NDPA + GAID compliance for businesses handling Nigerian data.
Section 24 controls, DPIA discipline, and audit-ready records.
We help businesses handling Nigerian personal data — Nigerian, European, and US firms with in-country operations — get from policy ambiguity to defensible records of processing, executed DPIAs, and a breach pipeline that meets the NDPC's notification window. The deliverables are a Section 24 control map, an Article 30-style register of processing, and a 72-hour incident playbook.
The NDPA has teeth. GAID 2025 sharpened them.
The Nigeria Data Protection Act 2023 (NDPA) consolidated and elevated what had been the NDPR's regulatory regime into primary legislation, with the Nigeria Data Protection Commission (NDPC) as the supervisory authority. Section 24 imposes the security-of-processing standard — appropriate technical and organisational measures, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. Section 40 introduces the seventy-two-hour breach notification clock. Sections 41 and 42 govern cross-border transfers, with an adequacy test the NDPC has begun applying in practice.
The General Application and Implementation Directive (GAID) 2025 took effect this year and added the operational specifics — Data Protection Impact Assessment templates, registration thresholds for data controllers and processors of major importance, audit cadence, and the precise breach notification form. GAID is where the implementation work bites. Organisations that had a comfortable NDPR posture suddenly need DPIA discipline, executed processor agreements, and a records-of-processing artefact that survives a regulatory inspection.
The pattern we recommend treats NDPA and GAID as one regime, mapped to Section 24 as the spine and Section 40 as the operational pressure point. The work is records, registers, executed agreements, and an incident pipeline. The legal framework is settled. The execution is where most organisations are exposed.
From principle to enforceable record.
01. Processing inventory and lawful basis mapping.
We catalogue every processing activity against the six lawful bases in Section 25 — consent, contract, legal obligation, vital interest, public task, legitimate interest. The inventory feeds the records of processing under Section 28 and surfaces the activities that need consent re-papering or basis migration.
02. Section 24 control map.
The security-of-processing standard is technology-neutral but evidence-hungry. We map controls — encryption at rest and in transit, access management, logging, vulnerability handling, secure development — to the Section 24 text. Where you have ISO 27001 or SOC 2 evidence, we file it. Where you do not, the gap goes on the register.
03. DPIA discipline and high-risk processing.
GAID 2025 codified the DPIA template and the triggers for mandatory assessment. We build the DPIA register, execute assessments for current high-risk processing, and embed the trigger logic in product and procurement workflows so new processing activities do not slip past the gate.
04. Cross-border transfer architecture.
Sections 41 and 42 govern transfers outside Nigeria. We document the receiving jurisdictions, apply the adequacy test, structure standard contractual clauses where adequacy is absent, and surface concentration risk in your subprocessor chain. EU and US firms operating in Nigeria need this layered with their home-jurisdiction obligations.
05. Breach notification pipeline.
Section 40 compels notification of personal data breaches to the NDPC within seventy-two hours of becoming aware of them, and to affected data subjects without undue delay where the breach is likely to result in high risk. We instrument detection, define the triage criteria, draft the templated submission, and rehearse the clock with the leadership team.
The clauses that drive the work.
NDPA structure reads cleanly. Part III defines the principles and lawful bases (Sections 24 through 27). Part IV governs the rights of data subjects (Sections 34 through 39). Part V handles breach notification, transfer, and processor obligations (Sections 40 through 44). The NDPC's enforcement powers, audit, and sanctioning framework live in Parts I and II.
GAID 2025 layered the operational substrate onto this. The directive specifies registration thresholds for Data Controllers and Processors of Major Importance (DCPMI), required audit cadence, the DPIA template and triggering criteria, the breach notification form, and the conditions under which the NDPC may conduct compliance audits and impose remedial orders. For most organisations the DCPMI registration question — am I above threshold? — is the first material compliance gate.
- Section 24 — security of processing, technical and organisational measures
- Section 25 — six lawful bases for processing personal data
- Section 28 — records of processing activities
- Section 40 — breach notification: NDPC within 72 hours of awareness, data subjects without undue delay where high risk is likely
- Sections 41–42 — cross-border transfer, adequacy, contractual safeguards
- GAID 2025 — DPIA template, DCPMI thresholds, audit cadence
The end state we drive toward.
A records-of-processing register the NDPC can audit, executed DPIAs against high-risk processing, cross-border transfer architecture with documented adequacy, a 72-hour breach pipeline that hits the clock, and a Data Protection Officer with the standing and access to do the job.
- 100%: processing activities recorded
- <72h: breach notification window
- 100%: high-risk processing covered by a DPIA
- Quarterly: internal audit cadence
Illustrative, drawn from published architectures and forthcoming engagements. Specific obligations are conditioned on DCPMI status, sectoral overlay, and cross-border transfer footprint.
Scoped NDPA + GAID readiness assessment.
Send us your DCPMI status (or the question of whether you have it), the processing activities you suspect are high-risk, and the cross-border transfer footprint. We come back with a fixed-scope assessment proposal and a sample records-of-processing register inside ten working days.