand and follow it.
The SNAG Form: Power to the People
Perhaps one of the most empowering features of GAID is the introduction of the Standard Notice to Address Grievance (SNAG) form. Think of it as a digital megaphone for data subjects: now, anyone can formally lodge a complaint directly with your organization, no waiting for the regulator. It sounds fair and it is, but if your company doesn’t already have a solid system for handling data subject requests, brace yourself. The SNAG form isn’t just a polite email; it’s a regulatory-grade grenade. If your inbox starts filling up and your team’s not ready, compliance risk can escalate fast.
GAID just made it easier for people to speak up and made it riskier for companies to ignore them.
Annual Credential Assessment for DPOs
GAID isn’t here for paper tigers. Data Protection Officers (DPOs) must now undergo an annual credential assessment to prove they know what they’re doing, not just wear the title.
It’s a bold move that professionalizes the role, shifting it from checkbox compliance to real accountability. No more appointing “the IT guy” or “whoever’s free” as DPO. GAID wants qualified professionals who stay sharp, stay trained, and stay ready to handle evolving data protection challenges. If you’re a DPO, it’s time to start treating your position like the specialized role it truly is.
Stricter Cookie Rules
If your website’s cookie banner is hiding in some dark corner like it’s ashamed of itself, GAID says: bring it front and centre. Literally.
Under the new rules, cookie banners must now be boldly displayed in the centre, left, or right of your homepage. No more tiny icons in the footer or “sneaky peekaboo” banners that users can barely spot.
Even more importantly, users must be able to reject non-essential cookies just as easily as they can accept them. That means no more dark patterns or “Accept All” buttons with tiny “Manage Preferences” links. It’s time to redesign your consent flows and get serious about meaningful user choice. GAID is making it clear: transparency isn’t optional, and neither is user control.
Conclusion: Time to Rethink, Reskill, and Reinforce
The message from GAID is loud and clear: organizations can no longer afford to approach data protection casually. This is not about ticking boxes or downloading free policy templates anymore. It’s about building real systems, hiring capable professionals, documenting actual practices, not just intentions, and proving, every step of the way, that your organization respects the rights of data subjects.
We are a licensed Data Protection Compliance Organisation (DPCO) in Nigeria, with deep expertise in helping businesses navigate data protection compliance. Whether you need a full compliance overhaul, staff training, compliance documentation, or just someone to walk you through the new GAID requirements, we’re here to help you move from reactive to ready.
Please contact us at tcs@prioclen.cc if you have any questions or would like to explore how we can support your compliance journey.