Nigeria has taken a major step toward strengthening data protection with the release of the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID), 2025. The directive, unveiled by the Nigeria Data Protection Commission (NDPC) in Abuja, aims to ensure compliance across industries and position the country as a leader in data governance within Africa.
Speaking at a press conference, NDPC National Commissioner and CEO, Vincent Olatunji, emphasized that the directive reinforces Nigeria’s commitment to safeguarding citizens’ personal information in the digital era. The NDP Act, signed into law by President Bola Ahmed Tinubu in June 2023, aligns with Section 37 of Nigeria’s Constitution, which guarantees citizens’ privacy rights.
The commission engaged stakeholders, including corporate bodies, civil society groups, and international institutions, to shape the directive. A committee of technical experts was formed in September 2023 to draft the framework, incorporating feedback from validation workshops held in Lagos and Abuja.
The NDP Act-GAID outlines key areas of data governance, including lawful data processing, data subject rights, ethical considerations for emerging technologies, cross-border data transfers, compliance audits, and a standardized grievance redress mechanism. Notably, it introduces the Standard Notice to Address Grievance (SNAG), empowering individuals to demand action from data controllers without first contacting the commission.
With the directive set for full implementation in September 2025, and related fee provisions commencing in January 2026, Olatunji affirmed that no organization can claim ignorance of its obligations under the law. The NDPC plans to issue guidance notices, conduct training, and collect stakeholder feedback for future regulatory updates.
