Key Highlights of the Nigeria Data Protection Act-General Application and Implementation Directive 2025

On March 20, 2025, the Nigeria Data Protection Commission (the “NDPC”) took a significant step toward deepening regulatory clarity and enforcement with the issuance of the Nigeria Data Protection Act General Application and Implementation Directive, 2025 (the “NDP ACT, GAID 2025/ Directive”).’ Released pursuant to its powers under the Nigeria Data Protection Act, 2023 (the “NDP Act”), the Directive sets the tone for how data controllers and processors must align their operations with the NDP Act. 2
This article explores key provisions of the GAID 2025 and unpacks what they mean for or-ganisations navigating Nigeria’s evolving data protection regime.

1. Clarifying the Legal Hierarchy and Transition from NDPR
   Notably, the issuance of the NDP ACT GAID 2025 officially repeals the NDPR 2019 as a binding legal instrument for data privacy and protection in Nigeria. While this marks a significant regulatory shift, it is important to note that acts performed under the NDPR prior to the release of the NDP ACT GAID 2025 remain valid and unaffected.
   Furthermore, for the sake of clarity, and harmonisation of the data protection laws in Nige-ria, in the event of a conflict between the NDP Act and the NDP GAID 2025, the NDP Act shall take precedence.