Nigeria has some of the most comprehensive Data Protection Laws in Africa.

The Federal Republic of Nigeria not only has a constitutional right to privacy, it now also has enforceable guidelines that are designed to protect that right in our digital age.

Nigeria’s 2023 Data Protection Act (NDPA) marked the country’s entry into the global data-protection arena. For the first time, Nigerians had legislative clarity on how their personal data could be processed, what lawful consent meant, and who qualifies as a “data subject” under Nigerian law.

Still, while the NDPA introduced strong principles, there was a lack of specific compliance actions that businesses could follow. So, to remedy this, on 19 September, 2025 (just a few months ago lol), the Nigerian government released the General Application and Implementation Directive (GAID): laws with specific requirements and compliance steps for major data collectors in Nigeria.

  1. Broad Territorial Scope 

Any entity, anywhere in the world, is bound by the NDPA if it processes the data of anyone located in Nigeria (not just Nigerian citizens), or if it processes data that holds value for Nigeria’s economy, society, or security.

Why it matters

This establishes Nigeria as a center of data sovereignty, i.e., Nigeria owns and claims jurisdiction over all data originating from the country. As a result, Nigerians can hold foreign organizations accountable right here, in Nigeria.

  2. Focus on Regulating Emerging Technologies like Artificial Intelligence

Article 43 and Article 44 of the Act focus on emerging technologies. Organizations must meet specific technical and organizational requirements before processing Nigerians’ data. Compliance is assessed through a Data Privacy Impact Assessment (DPIA), overseen by a certified Data Protection Officer (DPO) within each organization.

Note: The DPO is the individual in the organization who will run the DPIA assessment test, ensuring the organization complies with Nigeria’s Data Protection Act. The DPO must also be certified (annually) by the Nigerian Data Protection Commission.

Why it matters

AI’s “black box problem” means users often cannot understand how an algorithm arrived at a decision. This problem typically shields companies from liability when the AI causes harm to individuals or communities. 

However, under requirements like the DPIA, organizations must proactively test for risks before deployment. 

One notable requirement is the Data Subjects’ Vulnerability Indexes (DSVI), which quantifies the susceptibility of certain data subjects, a group, class or individual, to certain unfair risk factors in data processing. Such tests shift accountability away from “the algorithm did it” and back onto the companies deploying AI.

  3. Establishing the Nigeria Data Protection Commission (NDPC)

The NDPA created the NDPC as Nigeria’s dedicated regulator for privacy and data protection with the powers to investigate, issue directives, enforce the law, issue sanctions, etc.

Why it matters

This creates a mature data protection ecosystem for Nigeria. Citizens now have a clear institution for grievances, and the private sector has a single point of contact for compliance. All in all, it promotes trust, which is critical for any developing economy.

  4. Consent Really Matters

The NDPA requires explicit, informed consent before any personal data is processed. This also means there must be options to accept or to decline data processing. This ranges from things like consent to cookies to consent to be included in automated decision-making systems.

Why it matters:

Consent is not buried in legal jargon. It must be voluntary, unambiguous, and directly requested. For example, if a Nigerian bank uses AI to approve loans, it must first obtain explicit consent to process a person’s data using automated decision-making.

  5. Data Controllers of Major Importance

This is possibly the most unique aspect of Nigeria’s Data Protection Act.

Because Nigeria’s digital economy is rapidly growing, from fintechs to e-commerce to health tech, the NDPA uses a tiered system that classifies data controllers/processors as:

  • Ultra High Level
  • Extra High Level
  • Ordinary High Level

This classification depends on how many data subjects they process within six months. Entities in these categories are subjected to stricter obligations, including registration, annual audits, DPO appointment, and DPIAs.

Why it matters:

I feel like this approach prevents over-regulation. Nigeria is not enforcing the NDPA on every single data collector or data processor but focusing on those who meet a certain threshold. Essentially, this means smaller startups will not be suffocated by the same requirements placed on large-scale data processors. It supports innovation while still protecting citizens. Which, in my opinion, is the right track for a developing economy like Nigeria’s.

Now, if you leave this post with anything, let it be this: Nigeria is not just a newcomer in the global digital-regulation space, IT IS A SERIOUS CONTENDER!

Though the NDPA and GAID are recent, they are comprehensive. And in certain areas like consent, care and ethical considerations, in my opinion, they are even more comprehensive and protective than celebrated regulations like Europe’s General Data Protection Regulation.

That said, Nigeria’s biggest challenge has never been drafting strong laws; it has been implementing them. The real test will be whether the NDPC is empowered, funded, and independent enough to enforce these rules consistently.

Still, for the first time, Nigeria has both the legal framework and the institutional machinery to fully protect our privacy. That alone is worth celebrating.
