NDP Act GAID Simplified: From Confusion to Compliance

AdelekeMuiz1 13 views 65 slides Oct 18, 2025

About This Presentation

With the NDP Act GAID (Nigeria Data Protection Act General Application and Implementation Directive) now in effect, clarity on data protection has never been more crucial. This book demystifies the GAID and makes it accessible to everyone; from industry-leading organisations to small businesses and ...


Slide Content

TABLE OF CONTENTS
DISCLAIMER .......................................................................................................................................... 4
INTRODUCTION ..................................................................................................................................... 5
DEFINITIONS OF KEY TERMS ............................................................................................................. 6
Article 6: Data Processing by Individuals for Household or Personal Purposes .................................... 8
Article 7: General NDP Act Compliance Measures by Data Controllers and Data Processors .............. 9
Article 8: Designation of Data Controllers and Data Processors of Major Importance ......................... 11
Article 9: Registration as a Data Controller or Data Processor of Major Importance ........................... 12
Article 10: Filing of NDP Act Compliance Audit Returns with the Commission .................................... 13
Article 11: Designation of a Data Protection Officer ............................................................................. 16
Article 12: Position of the Data Protection Officer ................................................................................. 16
Article 13: Submission of Internal Semi-Annual Data Protection Report by a Data Protection Officer 17
Article 14: Credential Assessment of a Data Protection Officer ........................................................... 18
Article 15: Principles of Personal Data Protection ................................................................................ 20
Article 16: Lawful Bases of Data Processing ........................................................................................ 21
Article 17: Reliance on Consent ............................................................................................................ 22
Article 18: Data Processing Which Requires Consent .......................................................................... 24
Article 19: Consent to Cookies and Other Tracking Tools .................................................................... 25
Article 20: Lawfulness of Purpose, Reliance on Consent, and Other Lawful Bases ............................ 26
Article 21: Reliance on Contract ........................................................................................................... 27
Article 22: Reliance on Legal Obligation ............................................................................................... 28
Article 23: Evaluation of Lawful Bases of Data Processing .................................................................. 29
Article 24: Reliance on Vital Interest ..................................................................................................... 31
Article 25: Reliance on Public Interest .................................................................................................. 32
Article 26: Reliance on Legitimate Interest ........................................................................................... 34
Article 27: Consideration Regarding Information to Data Subjects ....................................................... 36
Article 28: Data Privacy Impact Assessment ........................................................................................ 37
Article 29: Monitoring, Evaluation and Maintenance of Data Security System ..................................... 39
Article 30: Schedule for Internal Sensitisation and Training on Privacy ............................................... 40
Article 31: Deployment of a Data Processing Software by a Data Controller or Data Processor ......... 43
Article 32: Measures Against Privacy Breach Abetment ...................................................................... 44
Article 33: Data Breach Notification ...................................................................................................... 45
Article 34: Data Processing Agreement ................................................................................................ 46
Article 35: Benchmarking with Interoperable Data Privacy Measures .................................................. 47
Article 36: Exercise of Right to Rectification ......................................................................................... 49
Article 37: Exercise of Right to Data Portability .................................................................................... 50
Article 38: Exercise of Right to be Forgotten ........................................................................................ 50
Article 39: Exercise of Right to Lodge a Complaint with the Commission ............................................ 52
Article 40: Data Subject’s Standard Notice to Address Grievance ....................................................... 54

Article 41: Data Ethics, Privacy and Dignity of the Human Person....................................................... 55
Article 42: Application of Global Best Practice on Data Ethics ............................................................. 56
Article 43: Emerging Technologies ....................................................................................................... 57
Article 44: Parameters for Assessing Privacy and Public Interest in Emerging Technologies ............. 59
Article 45: Cross-Border Data Transfer ................................................................................................. 60
Article 46: Capacity Building in Data Protection and Continuous Professional Development Credits . 61
Article 47: Jurisdiction of Court and Access to Justice ......................................................................... 61
Article 48: Evidence of Compliance with the NDP Act .......................................................................... 62
Article 49: Consideration of Time-Bound and Non-Time-Bound Obligations ....................................... 63
REFERENCES ...................................................................................................................................... 64
APPENDIX ............................................................................................................................................ 64
ABOUT THE AUTHOR ......................................................................................................................... 65

DISCLAIMER
Please note that this guide is not an official interpretation or guide by the Nigeria Data
Protection Commission (NDPC). It is a simplified version of the NDPC's Nigeria Data
Protection Act General Application and Implementation Directive (NDP Act GAID), developed
based on research and consultations with subject matter experts. This guide is for
informational purposes only and should not be considered legal advice.

INTRODUCTION
In a world driven by data, your personal information is valuable. From your name on a social
media profile to your phone number on a customer list, protecting that data is more important
than ever. This simple guide breaks down the Nigeria Data Protection Act General Application
and Implementation Directive (NDP Act GAID) into plain, easy-to-understand language. It’s
designed for everyone, from big conglomerates and small business owners to everyday
citizens, to help you navigate the new rules and understand your rights and responsibilities.

DEFINITIONS OF KEY TERMS

Terms and definitions

NDP Act: The Nigeria Data Protection Act (NDP Act) is the legal framework that regulates the
processing of personal data in Nigeria.

NDP Act GAID: The NDP Act GAID (Nigeria Data Protection Act General Application and
Implementation Directive) is a directive issued by the Nigeria Data Protection Commission
(NDPC) to provide practical guidance for implementing Nigeria's 2023 Data Protection Act
(NDP Act). See it as a manual for the NDP Act.

NDPC: The Nigeria Data Protection Commission (NDPC) is the body that regulates data privacy
in Nigeria. It does this by establishing laws and frameworks such as the NDP Act and the NDP
Act GAID.

Personal Data: Any information that can be used to identify a person, directly or indirectly.
This includes obvious things like your name, address, and phone number, as well as digital
information like your email, location, cookies, and online identifiers.

Sensitive Personal Data: A special category of personal data that requires a higher level of
protection because it could be used to discriminate against someone. Examples include health
information, biometric data, religious beliefs, political views, and sexual orientation.

Processing: Any action performed on personal data. This is a very broad term that covers
everything from collecting it and storing it to using, sharing, or deleting it.

Lawful Basis: The legal reason or justification you must have for processing someone's
personal data. The NDP Act provides six (6) possible lawful bases: consent, contract, legal
obligation, vital interest, public interest, and legitimate interest.

Data Subject: The individual whose personal data is being processed.

Data Controller: The person or company that decides why and how personal data is processed.
Most companies are data controllers.

Data Processor: A company that processes personal data on behalf of a data controller,
following their instructions. For example, a marketing agency or a cloud storage service
provider.

Data Protection Officer (DPO): An expert, either an internal employee or an external
consultant, who oversees an organisation's data protection strategy and helps ensure
compliance with the NDP Act.

Data Processing Agreement (DPA): A written contract between a data controller and a data
processor that sets out the rules for how personal data will be handled.

Compliance Audit Returns (CAR): An annual report that "major" organisations must file with
the NDPC, detailing their data processing activities and security measures.

Data Privacy Impact Assessment (DPIA): A process used to identify and minimise the data
protection risks of a new project or technology, especially those that are considered
high-risk.

Emerging Technologies (ETs): New and innovative technologies like Artificial Intelligence
(AI), Internet of Things (IoT), and Blockchain that process personal data. These have
special compliance rules.

Data Subjects’ Vulnerability Index (DSVI): An assessment tool used within a DPIA to identify
specific risks to vulnerable groups, such as children, the elderly, or people with
disabilities.

Standard Notice to Address Grievance (SNAG): An optional, standardised template that
individuals can use to formally complain to a company about a data privacy violation before
or during a complaint to the NDPC.

Article 6: Data Processing by Individuals for Household or Personal
Purposes
Your brother's data is still your brother's data.
This article means you have a duty to be careful with other people's personal information,
even when you handle it in your own private life (for example, on your phone or computer).
Even if it's your brother's personal data, if you don't respect his privacy, you could still face
consequences.
What counts as risky or careless behaviour?
a) Letting apps access your phone contacts without understanding why they need
that information. For example, when you install a new chat app and give it
permission to copy all your contacts without your friends' permission.
b) Sharing someone's personal details (like their phone number or picture) with others
verbally, in writing, or on social media without their permission. For example,
posting your friend’s phone number in a WhatsApp group without asking them first.
c) Not properly securing your devices (like your phone, laptop, or hard drive) that
contain other people's information. For example, leaving an unlocked laptop with
sensitive documents, like family photos, in a public space.

Remember: Even in your personal life, being careful with other people's data is your
responsibility.

Article 7: General NDP Act Compliance Measures by Data
Controllers and Data Processors
Your to-do list for data privacy
This article lists the key things you must do to properly manage people's personal information.
It’s a summary of the compliance measures you need to follow.
1) Register with the NDPC.
2) Do compliance audits: You must conduct your first audit within 15 months of starting
your business, and then once every year.
3) Submit audit results: Send your audit report to the NDPC not later than March 31st
each year.
4) Appoint a Data Protection Officer (DPO): You must have a person or team
responsible for overseeing data protection.
5) Know your duties: Identify everything the NDP Act requires you to do (e.g., getting
permission, protecting data, respecting user rights).
6) Create a schedule for how and when you will meet these duties. You can use
documents like a data protection policy and a plan to train your staff.
7) Document reports every six (6) months on how you have been handling personal data
and present to senior management.
8) Protect data security: Have a plan to keep personal data safe and private. This
includes protecting it from theft, damage, or being accessed by people who shouldn’t
have it.
9) Train your staff
a) Initial training: Teach your employees about data privacy within six (6) months
of starting your business.
b) Yearly training: Refresh their knowledge at least once a year.
c) Create awareness: Run internal campaigns to make sure everyone in your
business understands and values privacy.
10) Be transparent with policies:
a) Update your privacy policy to meet the standards of the NDP Act.
b) Publish it on your website or app so your data subjects can easily find it and
understand their rights.
c) Use clear cookie notices: Don't hide cookie information. Your website should
clearly ask users to accept or reject cookies.
11) Strategise internally: Develop a privacy plan or checklist for your staff, vendors, and
partners. This makes it clear what's expected of them.

12) Conduct risk checks: Do a Data Privacy Impact Assessment (DPIA) whenever you
need to. A DPIA is like a security check you do before processing personal data in a
certain way. You use it to identify and fix privacy risks early. See Article 28 for more
information.
13) Handle data breaches:
a) Report serious breaches to the NDPC within 72 hours.
b) Tell affected people right away if their personal information is at high risk.
14) Manage third parties: Update contracts with vendors and partners (like your cloud
storage provider or marketing firm) to make sure they also follow the NDP Act.
15) Respect user rights: Make it easy for people to exercise their rights, such as:
i. Accessing their data to see what information you have about them.
ii. Correcting or updating their personal information.
iii. Transferring their data to another company or person, etc.

Article 8: Designation of Data Controllers and Data Processors of
Major Importance
Bigger fish, bigger rules
Some businesses handle a lot of people's information or deal with it in risky ways. The NDPC
labels these businesses as "data controllers or processors of major importance". If you are
one of these businesses, you must follow stricter rules.
1) Who counts as "major"?
You could be classified as "major" if:
a) You operate in Nigeria or target Nigerians online, even if you are based outside
the country.
b) You handle the personal information of many Nigerians. The NDPC sets the
exact number. A recent guide specifies that this is over 200 data subjects in six
months, though this number may change.
c) You deal with very sensitive data. This includes information like financial,
health, or security-related details.
d) The way you handle data has a big impact on Nigeria's economy, society, or
security.
2) How the NDPC decides if you are “major”
The commission looks at several factors to make this call:
a) How many people's data you handle.
b) How sensitive the data is.
c) If you send data outside Nigeria.
d) If you rely on foreign servers or cloud services.
e) If your service involves money or financial trust.
f) How much you use automated systems to analyse or group data.
g) Whether you follow international security standards.
3) The levels to being "major"
Not all "major" businesses are treated the same. The NDPC groups them into three levels,
with different registration fees and compliance requirements:
a) Ultra-High Level (UHL): The biggest and most sensitive. Think of the largest
banks or telecom companies.
b) Extra-High Level (EHL): Big but not the absolute top. This could include
government ministries, microfinance banks, or large hospitals.
c) Ordinary-High Level (OHL): Important but smaller. Many Small and Medium-
Sized Enterprises (SMEs) that process a decent amount of data would fall here.

Examples
• A major Nigerian bank that manages millions of accounts: This is a good example
of an Ultra-High Level business.
• A social media app with millions of Nigerian users: This could be an Extra-High or
Ultra-High Level business, depending on the scale and type of data handled.
• A mid-sized online store with thousands of customers: This would likely be an
Ordinary-High Level business.
• A small bakery with a customer WhatsApp list: This is not a "major" business.
Note: The NDPC has an official guidance notice (related to Schedule 7 of the NDP Act GAID)
that shows the exact categories and fees, so it is important to check this schedule for specifics.
This notice is part of the supporting documents for this guide.

Article 9: Registration as a Data Controller or Data Processor of
Major Importance
If you're a big player, you must register to play
This article outlines the specific registration rules for any business the NDPC classifies as
"major" (as defined in Article 8).
If the NDPC tells you that you are "major", which applies if you handle the personal data of
more than 200 people within six months, you must officially register with them. You can
find more details on this in Schedule 7 of the NDP Act GAID (which is part of the supporting
documents to this guide).
1) How your registration works based on your level
a) Ultra-High Level (UHL) & Extra-High Level (EHL): You only need to register
once, but must submit a Compliance Audit Return (CAR) every year.
b) Ordinary-High Level (OHL): You must renew your registration every year. As long
as you do this annually, you are not required to file a CAR.

2) Important updates
a) If your registration details change, for example, if you get a new Data Protection
Officer (DPO), move to a new office, or change your services, you must inform the
NDPC within 60 days. You should do this through the official channel the
Commission provides.

b) If you are no longer "major": If you feel you no longer meet the criteria to be
considered a "major" organisation, you can officially ask the Commission to remove
you from their register. However, you must still pay any outstanding fees for the
current or previous years.
The NDPC will publish a public list of all the "major" organisations that have registered. This
list will be updated at least once every year.

Article 10: Filing of NDP Act Compliance Audit Returns with the
Commission
Let's do the books (data edition)
This article explains how "major" businesses must check their data protection practices (a
process called an audit) and then send a report of this check (the Compliance Audit Return or
CAR) to the NDPC.
1) Key rules for your check-up
a) Audits are a must: You must regularly audit how you handle people's data to
reduce the risk of a data breach. The goal is to use good technical and
organisational protections.

b) Be smart about where you look: Focus on the parts of your business where data
risks are the highest. Think about your people, your processes, and your
technology.
c) Follow the best practices: Base your check-up on the best global practices. This
could be anything from a simple checklist for small risks to a detailed technical
review for bigger ones.
d) Set the right pace: Decide how often you'll do your audit based on your level of
risk. If you use online devices like laptops, servers, or cloud services, you should
check your practices as often as possible because cyberattacks are a constant
threat.
2) Who must file the CAR and when
a) UHL & EHL businesses must file an annual CAR with the NDPC.
b) The report must follow the official format from the NDPC (Schedule 2 of the NDP
Act GAID). This is part of the supporting documents to this guide.
c) For businesses that started before June 12, 2023: Your first CAR is due by March
31 of each year.
d) For businesses that started after June 12, 2023: Your first CAR is due within 15
months of starting, and then annually after that.
3) Fees and penalties
a) The fees for UHL and EHL businesses are listed in Schedule 10 of the NDP Act
GAID, which is part of the supporting documents to this guide. See fees below.
S/N  DCPMI Tier                                     Fees (N)
1.   Ultra-High Level (UHL)
     A: 50,000 data subjects and above             1,000,000
     B: 25,000 - 49,999 data subjects                750,000
     C: below 25,000 data subjects                   500,000
2.   Extra-High Level (EHL)
     A: 10,000 data subjects and above               250,000
     B: 2,500 - 5,000 data subjects                  200,000
     C: below 2,500 data subjects                    100,000

b) If you miss the deadline, you have to pay a penalty of 50% of the filing fee,
on top of the normal fee.
4) How to file your CAR
a) You must file your CAR through the Commission’s official online portal.

b) For UHL and EHL businesses, the CAR must be filed with the help of a licensed
Data Protection Compliance Organisation (DPCO). These are expert firms
approved by the NDPC to help with compliance, such as Deloitte Nigeria.

After you file, the NDPC might ask for more information if they need it. Once your CAR is
approved, the Commission may award you a Compliance Audit Returns Certificate as proof
that you have completed this step.

Article 11: Designation of a Data Protection Officer
Meet your DPO: your data protection guide
This article states that any business affected by the NDP Act must appoint a Data Protection
Officer (DPO).
1) Who can be your DPO?
Your DPO can be:
a) An employee from within your company.
b) An external person or an expert firm hired specifically for the role under a contract.
2) What happens after you appoint one?
Once you have a DPO, you must do two things:
a) Publish their contact information publicly. This allows the public, including the
people whose data you handle, to easily know how to contact them. A website is a
good place to do this.
b) Send the DPO’s contact details to the NDPC using the official format they provide.

Article 12: Position of the Data Protection Officer
Your DPO must have your back (and everyone else's)
This article lays out the specific role of the Data Protection Officer (DPO) in your business.
Your DPO must be involved in every decision about how personal data is handled. To make
sure your DPO can do their job, you must:
1) Provide enough resources. Give them the necessary budget, tools, and staff
support.
2) Grant full access. Your DPO needs access to all personal data processing activities
within the company.
3) Support their growth. Ensure your DPO gets continuous training to stay updated,
including pursuing professional certifications.
To be effective, your DPO must be independent. This means they:
1) Cannot work under pressure or be influenced or threatened while doing their job.
2) Can have other roles, but only if there is no conflict of interest. For instance, an
employee cannot be both the DPO and the IT Security Manager. In that case, they
could both decide how data is processed (as IT Manager) and then judge if that
process is compliant (as DPO). This is a clear conflict of interest.

3) Cannot be fired or punished for doing their job. Their job is to protect personal data,
not just to make management happy.
4) Must report directly to top management to ensure their advice is heard at the highest
level.
People (data subjects) must be able to easily contact the DPO with questions or concerns
about their personal data. Additionally, the DPO has a duty to keep all information
confidential while carrying out their work.

Article 13: Submission of Internal Semi-Annual Data Protection
Report by a Data Protection Officer
The DPO's semi-annual report
This article explains the reporting duties of your Data Protection Officer (DPO). Every six
months, your DPO must create a report detailing your company’s data protection practices
and compliance.
1) Who gets the report and how
a) The DPO must send the report to a senior officer or manager who is officially tasked
with receiving the company's Records of Processing Activities (RoPA).
b) The DPO must also get confirmation that the senior manager has received the
report.
c) This report then becomes an official part of your company's RoPA.
d) Down the line, a licensed Data Protection Compliance Organisation (DPCO) will
review this report during the official annual compliance audit.
2) What the report must include
At a minimum, the DPO's report should cover the following points:
a) Privacy Notices: Are your privacy notices (the info you give people about how you
use their data) clear and legal?
b) Data Types: What types of personal data are you processing?
c) Data Protection Principles: Are you following the data protection principles (like
fairness, security, and using only what data you need)?
d) Lawful Basis: What is the lawful basis (like consent, a contract, or legitimate
interest) you are using to process data?
e) Data Privacy Impact Assessment (DPIA): Did you need to conduct a DPIA for
any new processes, and was it done?

f) Legitimate Interest Assessment (LIA): If your basis was legitimate interest, was
an LIA performed?
g) Data Subject Rights: How easy is it for people to exercise their rights over their
data? What methods are in place to handle their requests, and how well do they
work?
h) Complaints: What complaints have you received from people about their data,
and how were they handled?
i) Commission Notices: What official notices or communications have you received
from the NDPC?
j) DPCO Guidance: Did you ask for any guidance from a DPCO?
k) Security Measures: How effective are your security measures for personal data?
Are they strong enough?
l) Cross-Border Transfers: Are there valid legal grounds for transferring data to
other countries?
m) Data Breaches: Were there any data breaches, and were they reported correctly
to the NDPC and the affected people?

Article 14: Credential Assessment of a Data Protection Officer
The DPO certification test
This article explains how the NDPC will check the qualifications of a business's Data Protection
Officers (DPOs) to ensure they are competent to protect people’s personal data.
1) Key rules for DPO checks
a) DPO database: The NDPC will maintain a list of all Certified DPOs who have been
appointed by different companies.
b) Annual Credential Assessment (ACA): Every year, the NDPC will review
whether DPOs still meet the professional standards needed to protect people’s
data rights.
c) Assessment criteria: The review will use specific standards outlined in Schedule
3 of the GAID, which is part of the supporting documents to this guide. It will check
if your DPO complies with:
i. The NDP Act
ii. The GAID
iii. The Code of Conduct for licensed Data Protection Compliance
Organisations (DPCOs)

iv. Any other rules from the NDPC or relevant professional ethics codes.
2) Verification of certification
When your company files its Compliance Audit Returns (CAR) or registers, the NDPC will
also verify your DPO’s certification. The NDPC can either award a verification score if
everything is in order or reject the verification if the evidence of training or professional
development is false, cannot be verified, or is too weak.
You may also be required to pay fees for the NDPC to verify your DPO’s credentials. This
annual check ensures that only DPOs who are fit, proper, and skilled in safeguarding
people's data rights are allowed to hold the position.
3) What this means for you
a) Make sure your DPO is certified and continues to learn and stay current.
b) Be ready for the NDPC to check your DPO’s credentials every year.
c) If your DPO fails verification, your company could fall out of compliance.

Article 15: Principles of Personal Data Protection
The Eight Commandments of Data Handling
This article lists the core principles every business must follow when handling people's
personal data. These principles form the bedrock of data protection under the NDP Act.
1) Fairness, lawfulness & transparency: Be honest, law-abiding, and open about how you
use people’s data. This means you should have a clear purpose for collecting the data and
make it easy for people to understand what you are doing with their information.
2) Purpose limitation: Only use data for the specific reason you collected it. You cannot
misuse it or use it for a different purpose without the person’s consent.
3) Data minimisation & ethics: Only collect and process the data you absolutely need. Don't
collect extra information just in case. For example, a website that only needs an email for
a newsletter should not ask for the user's date of birth or phone number.
4) Storage limitation: Don’t keep data longer than necessary. When the data is no longer
needed for its original purpose, you must delete it or remove any personal identification.
For example, a business must delete a customer's old address if they only ship to their
new one.
5) Accuracy: Keep the data you hold correct and up to date. You must provide ways for
people to update their own information if it changes, like a change of marital status.
6) Confidentiality, integrity & availability: Protect personal data from leaks, tampering,
loss, or unauthorised access. This means having good security in place to keep the data
safe.
7) Accountability: You must be able to prove that you are following all the rules. This
includes keeping records and showing the NDPC what you are doing to comply, not just
saying you are compliant.
8) Duty of care: Treat people’s data with the same level of care and respect you would want
for your own. This means acting responsibly and prioritising the privacy of the individuals
whose data you process.

Article 16: Lawful Bases of Data Processing
Don't use my data without a lawful reason
This article explains that before using anyone’s personal data, you must have a valid legal
reason for doing so. This ensures that data is always processed fairly and responsibly.
The six (6) lawful bases:
1) Consent: The person has freely and clearly agreed for you to use their data for a specific
purpose. For example, when someone ticks a box to sign up for your company newsletter.
2) Contractual Obligation: When you must process the data to fulfil a contract with the
person. For instance, using a customer’s address to deliver an online order they paid for.
3) Legal Obligation: You are required by law to process the data. For example, banks are
legally required to report suspicious transactions to Nigeria's Financial Intelligence Unit
(NFIU).
4) Vital Interest: Processing the data is necessary to protect someone’s life or safety. For
example, a hospital sharing a patient's medical information with emergency responders
during a crisis.
5) Public Interest: Processing the data is necessary to perform a task in the public interest,
or to exercise official government authority. A national census is a classic example of this,
where the government collects data to inform public policy.
6) Legitimate Interest: Processing the data is necessary for your business’s legitimate
interest, as long as it doesn’t harm the data subject’s rights and freedoms. For instance, a
company might use data for fraud prevention or IT security, as long as the data subject
would reasonably expect their data to be used in that way and it does not violate their
fundamental rights.

Article 17: Reliance on Consent
Consent is King, but be careful
This article explains that if you rely on a person's consent to use their data, that consent must
be freely given, informed, and fair. You must not trick, force, or pressure anyone into giving
consent.
Data privacy is a fundamental right, so consent is a critical way to ensure people remain in
control of their own information.
Consent is not always the right legal basis to use. If using consent would go against the rule
of law or be unfair, you should use another lawful basis instead (like fulfilling a contract).
1) How the NDPC checks your consent (Special Rule of Law Indexes)
The NDPC can evaluate how valid your consent is by looking at a number of factors,
including:
a) Risk to people’s rights: Is there a risk that using the data could harm someone's
rights or freedoms?
b) Security implications: What are the security risks of processing this data?
c) Public welfare: Does using the data genuinely benefit society or the community?
d) Fairness in justice: Is the data used in a way that respects equality before the law
and impartial courts?
e) Sustainable development: Does the data use align with long-term benefits, like
environmental, social, or economic sustainability?
f) Previous relationship: What was the previous relationship between your
company and the person?
g) Necessity and proportionality: Is the data you collected really needed for the
purpose and not excessive?
2) Your accountability when using consent
You must keep clear records showing how you obtained consent. To prove your
accountability, you must:
a) Give people clear and simple information before asking for their consent.
b) Make it as easy for someone to withdraw their consent as it was to give it.
c) Ensure that a person saying "no" does not result in them being unfairly
disadvantaged or harmed.
3) Implied consent: A limited exception
a) Implied consent is only allowed in a few special cases. Important note: The NDPC
prioritises affirmative and explicit consent, and while this article mentions implied
consent, it is a narrow and often debated concept in data privacy. The safest
approach is always to seek explicit consent where possible.
b) Public events: If someone attends a public event, photos or videos may be used
for reporting or journalism, but not for commercial adverts without their explicit
permission. The images must also not show people in a bad light.
c) Websites: If a user closes a cookie or privacy notice, the website may only collect
the minimal data needed for basic functions (like loading pages) and not for ads or
advanced tracking. Any non-essential tracking requires explicit opt-in.
4) How you can stay compliant
a) Obtaining Consent
i. Use simple, clear language. No confusing legal terms.
ii. Give people a real choice, such as "Yes" or "No" buttons. Never use pre-ticked
boxes.
iii. Explain exactly what the consent covers, especially if there are multiple
reasons you need their data.
b) Recording Consent
i. Keep records of who consented, what they consented to, and when and how they
gave consent.
ii. Use special tools (like cookie consent banners that log user actions) to help you
do this.
c) Withdrawing Consent
i. Provide easy options for withdrawal, such as an "unsubscribe" link, account
settings, or an email address.
ii. Make withdrawal free and instant. No unnecessary delays.
d) Avoiding Consent Abuse
i. Don’t use consent where there is a power imbalance, like between an employer
and an employee.
ii. Don’t hide consent terms in long, complicated privacy policies.
iii. Don’t make consent a requirement for a service unless it is truly necessary.
e) Public Events (Implied Consent)
i. Put up visible notices saying "Photos/videos may be taken for news reporting."
ii. Blur or anonymise sensitive images.
iii. For commercial use (like adverts), always get explicit written consent.
f) Websites (Implied Consent)
i. Use cookie banners that clearly explain what data is collected.
ii. The default setting should only collect the minimum necessary data.
iii. Any extra tracking (for ads, analytics, etc.) requires explicit opt-in.

Article 18: Data Processing Which Requires Consent
When you absolutely, positively need consent
This article explains that for certain sensitive or high-risk activities, getting consent is not
optional; IT IS A REQUIREMENT. This is because these situations pose a greater risk to
people's data privacy.
You are required to obtain specific consent from individuals in these situations:
1) Direct Marketing: If you want to send someone promotional messages, like emails, SMS,
or make direct calls to them, you must have their clear permission first.
2) Sensitive Personal Data: If you are processing sensitive information, such as health
records, biometric data, religious beliefs, political views, or sexual orientation, you need
explicit consent.
3) Further Processing for New Purposes: If you decide to use data for a new purpose that
is different from the original reason you collected it, you must get consent again for that
new purpose.
4) Children’s Data: You must take extra care when processing a child's data. If the child is
under 18, you must get the consent of a parent or guardian.
5) Cross-Border Data Transfer (without an Adequacy Decision): If you are sending data
to a country that the NDPC has not officially declared as having adequate data protection
standards ("safe"), you must get consent before sending the data. This is not needed if
you use other safeguards approved by the NDPC, like binding corporate rules (BCRs) or
standard contractual clauses (SCCs).
6) Automated Decision-Making with Serious Effects: If you use algorithms or automated
systems to make important decisions that have a legal or serious effect on someone (e.g.,
approving a loan, shortlisting for a job, creating a credit score) without any human review,
you must get consent.
Your company's Compliance Audit Return (CAR) must clearly state whenever you have used
consent for any of these situations. You must be able to show evidence of how you obtained
and recorded that consent.

Article 19: Consent to Cookies and Other Tracking Tools
Cookies need your permission, too
This article explains that your company must get consent before using cookies and other
tracking tools on your website or app, since these collect information about people. This is a
crucial part of data protection under the NDP Act.
Consent for cookies and trackers must be freely given, informed, and specific. This is typically
handled through a cookie banner or pop-up that appears on your website.
1) Necessary cookies (no consent needed)
You do not need consent for strictly necessary cookies: those needed for your site to
function correctly. This includes features for security, network stability, and accessibility.
These cookies should not collect sensitive, financial, or private data and must not require
users to click a box.
2) All other cookies require consent
a) All other types of cookies, including for analytics, advertising, personalisation,
social media plugins, or tracking pixels, require consent.
b) The banner must present clear options like "Accept" and "Reject" (or similar
language), and you cannot use pre-ticked boxes.
3) What the cookie banner must show
Your cookie banner needs to be clear, obvious, and visible immediately when
someone lands on your site and requires no scrolling. It must clearly state:
a) What cookies are used and why. Explain the purpose of each cookie.
b) Who is responsible. Identify your company as the main party and list any third-party
or fourth-party advertisers and content managers who also use cookies.
c) How to withdraw consent. Give clear information on how users can change their
minds and withdraw their consent at any time.
4) Other tracking tools are also covered
The NDPC will treat any tracking tool that behaves like a cookie under the same rules.
This includes technology like:
a) Browser Fingerprinting: This advanced method uses details about your device
(like screen resolution, installed fonts, and browser version) to create a unique
profile for tracking you online, even without cookies.
b) Tracking Scripts: These are small pieces of code, often JavaScript, embedded
on a site to monitor user behaviour, such as which pages they visit.
c) Device IDs: These are unique identifiers for mobile devices used for tracking app
installations and user activity.

[Figure: a sample compliant cookie banner from the website of the Information Commissioner's
Office (ICO) of the United Kingdom, https://ico.org.uk/]
Article 20: Lawfulness of Purpose, Reliance on Consent, and Other Lawful Bases
The reason matters more than the consent
This article serves as a quick recap, emphasising a crucial point: Consent alone does not
make data processing lawful if the purpose behind it is illegal or harmful. Every data
processing activity must have a valid purpose under the legal statutes, in addition to a valid
lawful basis (like consent).
Data processing must always be lawful. The purpose for which you process personal data
must be legal. This means the purpose must:
a) Be lawful under the NDP Act.
b) Not violate any other Nigerian law.
c) Not break any international laws that Nigeria recognises.
Consent is never valid if it’s used to justify harmful or illegal activities, including:
a) Promoting hate or discrimination.
b) Supporting criminal activities or other atrocities.
c) Violating children’s rights.
d) Any other criminal acts.

Article 21: Reliance on Contract
When a contract requires data
This article explains the rules for processing personal data when it is necessary for a contract
with an individual. While it is a lawful basis for processing, there are specific rules to ensure
fairness and transparency.
Key rules for processing data with a contract
1) Before the contract (due diligence)
a) Before signing a contract, you can collect and process personal data to verify
information, such as when a fintech company checks a person's credit history
before offering a loan. If the contract does not go through, you must delete any
collected personal data within six (6) months.
b) The data may be kept for longer than six (6) months if there is a justifiable legal
reason for it, such as for potential legal claims or fraud prevention.
2) Termination must be possible
You must include provisions that allow an individual to end the agreement early if they no
longer want their data to be processed, provided all legal obligations are met. For example,
an e-learning platform that collects user data for subscriptions must include a clause that
allows users to cancel their subscription and request that their personal data be deleted
or anonymised.
3) No blocking courts or NDPC
A contract can never include a clause that takes away a person’s right to go to Nigerian
courts or the Nigeria Data Protection Commission (NDPC). Any such clause is
automatically invalid. For example, a social media company operating in Nigeria cannot
include a clause in its user agreement that says only foreign courts have jurisdiction over
data protection disputes with Nigerian users. This is not legally enforceable.
4) Alternative Dispute Resolution (ADR) is okay
Contracts can include options for Alternative Dispute Resolution (ADR), like mediation or
arbitration, for resolving data-related issues. However, including an ADR clause cannot
prevent an individual from reporting an incident to the NDPC or pursuing their rights in
court.

Article 22: Reliance on Legal Obligation
When the law requires data
This article explains that sometimes you must process personal data because the law requires
it, not because of consent or a contract. This is known as a legal obligation.
1) What counts as a legal obligation?
A legal obligation can be:
a) A specific duty imposed by a law.
b) An order from a court.
c) A responsibility tied to an existing legal duty that requires you to process data.
2) Limitations on your privacy
If a legal obligation restricts someone's usual data privacy rights, it is considered a
limitation on the constitutional right to privacy. Such restrictions are only valid if
they are:
a) Reasonably justifiable in a democratic society.
b) Serving purposes like defence, safety, order, public health, or morality, OR
protecting the rights and freedoms of others.
3) Limits on how you can use the data
When you process data under a legal obligation, you must only process the minimum
amount of data necessary. You cannot use a legal obligation as an excuse to pry into
people’s private lives or collect more information than is absolutely required by law.
4) Alternative, less intrusive options
Before enforcing a legal obligation, authorities should consider if there is a less
invasive way to achieve the same result. They can get input from:
a) The person affected (data subject).
b) The NDPC.
c) Your company.
d) Human rights groups.
e) The media.
5) The role of your DPO
Your company's Data Protection Officer (DPO) should help confirm that:
a) The authority asking for data has the legal right to do so.
b) The proper data protection safeguards are in place.
c) The request is clear and limited in scope, not vague.
d) The person whose data is being requested can still exercise their rights under the
NDP Act.
e) The request follows the principles of necessity and proportionality, meaning what
is being processed is absolutely necessary for the purpose.
6) What to do if there's a dispute
a) If your company disagrees with an administrative order (e.g., a government
directive), you can seek guidance from the NDPC.
b) If you disagree with a court order, you can go to a higher court to try to change or
cancel it.
Article 23: Evaluation of Lawful Bases of Data Processing
Your legal reason must be a fair reason
This article explains that even if your company has a lawful basis for processing data, it must
still be evaluated against broader principles of a democratic society, like necessity, duty of
care, proportionality, and access to redress. All data processing must respect the
constitutional limits set by the Nigerian Constitution, particularly Sections 37 (right to privacy)
and 45 (justifiable restrictions).
Key evaluation criteria
1) Necessity
Is this processing truly needed? Could you achieve your goal with less data, or with no
data at all?

Example:
✔ Necessary: A bank collecting a customer's ID for KYC (Know Your Customer) checks
is necessary due to legal and financial regulations aimed at preventing fraud and money
laundering.
✘ Not Necessary: A bank collecting a person’s religion to open a bank account is
unnecessary for that purpose and is a privacy violation.
2) Duty of Care: Are you being careful with the data? You must show that you used safe and
careful practices to reduce the risk of harm to people's personal data.
Example:
✔ Careful: Encrypting patient health records before sharing them with a lab
demonstrates a responsible practice to protect sensitive information.
✘ Careless: Sending patient records over an unsecured email without safeguards is a
failure of your duty of care.
3) Opportunity for Redress: Can people complain if something goes wrong? People whose
rights are affected must have clear and easy ways to complain or seek justice. This
includes access to NDPC procedures and their constitutional rights.
Example:
✔ Fair: A telecom provider informs customers of their right to file a complaint with the
NDPC if they feel their data was misused.
✘ Unfair and invalid: An app's terms of service stating, "By using this service, you waive
your right to complain to any authority" is invalid and not legally enforceable.
4) Proportionality: Does the data you collect match your aim? The amount and type of data
collected must be proportionate to the actual goal you are trying to achieve. The benefit
you gain must not be at the expense of a person's privacy rights.
Example:
✔ Proportionate: Using CCTV cameras in a bank hall is a proportionate measure to
enhance security and prevent robbery.
✘ Disproportionate: Using CCTV cameras in office toilets to prevent misconduct is a
disproportionate measure and a serious privacy violation.

Article 24: Reliance on Vital Interest
When you have to act fast for life and livelihood
This article explains that sometimes an urgent situation comes up where you can’t get a
person's consent, but you must act quickly to protect their life or livelihood. In these cases,
you can use vital interest as your lawful basis for processing their data.
Conditions for relying on vital interest
You can only rely on this basis if all these conditions are met:
a) It's necessary for life or livelihood: You must genuinely need to process the data to
save a life, protect someone's health, or preserve their economic survival.
b) There is a legitimate expectation: It is reasonably expected by law, in the relationship
you have with the person, or based on social norms, that you would act in such a
situation.
c) You'll be held accountable if you fail: If you don't act, you could be seen as negligent
or reckless.
d) You use a proportionate method: You must only use the minimum amount of data
necessary to deal with the emergency.
e) You provide transparency afterwards: You must explain your actions to the person
affected, their representative, or a competent authority when asked.
Examples
• Medical Emergency (protecting a person’s life): A hospital processes a patient’s
medical records without consent because the patient is unconscious. The hospital
needs this information to save their life. This is a lawful use of vital interest.
• Epidemic Outbreak (protecting others’ lives): Health authorities share the contact
details of a person infected with a highly contagious virus with contact tracing teams
to stop the spread. This is necessary to protect the lives of others.
• Preserving Livelihood: A relief agency collects farmers’ personal details (such as
account numbers and family size) after a flood to quickly provide food and shelter,
even without obtaining explicit consent first. This helps preserve the farmers’
livelihood.

Article 25: Reliance on Public Interest
It's for the public good, but with limits
This article explains that your company can sometimes process personal data without a
person's consent if it is necessary for a task carried out in the public interest. However, this
must always be done in a way that is necessary, proportionate, and respects fundamental
human rights.
1) When can public interest be used?
You might be able to use public interest as a lawful basis in specific, well-defined situations,
such as:
a) Public Health or Humanitarian Emergency: To protect the wider community
during health crises (like an epidemic) or natural disasters (like a flood).
b) Public Safety: If there is a clear and immediate danger threatening the public,
such as a national security threat.
c) Addressing Destitution or Deprivation: To help vulnerable people when inaction
could cause severe hardship, aligning with national policy and development goals.

Examples:
• Humanitarian Crisis: In a flood-prone area, a relief organisation might collect the
names and contact details of displaced people without prior consent to quickly provide
emergency shelter and aid.
• Public Safety: The police might use CCTV footage to track suspects during a terrorist
threat, even without getting consent from every individual caught on camera.
• Destitution or Poverty Relief: Government agencies might process details of
homeless individuals to provide housing and food support through social welfare
services.
2) Safeguards required
When relying on public interest, you must:
a) Follow the principles in Article: Ensure the processing is necessary,
proportionate, respectful of your duty of care, and that individuals have access to
a way to get justice (redress).
b) Keep processing limited: Only collect and share the data that is absolutely
essential for the specific task.
c) Avoid harmful precedents: You cannot misuse public interest as a blanket
excuse to process data, as this can weaken privacy rights in the long run.
d) Document your decisions: You must keep clear records showing why you relied
on public interest in a particular situation.
3) Compliance tips
• Check the threshold: Before you act, ask yourself: "Is this genuinely a public health,
safety, or humanitarian emergency that justifies this?"
• Minimise data: Use only the data that is strictly required for the emergency response.
• Conduct a proportionality test: Ask yourself: "Would a less intrusive method achieve
the same goal?"
• Be transparent after the fact: Inform the affected individuals of what you did when it
is safe and possible to do so.
• Involve your DPO: Always have your Data Protection Officer (DPO) document and
approve your decision to rely on public interest.
• Provide a redress mechanism: Ensure there is a way for individuals to challenge or
question the processing of their data.

Article 26: Reliance on Legitimate Interest
Using data fairly, not freely
This article explains how your company can rely on legitimate interest as a lawful basis for
processing personal data. This isn't a "free pass" to use data as you like. You must prove your
reason is fair, necessary, and does not override people’s rights.
1) Be careful when using legitimate interest
You must prove that your company’s reason for processing data is fair, necessary, and
respects people’s rights.
Example: A bank records calls with customers for training and fraud prevention. This
might be a legitimate interest, but the bank must ensure it's truly needed and that it
respects customers’ privacy.
2) Be ready to explain your reasons during audits
The NDPC can ask you to explain why you used legitimate interest. You must be able to
show documentation, such as a Legitimate Interest Assessment (LIA). If you cannot
explain, it will count against you.
3) Legitimate interest cannot stand alone
You can only use legitimate interest if it is compatible with one of the other lawful bases,
such as consent or contract. This means it must connect with the lawful basis under which
you initially collected the personal data being processed.
Example: A logistics company tracks deliveries under a "contract" with customers. Using
legitimate interest to also store tracking logs for 30 days to analyse and improve operations
is compatible with that contract.
4) Conduct a Legitimate Interest Assessment (LIA)
Before using legitimate interest, you must conduct an LIA. Schedule 8 of the GAID
provides a template for this. The LIA checks:
a) Purpose: What is the interest you are pursuing?
b) Necessity: Is the processing necessary for that purpose?
c) Balancing Test: Do the individual's rights and interests outweigh your interest?
Always document your LIAs. This is your evidence that you have thought it through and
are accountable.
5) Design systems with privacy by default
Your systems must be designed to respect privacy automatically. This means:
a) Anonymisation: Removing identifying details from data.
b) Pseudonymisation: Replacing personal details with codes.
c) Data Minimisation: Only collecting the data you really need.

Example: Instead of storing full names in customer analytics, you use random IDs.
6) Avoid high-risk processing
Do not rely on legitimate interest for things that are risky to the rights and privacy of the
data subject, such as:
a) Profiling people based on their behaviour.
b) Tracking people across different websites.
c) Targeted advertising by third parties without consent.
d) Processing data that could expose vulnerable groups.
7) Be transparent with people
You must tell people in simple language why their data is being processed under legitimate
interest. This information should be in your privacy notice.
Example: Your privacy notice states, "We keep CCTV footage for 30 days to help prevent
and investigate security incidents under our legitimate interest of ensuring safety and
security."
8) Provide an easy way for people to exercise their rights
If a person objects to you processing their data based on legitimate interest, you must
review their objection. In most cases, you must stop processing their data unless you can
prove a very strong, overriding reason to continue.
9) Apply ethics and duty of care
Always ask: "Is this fair to people?" Even if something is technically allowed, if it feels
intrusive or unfair, it could violate your duty of care.
Example: Monitoring employees’ private WhatsApp chats on a work phone would be
unethical and a breach of trust, even if the employer tries to justify it as a "legitimate
interest."

Article 27: Consideration Regarding Information to Data Subjects
Telling people what you do with their data.
Before your company collects or uses anyone’s personal data, you must give them clear and
easy-to-understand information. This is so people know exactly what is happening with their
data.
The information you provide must be easy to understand, especially for vulnerable people,
such as children, individuals with disabilities, or those who don’t speak the language well.
At physical events (like interviews or seminars) where a written privacy notice isn't practical,
you must explain the information in a way that people can easily understand. This could
involve using interpreters, translations, or simple verbal explanations.
You must provide, at a minimum, the following information:
a) Your identity: The name of your company (as the data controller or processor).
b) The lawful basis: Your legal reason for processing the data (e.g., consent, a contract,
or legal obligation).
c) The type of data: The specific type of data you are collecting (e.g., name, phone
number, email, or health data).
d) The purpose: The reason why you are collecting the data.
e) The process: How the data will be collected and processed.
f) Third-party access: Whether any other companies or individuals will have access to
the data.
g) Third-party reasons: Why those third parties need access.
h) Individual rights: What rights the individual has (e.g., access, correction, deletion).
i) Contact information: Who to contact within your company for questions or complaints
(such as your DPO).
j) The right to complain: How to lodge a formal complaint with the NDPC.
It is important to note that consent is not the same as information. Giving someone this
information is not the same as asking for their consent. You must specifically request consent
when it is required, and the person must have received all the necessary information first so
they can make a truly informed choice. Statements like “By accepting this privacy notice, you
give us your consent to…” are unlawful and invalid.

Article 28: Data Privacy Impact Assessment
A risk check for big projects
This article explains the Data Privacy Impact Assessment (DPIA), a necessary "risk test" you
must conduct before starting any data processing project that is likely to cause a high risk to
people’s rights and freedoms. This includes projects involving new technology or large-scale
data processing.
1) When is a DPIA required?
A DPIA is required if your data processing poses a high risk due to its nature, scope,
context, or purpose. It is a proactive step to assess and mitigate risks.
These high-risk processing activities include:
a) New technologies and large-scale processing: Introducing new technology or
processing large amounts of data requires a DPIA because these projects can
have unintended consequences on people’s lives. Example: A government
introducing a new biometric ID system could affect millions of citizens if
mismanaged, making a DPIA mandatory.
b) Profiling: Analysing someone's behaviour (e.g., credit scoring, personality
analysis).
c) Automated Decision-Making: AI systems denying loans or filtering job
applications without human intervention.
d) Systematic Monitoring: Using CCTV in public places.
e) Sensitive Data: Processing health records, biometrics, or religious beliefs.
f) Vulnerable People: Processing data of children, the elderly, or sick people.
g) Innovative Processes: New apps or AI solutions with high potential risk.
h) Communication Software: Chatbots or direct messaging systems.
i) Financial Services: Mobile banking or fintech apps.
j) E-commerce: Large online stores with customer profiling.
k) Public Surveillance: Cameras in public places.
l) Government Policies: Laws requiring large-scale processing.
If your processing relates to any of these, you must conduct a DPIA.
Risks associated with such processing can include loss of jobs or opportunities due to
automated decisions, invasion of privacy, discrimination, exploitation, etc.

2) Vetting by a certified DPO
Your DPIA must be reviewed and signed off by a Data Protection Officer (DPO) who is
certified and accredited by the NDPC.
3) Filing with the NDPC
The results of your DPIA must be included in your Compliance Audit Return (CAR), which
is submitted to the NDPC. This proves that you considered and mitigated privacy risks.
4) Penalties for not doing a DPIA
If you skip a required DPIA, the NDPC can restrict your operations. Example: If a fintech
company ignores the DPIA requirement, the NDPC can block it from onboarding new
customers until it complies.
5) Ongoing guidance
When conducting a DPIA, you must follow both the NDP Act and the GAID (General
Application and Interpretation Directive), which provides practical rules.
6) Deadlines
a) New High-Risk Software: Carry out a DPIA and submit it to the NDPC within 4 months
of GAID issuance.
b) Legacy Processing: If any sensitive or high-risk processing began before the
issuance of the GAID, complete your DPIA and submit to the NDPC within 6
months.
7) Building privacy into your systems
A DPIA must also show how you have built privacy by design and by default into your
system. This includes:
a) Proactive, not reactive: Anticipating risks before they happen.
b) Default privacy: Systems should protect data automatically.
c) Design with privacy in mind: Building privacy into the system from the start.
d) Full functionality: Privacy should not reduce the usefulness of the system.
e) End-to-end security: Protecting data throughout its entire lifecycle (from collection
to disposal).
f) Transparency: Users should understand how their data is used.
g) Respect for users: Ensuring fairness, dignity, and minimal intrusion.
8) Signature requirement
Only a certified, NDPC-accredited DPO can sign off on a DPIA; this ensures accountability.
9) DPIA format
The DPIA must follow the template provided in Schedule 4 of the NDP Act GAID. This is
attached as a supporting document to this guide.

Article 29: Monitoring, Evaluation and Maintenance of Data Security System
Security is a marathon, not a sprint
This article explains that data security is a continuous process, not a one-time task. You must
create and follow regular schedules to monitor, evaluate, and maintain your data security
systems.
1) Mandatory schedules
You must have a regular, planned schedule for data security. This means your security
efforts should be ongoing and not just happen once.
2) What your schedule should cover
Your plan needs to cover the people, processes, and technology involved in security. It
should include, but is not limited to:
a) Training: Regularly teach your staff about data security (e.g., how to spot phishing
emails).
b) Certifications: Ensure that employees in key data security roles have the right
professional qualifications.
c) Software Updates: Keep all your systems, software, and apps up to date.
d) Database Tests: Regularly check your databases for vulnerabilities that hackers
could exploit.
e) Hardware Assessments: Check that your servers, laptops, and storage devices
are working properly and replace old equipment when needed.
f) Authentication Checks: Make sure your login systems are strong (e.g., using
multi-factor authentication and good password policies).
g) Encryption Reviews: Regularly confirm that sensitive data is encrypted both when
it’s stored and when it’s being sent somewhere else.
h) Quality Assurance (QA): Test the security tools you use to ensure they are
actually protecting the confidentiality, integrity, and availability of your data.
3) Assigning officers
You must assign specific officers responsible for each security task and set clear timelines
for them.
Example: The IT officer is responsible for running database vulnerability scans every 3
months. The HR officer is responsible for staff security training every 6 months. The
Information Security Officer reviews encryption systems every year.
4) Vetting by an Information Security Officer (ISO)
Your security schedule must be checked and signed off by a certified Information Security
Officer (ISO).
5) Frequency of monitoring
The frequency of your monitoring should be based on the risk level of the data you process.
Example: A telecom company that handles millions of customer records should test its
systems more frequently (e.g., bi-weekly) than a small school with limited records (e.g.,
quarterly).

Article 30: Schedule for Internal Sensitisation and Training on Privacy
Everyone needs to be a data privacy expert
This article explains that your company must have a structured, ongoing training plan to make
sure everyone is aware of data privacy rules and how to follow them.
1) Mandatory training schedule
You must create and implement a formal, planned training schedule for privacy
awareness. It cannot be random or unplanned. Example: A hospital creates a 12-month
training calendar that includes quarterly workshops for all staff (doctors, nurses, and
admin) on patient data confidentiality.
2) Evaluating compliance
Your training schedule must include ways to check how well staff are following the NDP
Act, the GAID, and any other rules from the NDPC.
Example: You could use post-training quizzes, annual compliance audits, or random spot
checks to see if staff are handling personal data correctly.
3) Different ways to train
You can use various methods to keep employees engaged during training:
a) Meetings: Discuss privacy risks during weekly team meetings.
b) Questionnaires: Use surveys to test awareness.
c) Interviews: Talk to employees to measure their real understanding.
4) Identify what to stop, start, and continue
Your training should help your company identify and document:
a) Practices to STOP: For example, sharing client data using personal WhatsApp.
b) Practices to START: For example, encrypting sensitive personal data before it is
transferred.
c) Practices to CONTINUE: For example, continuing to use role-based access
controls.

5) Publish the schedule
The training plan must be easily accessible to all staff, senior management, vendors, and
other key stakeholders. Example: You could upload the plan to the company intranet, post
it on office notice boards, or share it by email with all staff and contractors.
6) Assigning responsibilities and timelines
Your company must:
a) Review where personal data is being processed (including digital platforms and
physical documents).
b) Assign officers to conduct training and compliance checks.
c) Set clear deadlines for making improvements.
Example: HR is responsible for annual privacy training. The IT department is responsible
for ensuring that databases are handled securely. The compliance team is responsible for
monitoring who has completed the training.
7) Basic Privacy Checklist
A Basic Privacy Checklist (BPC) must be created and disseminated to your staff to help
guide their daily activities that involve personal data.

8) Random compliance checks
Your company should have a written policy that allows for random, unannounced spot
checks to ensure rules are being followed.

Practical compliance steps
• Create a Training Calendar: Schedule regular awareness sessions for all staff.
• Use Multiple Training Methods: Mix workshops, e-learning, posters, and quizzes.
• Measure Effectiveness: Test staff knowledge with quizzes, interviews, and spot
audits.
• Adopt Stop–Start–Continue Reviews: Continuously identify activities to start, stop
and continue to align with the requirements of the NDPC.
• Publish and Share the Schedule: Make sure everyone who handles data can access
the training plan.
• Develop a Privacy Checklist: Keep it short and practical for daily use.
• Conduct Random Compliance Checks: Perform surprise audits to ensure rules are
followed in real life.

Article 31: Deployment of a Data Processing Software by a Data Controller or Data Processor
Your software must be privacy-friendly
This article explains that if your company deploys any software that tracks or communicates
with people, you must comply with the NDP Act.
If your company deploys software that tracks a person (for example, by monitoring their
activity, usage, or location) or enables communication with a person (for example, through
messaging or notifications), ensure the following before you deploy such software:
1) A DPIA is conducted: You must carry out a Data Privacy Impact Assessment (DPIA) to
check for risks to users.
2) Privacy by Design and by Default: Privacy features must be built into the software from
the start. The default settings should be the most private, with minimal data collection
unless the person actively opts in.
3) Data Security Guidelines are followed: The software must comply with the security rules
of app stores like Google Play and the Apple App Store. For example, a messaging app
must have end-to-end encryption.
4) Privacy Policy is inside the software: A clear and accessible privacy policy must be
available within the app or system.
5) Privacy Statement is given before installation: Before a person installs the software,
you must clearly state:
a) What personal data you collect.
b) Why you collect it (your lawful purpose).
c) How you will process the data without violating anyone’s rights.
d) That you won’t process any unnecessary personal data.
e) What technical and organisational safeguards you have in place (e.g., encryption).
f) That a DPIA was conducted.
g) That technical support for privacy is available.
h) How a person can use self-service options (e.g., disable features, uninstall the
app).
i) How to complain to the NDPC or other relevant authorities.

These rules apply to a wide range of software, including:
a) Operating Systems: Like Windows, Android, and iOS.
b) Mobile Apps: For banking, e-commerce, and ride-hailing.
c) Device Drivers: Like those for printers or scanners that process personal data.
d) Firmware: The operating software for smart TVs and other IoT devices.
e) Programming Language Translators: If they process personal data.
f) Utilities: Like antivirus software, disk cleanup tools, and VPNs.

Article 32: Measures Against Privacy Breach Abetment
Don't perpetuate the malice
This article explains that your company must ensure its platforms, systems, or networks are
not used to breach people's privacy. If they are, your company must take immediate action.
1) You are responsible for making sure your platforms and networks aren't used for privacy
breaches. This involves both technical measures (like data security controls) and
organisational measures (like having strong policies, monitoring for abuse, and a clear
response plan).
2) If the NDPC tells your company that its system is being used to breach privacy, you must:
a) Immediately restrict the offending user or person (for example, by blocking their account
or suspending their access).
b) Keep this restriction in place until the NDPC finishes its investigation.
3) If your company fails or refuses to act after being directed by the NDPC, it will be treated
as if it had directly committed the privacy breach. This makes you legally accountable
under the NDP Act.

Article 33: Data Breach Notification
You snooze, you lose
This article explains that if a data breach happens that could put people's rights and freedoms
at a high risk, your company (as the data controller) must notify affected people immediately,
and the NDPC within 72 hours of becoming aware of it. A breach is considered high-risk if it
could make people vulnerable to fraud, identity theft, or exposure of sensitive data (like
health, financial, political, or biometric information).
Personal Data Breach notification requirements
1) You must notify the NDPC within 72 hours of becoming aware of such a breach.
2) When you notify the NDPC, you must include details about the breach, such as its nature,
the type of data involved, and the approximate number of people affected.
3) In addition to notifying the NDPC, you must also immediately notify the affected people so
they can take precautions, such as changing passwords or blocking their cards. This is
part of your company's duty of care and accountability.
4) For very serious threats, you must give immediate notice to the NDPC and other relevant
authorities, even if the 72-hour window applies. This is for breaches that could spread
further, cause national-scale risks or require urgent action at a national, sectoral, or
individual level.
5) When you report a breach to the NDPC, your notice must contain:
a) Description: A clear explanation of how the breach happened (e.g., hacking, a
lost laptop, or an insider leak).
b) Timeline: When the breach happened and for how long.
c) Data Involved: The types of personal data that were exposed (e.g., names,
emails, health records).
d) Risk Assessment: An evaluation of how likely it is that people will be harmed.
e) Affected People: The approximate number of people affected.
f) Mitigation Steps: The steps you have taken to reduce the risk (e.g., password
resets, fraud monitoring, system shutdown).
g) Notification to Individuals: The steps you have taken to notify affected individuals
(e.g., emails, press releases, SMS alerts).
h) Contact Person: A contact person (like your DPO or a security officer) for the
NDPC to reach for clarification.

Article 34: Data Processing Agreement
Let’s shake hands for Privacy
This article explains the Data Processing Agreement (DPA), a written contract required
between a data controller (your company, which decides why and how data is processed) and
a data processor (a company that processes data on your behalf). A DPA ensures both sides
know their responsibilities and comply with the NDP Act.
A proper DPA should clearly outline the following:
1) Legal Obligations: An agreement that both parties will follow the NDP Act.
2) Party Identification: The names and addresses of both the controller and the
processor.
3) Contract Context: Reference to any other relevant contracts, like a Service Level
Agreement (SLA).
4) Purpose: The reason why the data is being processed.
5) Location: Where the processing will happen, especially if it involves sending data
across borders.
6) Scope: What type of data will be processed and how much.
7) Lawful Basis: The legal reason for processing the data.
8) Responsibilities: A clear breakdown of who is responsible for what.
9) Security Measures: Details of the technical and organisational safeguards in place,
such as encryption and access controls.
10) DPIA Results: Any results from a Data Privacy Impact Assessment, if one was
required.
11) Risks: Potential privacy and security risks.
12) NDPC Registration: Confirmation that both parties are registered with the NDPC.
13) Confidentiality: Rules on keeping the data secret.
14) Tenure: The duration of the agreement.
15) Restrictions: What cannot be done with the data.
16) Indemnity & Insurance: Details on who pays if something goes wrong.
17) Force Majeure: What happens if uncontrollable events (like a natural disaster) affect
processing.
18) Dispute Resolution: How conflicts will be resolved.
Each party must make sure the other is complying with the NDP Act. If a controller hires a
processor, and that processor hires another company (a sub-processor), the controller is still
ultimately responsible for any wrongdoing.
Small operators (sole proprietors, freelancers, agents)
If an individual, like a freelance IT technician or a small consultant, processes high-risk
personal data, they must:
a) Get trained in data protection.
b) Be registered with the NDPC as a data processor of major importance.
Training and registration serve as proof of compliance for these small operators.

Article 35: Benchmarking with Interoperable Data Privacy Measures
Using global standards to protect data
This article explains that since data often moves across borders, your company should
consider using global best practices for data protection. These globally recognised templates
are called Interoperable Data Privacy Measures (IDPMs).
1) What is an IDPM?
An IDPM is a set of internationally recognised best practices. Adopting them helps your
company improve its data protection, even if the measures come from another country or
organisation. Example: A Nigerian fintech company could use EU-style rules for
encryption or adopt the ISO 27701 standard (Privacy Information Management) to
strengthen its privacy program.
2) Application Requirements
If your company wants to use an international standard (IDPM) that requires NDPC
approval, you must submit an application to the NDPC. Your application must include:
a) Your company's name and address.
b) Your type of business.
c) The purpose and lawful basis for processing data.
d) The specific data processing where you want to use the IDPM.
e) The origin of the IDPM (e.g., EU, OECD, ISO).
f) The benefits of using the IDPM for your data processing.
g) The benefits to the overall data protection ecosystem.
h) Three examples of how you will use the IDPM.
i) Any disadvantages of using the IDPM.
j) The contact details of your certified Data Protection Officer (DPO).
The NDPC has 30 days to review your application. If the IDPM is consistent with the NDP
Act, the NDPC may approve its use.
3) Scope of Adoption
Here are some areas where you might adopt international standards:
a) Anonymisation: Removing names from customer data before sharing it for
research.
b) Automated Decision-Making: Using international standards to ensure fairness in
AI-driven loan approvals.
c) Child Online Protection: Implementing stricter parental consent measures,
similar to those in the US.
d) Data Portability: Allowing customers to download their account data, as required
by the GDPR.
e) Data Subject Access Requests (DSARs): Using international templates for
responding to people's requests for their data.
f) DPIAs: Using international frameworks to assess data privacy risks.
g) Artificial Intelligence (AI): Applying Organisation for Economic Co-operation and
Development (OECD) AI ethics principles to your AI systems in Nigeria.
h) Encryption Standards: Adopting encryption benchmarks from international
bodies like the National Institute of Standards and Technology (NIST) or the
European Union Agency for Cybersecurity.
i) Legitimate Interest Assessment (LIA): Using international checklists to evaluate
legitimate interest.
j) Pseudonymisation: Masking health records with codes before performing
analytics.
k) Records of Processing Activities (RoPA): Keeping structured logs consistent
with international requirements.
Your DPO must actively review IDPMs to make sure your company is always prepared. The
NDPC will also provide ongoing guidance on which IDPMs are acceptable.

Article 36: Exercise of Right to Rectification
The right to fix your data
This article explains that people have the right to correct any personal data about them that is
inaccurate or incomplete. This is tied to the data accuracy principle in the NDP Act. Your
company must make it easy and accessible for individuals to request these corrections.
Key rules for rectification
1) Platforms must allow corrections: Any system you use (like a web app, mobile app, or
database) that collects personal data must have an option for the person to correct it. For
example, a customer should be able to update their address in your online banking app.
2) No affidavit or newspaper publication needed: People don't need to go through formal, court-
style procedures to correct their data, especially if the correction aligns with their National
Identification Number (NIN). For example, if someone's name is misspelt, they can use
their NIN to prove the correct spelling, without needing to publish an affidavit in a
newspaper.
3) Free if the error is your company's fault: If your company caused the error (for example,
a typo when inputting details), the individual should not have to pay to get it corrected. For
instance, if a telecoms company wrongly enters "Oluwasegun" as "Olusegun," the
customer should not pay to fix it.
4) Opportunity to verify before final submission: Your systems must give users a clear
chance to review their data before they submit it permanently. For example, a loan
application form should show a summary page asking the user to confirm their details
before final submission.
5) The burden of proof is on you: If there is a dispute, you must be able to prove that you
gave the individual a fair opportunity to review and correct their data. This means your
systems should keep records showing when users had the chance to confirm their data.

Article 37: Exercise of Right to Data Portability
The right to take your data with you
This article explains the right to data portability, which allows people to obtain their personal
data and reuse it across different services. This means you must provide an individual with a
copy of their data in a usable, machine-readable format so they can take it with them to another
company.
Key rules explained
1) An individual has a right to portability: Individuals can request a copy of their data
in a structured, commonly used, and machine-readable format (like a CSV or JSON
file).
2) The right to portability only applies when:
a) The person’s data was provided based on their consent, OR
b) The data was collected or processed because of a contract.
It does not apply when the legal basis is a legal obligation or the performance
of a public interest duty.
Example: A music streaming subscriber can request a copy of their playlist
because the data was processed based on a contract. A hospital, however, can
refuse to give you raw patient data if it’s held due to public health laws, not
because of a contract or consent.
3) When more than one person's data is involved: If a portability request affects the
data of other people, their rights must also be protected.
Example: A social media user requests their chat history. The data also includes
messages from friends. Your company must balance both parties’ rights by providing
only the requesting user’s data and protecting the other people’s privacy.
4) It does not affect the right to erasure: Portability and erasure are separate rights.
Example: A customer can ask for their call history (portability) and also request that
you delete their old account (erasure).
5) Data needed for ongoing contracts can be kept: If a person exercises their right to
portability, it doesn’t mean that you should erase or delete the data that is necessary
to fulfil a contract.
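The chat-history case from rule 3, worked through as an added example (this is not code from the guide or from any NDPC material): the export contains only the requesting user's own messages in JSON or CSV, refuses when the lawful basis is not consent or contract, and a self-check confirms no other person's message text leaked. The message schema and the sample messages are constructed, and referring to counterparties by per-export pseudonymous handles is an assumed design choice, not a rule the guide states.

```python
import csv
import io
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One chat message held by the platform (constructed sample schema)."""
    msg_id: int
    sender: str
    recipient: str
    sent_at: str  # ISO 8601 timestamp
    body: str


# Constructed sample chat history: "ada" is the requesting user; "bola" and
# "chidi" are other data subjects whose own messages must not be handed over.
SAMPLE_MESSAGES = [
    Message(1, "ada", "bola", "2025-10-01T09:00:00Z", "Are we still meeting today?"),
    Message(2, "bola", "ada", "2025-10-01T09:02:00Z", "Yes, 3pm at the office."),
    Message(3, "ada", "chidi", "2025-10-02T11:30:00Z", "Can you send the invoice?"),
    Message(4, "chidi", "ada", "2025-10-02T11:45:00Z", "Sent, check your email."),
    Message(5, "bola", "chidi", "2025-10-03T08:00:00Z", "Unrelated thread."),
]

# Article 37 rule 2: portability applies only to consent- or contract-based processing.
PORTABLE_BASES = {"consent", "contract"}


def build_portability_export(messages, requester, lawful_basis):
    """Return a dict holding only the requester's own messages.

    Messages written by other people are withheld (Article 37 rule 3). The people
    the requester wrote to are referred to by pseudonymous handles that are stable
    within one export (assumed design choice) so the file does not reveal other
    users' account identifiers.
    """
    if lawful_basis not in PORTABLE_BASES:
        raise ValueError(
            f"portability does not apply to processing based on {lawful_basis!r}")

    handles = {}

    def handle_for(user):
        if user not in handles:
            handles[user] = f"contact-{len(handles) + 1}"
        return handles[user]

    own = sorted((m for m in messages if m.sender == requester),
                 key=lambda m: m.sent_at)
    records = [
        {"msg_id": m.msg_id, "sent_at": m.sent_at,
         "recipient": handle_for(m.recipient), "body": m.body}
        for m in own
    ]
    # Messages in the requester's threads that someone else wrote: counted for
    # transparency, never copied into the export.
    withheld = sum(1 for m in messages
                   if m.sender != requester and requester in (m.sender, m.recipient))
    return {
        "data_subject": requester,
        "lawful_basis": lawful_basis,
        "record_count": len(records),
        "withheld_third_party_messages": withheld,
        "messages": records,
    }


def export_as_json(export):
    """Structured, machine-readable form (Article 37 rule 1)."""
    return json.dumps(export, indent=2, sort_keys=True)


def export_as_csv(export):
    """Same records as CSV for users who prefer a spreadsheet-friendly file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["msg_id", "sent_at", "recipient", "body"])
    writer.writeheader()
    writer.writerows(export["messages"])
    return buf.getvalue()


def contains_third_party_content(export, messages, requester):
    """Release gate: True if any other person's message body appears in the export."""
    text = export_as_json(export)
    return any(m.body in text for m in messages if m.sender != requester)


if __name__ == "__main__":
    export = build_portability_export(SAMPLE_MESSAGES, "ada", "contract")
    assert not contains_third_party_content(export, SAMPLE_MESSAGES, "ada")
    print(export_as_json(export))
    print(export_as_csv(export))
```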

Article 38: Exercise of Right to be Forgotten
The right to delete your data (but not always)
This article explains the right to be forgotten (also called the right to erasure), which allows
individuals to ask for their personal data to be deleted under specific conditions. However, this
right is not absolute, and your company must balance it against other legal and public
interests.
1) When a person can ask for erasure
A person can request that you erase their data in the following situations:
a) Data is no longer needed: The data is no longer necessary for the original
purpose for which it was collected. Example: An old customer's delivery address is
still stored years after they stopped using your service. They can request its
deletion.
b) Consent is withdrawn: The person withdraws their consent for you to process
their data.
Example: A person unsubscribes from a fitness app and withdraws their consent
for storing their health records.
c) Legitimate interest is challenged: A person objects to you processing their data
based on legitimate interest, and you have no stronger legal reason to keep it.
Example: A bank uses legitimate interest to profile customers for offers. If a
customer objects, and the bank has no stronger legal reason, their data must be
erased.
d) Data is used for direct marketing: The person objects to their data being used
for direct marketing. This is an absolute right. Example: A user asks a retailer to
stop sending promotional emails. Their details must be deleted from marketing
databases.
e) Data was processed unlawfully: The data was processed without a valid legal
basis.
f) A legal obligation or ruling requires erasure: A court or a legal order requires
you to erase the data.
2) When you can refuse an erasure request
You can legally refuse to erase a person’s data in some cases:
a) Freedom of expression: If keeping the data is necessary for exercising the right
to freedom of expression and information.
b) Legal or public duties: If processing the data is required by a legal or public duty,
such as:
i. Tax retention rules: Keeping records for tax purposes.
ii. Elections database: Maintaining records for public interest tasks like
elections.
iii. Public health needs: Keeping data for contact tracing during a public
health crisis.
iv. Research and statistics: If erasing the data would seriously damage
important research or statistics.
v. Legal claims: If you need the data to defend yourself against a legal claim.
Example: A company retains employee data needed for a pending lawsuit.
3) Your obligation as the data controller when data has been shared
If you have made the data public or shared it with third parties, you must take reasonable
steps to ensure those third parties also erase it.
4) The burden of proof for public interest
If you want to refuse an erasure request by arguing that the data must remain public in the
"public interest," you must be able to prove it.

Article 39: Exercise of Right to Lodge a Complaint with the Commission
The right to complain to the NDPC
This article gives individuals the right to complain directly to the NDPC if they believe their
privacy or data rights have been violated. It explains the process, timelines, and obligations
for both the Commission and your company if you are investigated.
1) The data subject’s right to complain
This is the first line of defence for individuals whose privacy rights have been breached. It
is rooted in the Nigerian Constitution (Section 37, right to privacy) and the NDP Act
(Section 46, complaints mechanism).
2) Mandatory clause in all policies
Your company's privacy policy, terms and conditions, and any other relevant documents
must include a clear clause stating that individuals can complain to the NDPC.
3) How to submit a complaint
a) The NDPC will provide an online platform for complaints.
b) The NDPC will acknowledge receipt of a complaint within seven days.
c) Complaints can also be submitted via physical letter, email, or in person at the
NDPC's offices.
4) Preliminary evaluation of complaints
When the NDPC receives a complaint, it will check:
a) Whether the NDP Act applies to the situation.
b) Whether the case is urgent (e.g., involves an immediate risk of harm).
c) The potential impact on the person who complained or other people.
d) Whether temporary relief is needed.
5) Opening a case file
a) If the NDPC finds merit in the complaint, it will open a formal case file and begin
an investigation.
b) The NDPC will serve your company with a formal notice of the investigation.
c) The NDPC may ask your company to provide:
i. Details of any third-party data processors and your agreements with them.
ii. Information on which countries data is transferred to and the legal basis for
those transfers.
iii. Copies of your Data Protection Impact Assessments (DPIAs).
iv. The name and contact details of your Data Protection Officer (DPO).
6) Timeline for your response
Your company must respond to the NDPC within 21 days, unless instructed otherwise.
7) The Pre-Action Conference (PAC)
a) The NDPC may call a PAC, which is like a mediation session, to review evidence
from both sides. This may happen more than once if needed.
b) The NDPC can also compel other relevant people (like contractors or IT vendors)
to attend.
8) The NDPC's decision
a) If the NDPC confirms a violation, it can order your company to take corrective
action. This could include stopping the processing of data, paying fines, or
correcting inaccurate data.
b) The NDPC will communicate its decision to both the person who complained and
your company within seven days.
9) Temporary orders
The NDPC can issue temporary orders immediately to protect people if compensation
alone will not fix the harm.

Article 40: Data Subject’s Standard Notice to Address Grievance
The standardised complaint letter
This article introduces the Standard Notice to Address Grievance (SNAG). A SNAG is a
standard template that an individual can use to raise a complaint directly with your company
before (or at the same time as) going to the NDPC.
The SNAG is an optional tool. It is not mandatory to send one before complaining to the NDPC.
The purpose is to give individuals a structured, formal way to seek a resolution internally,
ensuring you receive a clear and standardised message. The SNAG template is included in
Schedule 9 of the GAID.
1) When a SNAG applies
A person can issue a SNAG to your company if they reasonably believe their privacy rights
have been violated.
2) It is not a required first step
Sending a SNAG is optional. Individuals can still complain directly to the NDPC or go to
court without sending a SNAG first.
3) Who can send a SNAG
a) The individual affected (the data subject).
b) Someone authorised by the individual, like a lawyer.
c) Civil society organisations acting in the public interest.
4) Electronic platform
The NDPC may set up a system to track all SNAGs that are submitted.
5) Your duty after receiving a SNAG
You must communicate your decision and response to the NDPC through the designated
platform.
If the NDPC notices that a SNAG has gone unresolved, it can start an investigation
directly.
6) Medium of submission
A SNAG can be sent by physical letter, phone messaging, email, courier, or any other
reasonable means.

Article 41: Data Ethics, Privacy and Dignity of the Human Person
Go beyond the law, be ethical
This article moves past simple legal compliance and puts a strong emphasis on ethics,
fairness, and respect for human dignity when handling personal data. It means your company
should not just follow the letter of the law but also the spirit of fairness and respect.
1) Prioritising data ethics
Your company must embed ethical considerations into all its data processing operations.
Data ethics is about going beyond just following the rules to ensure respect, fairness, and
dignity for every person.
2) Transparency
You must provide individuals with clear, simple, and truthful information about:
a) What data is being collected.
b) Why it is being collected.
c) How it is processed and stored.
This allows people to make informed choices.
3) Fairness and non-discrimination
Your data processing must not discriminate against anyone based on gender, ethnicity,
religion, disability, or any other factor. Everyone deserves equal protection and treatment.
4) Responsible data management
You must implement strong technical and organisational security measures and
continuously update them as technology evolves.
5) Human dignity and autonomy
You must not use data in ways that undermine people's autonomy, freedom, or integrity.
This means respecting the intrinsic value of their personal data.
6) Prohibition of harmful processing
You are not allowed to process data in any way that:
a) Harms individuals.
b) Creates unfair or discriminatory profiles.
c) Uses biased algorithms.
7) Third-party data sharing
If you originally obtained data with consent, you must get explicit consent again before
sharing it with third parties. You must clearly state:
a) The purpose of sharing.
b) The scope (what data will be shared).
c) The duration of the sharing.
d) Individuals must have the right to withdraw their consent at any time.
8) Continuous education and awareness
You should educate people about their digital rights. This helps them exercise better
control over their data.
9) Building a trustworthy digital ecosystem
The ultimate goal is to create a trustworthy digital environment where:
a) Privacy is respected.
b) Dignity is upheld.
c) Ethical data use is the norm.

Article 42: Application of Global Best Practice on Data Ethics
Global standards for data ethics
This article emphasises the need for your company to align its practices with global best
practices on data ethics. This means going beyond legal compliance to ensure your data
processing is transparent, fair, and respectful of individuals' rights and dignity.
1) Acknowledge that data belongs to the individual
a) Personal data ultimately belongs to the individual, not to your company.
b) Your data processing must respect the person's values, culture, faith, and legal
expectations.
c) If your company profits from using personal data, it should share social benefits,
for example, through Corporate Social Responsibility (CSR). Example: A telecom
company that uses customer data for analytics could fund digital literacy programs
as part of its CSR.
2) Demonstrate transparency and accountability
a) Your transparency must be provable, not just claimed.
b) You must be able to show how you are transparent and accountable for your data
handling.
c) Disclosures must include the expected outcomes of data use, the technologies
employed (like AI), associated risks, mitigation strategies, and channels for
complaints.
3) Respect informational autonomy
a) People should be able to control their own information, even after giving consent.
b) Careless or negligent sharing of data is unethical.
c) Any data sharing must be done in a way that avoids prejudice, abuse, or indecent
purposes, such as spreading harmful content.
4) Ensure fairness of intention
a) Data processing must be lawful, ethical, and have a clear, fair intention.
b) The principle that "if it’s not prohibited, it’s allowed" does not apply. Your intentions
must be explicitly fair.
5) Assess outcomes
a) Your company must evaluate the real-world impact of its data processing,
especially on human rights.
b) Use tools like Data Protection Impact Assessments (DPIAs), sandboxes, and
simulations to identify risks.
6) If the outcomes of your processing differ significantly from what you told users, it could be
a breach of trust and your duty of care.
7) The assessment must consider how data processing affects human rights, such as
privacy, equality, and dignity.

Article 43: Emerging Technologies
A privacy check for your new technologies
This article explains the rules for using emerging technologies (ETs) like AI, Internet of Things
(IoT), and Blockchain to process people's personal data. It emphasises that compliance goes
beyond just the technology itself; it also involves following the NDP Act and broader public
policy goals.
When using ETs, you must comply with:
• The NDP Act.
• Relevant public policy goals, such as child protection, national security, and digital
inclusion.
• The General Application and Implementation Directive (GAID) and any other rules
from the Nigeria Data Protection Commission (NDPC).
1) Parameters for ET design
a) Your ETs must be designed with privacy by design and privacy by default built in.
b) They must also respect core data subjects' rights, such as:
i. Automated decision-making: People have the right not to be subject
solely to decisions made by AI or algorithms without human oversight.
ii. Right to be forgotten: For technologies like blockchain and IoT that make
it hard to delete data, you should use solutions like tokenisation or synthetic
data to protect privacy.
c) Sensitive data safeguards: For sensitive data like biometrics or health
information, you need higher levels of protection.
d) Children and vulnerable groups: These groups require special protections. You
must consider the risks identified in your Data Subjects’ Vulnerability Index (DSVI).
e) Cross-border data flows: You must comply with all NDP Act restrictions when
sending data outside Nigeria.
f) Data Minimisation: Build your ETs so they collect the minimum amount of data
necessary.
Example: An AI recruitment tool must have a human review every automated rejection to
prevent unfair decisions.
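The tokenisation approach mentioned under the right to be forgotten (point 1.b.ii above) can be shown concretely. The block below is an added example, not code from the GAID or from this guide's author. It assumes an append-only store (a blockchain or a write-once IoT event log) that can never be rewritten, and puts a separately held vault in front of it: only a keyed token goes onto the ledger, the personal data lives in the vault, and an erasure request is honoured by deleting the vault entry, which leaves the ledger intact but makes the token resolve to nothing. The `Ledger` and `Vault` classes and the "meter-0042" subject identifier are this example's own constructions; a real deployment would back the vault with an access-controlled database or an HSM-protected key store.

```python
"""Tokenisation vault in front of an append-only ledger (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets


class Ledger:
    """Stand-in for an immutable store (blockchain, write-once IoT log):
    entries can be appended but never altered or removed."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, entry: dict) -> int:
        self._entries.append(dict(entry))  # copy so later edits cannot leak in
        return len(self._entries) - 1

    def get(self, idx: int) -> dict:
        return dict(self._entries[idx])

    def __len__(self) -> int:
        return len(self._entries)


class Vault:
    """Token -> personal data mapping, held off-ledger under the controller's control."""

    def __init__(self, key: bytes | None = None) -> None:
        # Keyed tokens: without the key nobody can recompute a token from a guessed
        # identifier, and the token itself reveals nothing about the value.
        self._key = key or secrets.token_bytes(32)
        self._store: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._store[token] = value
        return token

    def detokenise(self, token: str) -> str | None:
        return self._store.get(token)

    def erase(self, token: str) -> bool:
        """Honour an erasure request: drop the mapping. The ledger entry stays,
        but it now refers to a token that resolves to nothing."""
        return self._store.pop(token, None) is not None


def record_reading(ledger: Ledger, vault: Vault, subject_id: str, reading: float) -> tuple[int, str]:
    """Write a reading to the ledger with the subject identified only by token."""
    token = vault.tokenise(subject_id)
    return ledger.append({"subject": token, "reading": reading}), token


def resolve_entry(ledger: Ledger, vault: Vault, idx: int) -> dict:
    """Read a ledger entry back, resolving the token through the vault."""
    entry = ledger.get(idx)
    entry["subject"] = vault.detokenise(entry["subject"])
    return entry


def demo() -> dict:
    """Walk through write, read and erase on constructed data; returns the observations."""
    ledger, vault = Ledger(), Vault()
    idx1, tok = record_reading(ledger, vault, "meter-0042", 12.5)   # constructed sample
    _, tok_again = record_reading(ledger, vault, "meter-0042", 13.1)
    before = resolve_entry(ledger, vault, idx1)["subject"]
    erased = vault.erase(tok)
    after = resolve_entry(ledger, vault, idx1)["subject"]
    return {
        "same_subject_same_token": tok == tok_again,
        "resolved_before": before,
        "erased": erased,
        "resolved_after": after,
        "ledger_untouched": len(ledger) == 2 and ledger.get(idx1)["subject"] == tok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the token is a keyed hash of the identifier, every entry for the same subject carries the same token, which lets you run analytics across a subject's records without the ledger ever holding the identifier. If that linkability is itself a risk for your use case, issue a fresh random token per entry instead and keep the per-entry mapping in the vault; erasure then works the same way.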
2) Documentation and filing
You must document all the technical and organisational details of your ETs. This
information must be submitted as part of your annual Compliance Audit Returns (CAR) to
the NDPC.
3) Mandatory DPIA for ETs
a) You must conduct a Data Protection Impact Assessment (DPIA) before deploying
any ET. The DPIA must include:
i. Disparate outcome analysis: Checking for any unfair bias in the results.
ii. Data Subjects’ Vulnerability Index (DSVI): Identifying risks for vulnerable
groups.
4) Continuous monitoring
Even after your ET is approved, you must continuously monitor its deployment. Regular
audits and reviews are mandatory to ensure your ETs remain safe and fair.
5) Meaning of “suitability” and “possibility”
These terms mean you are obligated to take all reasonable technical and organisational
steps to guarantee:
a) The fair use of your ETs.
b) Your accountability through proper documentation and audits.
c) Your compliance with data ethics principles.

Article 44: Parameters for Assessing Privacy and Public Interest in
Emerging Technologies
Balancing innovation with privacy
This article explains how the NDPC assesses Emerging Technologies (ETs), looking at how
they balance innovation and public interest with protecting individuals' privacy rights. The goal
is to encourage ETs that are both beneficial and privacy-friendly.
1) Priority for privacy-friendly ETs
The NDPC will support and promote ETs that enhance privacy, following international best
practices and law. This means that tools designed to protect data (like encryption,
anonymisation, or privacy-preserving AI) will receive regulatory support and recognition.
2) Balancing privacy and economic development
The NDPC understands that ETs drive economic growth and strengthen Nigeria’s position
in the global digital economy. Therefore, ETs are encouraged if they lead to sustainable
development, but only if personal data is processed lawfully and responsibly.
3) Alignment with global standards and human rights
You can benchmark your ET use against global documents like the UN Resolution on
Artificial Intelligence. However, you must avoid or stop using ET systems that:
a) Cannot comply with human rights law, such as systems that inherently discriminate
or enable surveillance without proper limits.
b) Pose unacceptable risks to fundamental rights like privacy, equality, and dignity.

Article 45: Cross-Border Data Transfer
Sending data outside Nigeria
This article explains the rules for transferring personal data outside of Nigeria. All cross-border
data transfers are ultimately governed by the NDP Act.
According to Section 63 of the NDP Act, all rules concerning sending personal data outside of
Nigeria must follow Part VIII of the NDP Act. This means that while other rules may exist, the
NDP Act is the final authority.
Schedule 5 acts as a guide for determining if another country has adequate data protection
for the personal data of a Nigerian.
Essentially, Schedule 5 of the GAID allows for the transfer of personal data outside Nigeria if:
1) The destination country has adequate data protection as declared by the NDPC.
2) A special agreement called a Cross-Border Data Transfer Instrument (CBDTI), such as
Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), Codes of
Conduct or Certification, is in place and approved by the NDPC.
3) Another lawful basis, such as one of the following, has been established:
a) Defence or establishment of a legal claim
b) Protecting someone's vital interest
c) Public interest
d) The data subject concerned has given and has not withdrawn consent where risks
have been properly communicated, and there is a clear indication that the data
subject understands the risks involved.
e) You have established a contract with the data subject for this purpose.
f) The purpose of the transfer is for the sole benefit of the data subject.
See Schedule 5 of the GAID for more details.

Article 46: Capacity Building in Data Protection and Continuous
Professional Development Credits
Making your team data privacy experts
This article emphasises that training on data protection is mandatory, not optional, for your
company. It also explains the NDPC's role in promoting professional development to build a
skilled workforce in data privacy.
All your employees and contractors must be trained on data protection and stay up-to-date on
new developments that are relevant to their jobs.
The NDPC may also establish and communicate:
• A training and certification mechanism.
• A system for professional credits to encourage continuous development in data
protection.
Compliance checklist for your company
☐ Establish a formal training program for all staff.
☐ Keep records of training completed, including attendance logs and certificates.
☐ Provide role-based training for different teams and hierarchy within your organisation.
☐ Ensure regular refresher courses on emerging risks and new regulations.
☐ Encourage your staff, especially your DPO, to pursue NDPC-recognised certifications.

Article 47: Jurisdiction of Court and Access to Justice
You can be taken to court anywhere in Nigeria
This article explains that individuals have the right to take your company to court if their data
privacy rights are violated. This access to justice must be easy and accessible, protecting the
individual's constitutional right to privacy.
1) The right to go to court
Individuals have the right to sue your company if their data privacy rights are violated. This
right is guaranteed by Section 46 of the 1999 Constitution, which protects fundamental
rights in Nigeria.
2) Access to justice must be easy
a) For Nigeria to meet international data protection standards, people must have easy
access to courts, especially close to where they live.
b) An individual can take your company (or any other company or government body)
to the nearest Federal or State High Court in the country, not just the one where
your company is located.
c) These cases will follow the Fundamental Rights Enforcement Procedure Rules,
which are special rules for the quick resolution of rights violations.

Article 48: Evidence of Compliance with the NDP Act
Your proof of compliance matters
This article explains how the NDPC evaluates evidence of your compliance with the NDP Act.
It emphasises that while showing good faith by registering and filing is important, specific
evidence is required when defending against a complaint.
1) Context matters for compliance evidence
a) When you present evidence of compliance (like policies, filings, or audits), the
NDPC will evaluate it only within the context to which it relates.
b) This means that showing you complied in one area doesn't automatically mean you
are covered in all others. For example, if a customer complains that their data was
shared without consent, you must provide consent logs, not just refer to your
general DPIA filing.
2) Registration and filings show good faith
Actions like registering with the NDPC, filing your annual Compliance Audit Return (CAR),
submitting Data Protection Impact Assessments (DPIAs), and getting approval for cross-
border transfers all show your company's commitment and accountability. However, they
are not a substitute for specific proof when you are defending against a complaint.
3) The NDPC sees compliance as cooperation
Under Section 48(6)(f) of the NDP Act, the NDPC considers your ongoing compliance
activities as a sign of your cooperation. This means that regulators are likely to view you
more favourably if you can actively demonstrate compliance, even if an issue arises.
Practical steps to prove compliance
☐ Register with the NDPC.
☐ File your Annual CAR with evidence of your controls.
☐ Submit DPIAs for any high-risk processing activities.
☐ Document all lawful bases for processing data (consent, contract, etc.).
☐ Keep logs of data transfers, consents, breaches, and remedial actions.
☐ Show continuous cooperation with the NDPC by responding promptly and being open
to audits.

Article 49: Consideration of Time-Bound and Non-Time-Bound
Obligations
Promptness, urgency, and privacy rights.
This article explains that when it comes to handling data and requests from individuals, you
must act in a way that always protects their rights. It covers both obligations with specific
deadlines and those without.
1) Data subject rights come first
The most important factor is always protecting the rights and freedoms of individuals, as
guaranteed by the Nigerian Constitution. Whether your company fulfils an obligation "on
time" is judged by how well you protect these rights, not just by meeting a deadline.
2) Timely action for non-time-bound obligations
Some duties under the NDP Act do not have fixed deadlines. Even for these, you must act
as quickly as possible. You should consider:
a) The urgency of the request.
b) Whether a delay could harm the individual's rights.
c) If no law sets a timeframe, the person making the request may propose one, and
you must respect it unless it is unreasonable.
3) Data storage time limit
If the law doesn’t specify how long data can be stored, the maximum storage time is six
months after the purpose for which it was collected has been achieved. After this period,
the data must be deleted or anonymised.
4) Exceptions for legal or due diligence reasons
You may store data longer than six months in some situations, even after the original
purpose is complete:
a) If it is needed to defend against a legal claim.
b) For due diligence purposes, like background checks or compliance reviews.
However, if you do keep the data, you must apply appropriate security measures, such as
encryption and access controls.
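Points 3 and 4 above describe a retention rule with exceptions, which in practice is enforced by a periodic sweep. The block below is an added example, not code from the GAID or from this guide's author. It assumes each record carries the date its processing purpose was achieved (blank while the purpose is still active), flags for the legal-claim and due-diligence exceptions, a flag saying whether the record is encrypted at rest, and a `keep_anonymised` flag (this example's own assumption) for records the controller wants to keep in non-identifying form rather than delete. The `Record` class, the six-record `SAMPLE` list and the field names are all constructed for the example; the six-month limit is counted in calendar months from the purpose-completion date.

```python
"""Retention sweep for the default six-month storage limit (added example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, replace
from datetime import date

RETENTION_MONTHS = 6  # the default limit when no law sets a longer period


@dataclass(frozen=True)
class Record:
    record_id: str
    email: str | None                # identifying field that deletion or anonymisation removes
    purpose_completed: date | None   # None while the original purpose is still being pursued
    legal_claim: bool = False        # needed to defend or establish a legal claim
    due_diligence: bool = False      # needed for a due-diligence or compliance review
    encrypted_at_rest: bool = False  # security measure required when data is held past the limit
    keep_anonymised: bool = False    # assumption: keep a non-identifying copy instead of deleting


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def decide(rec: Record, today: date) -> str:
    """Return the action the sweep should take for one record on the given date."""
    if rec.purpose_completed is None:
        return "retain: purpose still active"
    if today < add_months(rec.purpose_completed, RETENTION_MONTHS):
        return "retain: within retention window"
    if rec.legal_claim or rec.due_diligence:
        reason = "legal claim" if rec.legal_claim else "due diligence"
        # Past the limit, an exception only holds if the security measures are in place.
        if not rec.encrypted_at_rest:
            return f"escalate: held for {reason} but not encrypted"
        return f"retain: {reason}"
    return "anonymise" if rec.keep_anonymised else "delete"


def anonymise(rec: Record) -> Record:
    """Strip the identifying field; the rest of the record stays for statistics."""
    return replace(rec, email=None)


def sweep(records: list[Record], today: date) -> tuple[dict[str, str], list[Record]]:
    """Apply decide() to every record; returns the audit trail and the surviving records."""
    decisions: dict[str, str] = {}
    survivors: list[Record] = []
    for rec in records:
        action = decide(rec, today)
        decisions[rec.record_id] = action
        if action == "delete":
            continue
        survivors.append(anonymise(rec) if action == "anonymise" else rec)
    return decisions, survivors


# Constructed sample data for the example; none of it is real.
SAMPLE = [
    Record("r1", "[email protected]", date(2025, 3, 1)),
    Record("r2", "[email protected]", date(2025, 6, 1)),
    Record("r3", "[email protected]", date(2024, 12, 31), legal_claim=True, encrypted_at_rest=True),
    Record("r4", "[email protected]", date(2025, 1, 15), due_diligence=True),
    Record("r5", "[email protected]", None),
    Record("r6", "[email protected]", date(2025, 2, 28), keep_anonymised=True),
]


if __name__ == "__main__":
    audit, remaining = sweep(SAMPLE, date(2025, 10, 18))
    for rid, action in audit.items():
        print(f"{rid}: {action}")
    print("remaining:", [r.record_id for r in remaining])
```

The `escalate` outcome is the one worth watching in a real run: a record that is lawfully held past the limit for a legal claim or due diligence but sits unencrypted is exactly the case the article says is not acceptable, so the sweep surfaces it for remediation rather than silently keeping or deleting it.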

REFERENCES
• Nigeria Data Protection Commission (NDPC) https://ndpc.gov.ng/
• NDP Act https://ndpc.gov.ng/resources/
• NDP Act GAID https://ndpc.gov.ng/resources/
• Information Commissioner's Office (ICO) https://ico.org.uk/

APPENDIX
Below are the useful resources referenced in this guide, which are linked below or included
as attachments.
• Additional Resources (Google Drive)
• NDP Act GAID Schedules 1-10 (https://ndpc.gov.ng/resources/)
• Cookie Banner Sample (https://ico.org.uk/)

ABOUT THE AUTHOR
Muiz Adeleke is a Senior Consultant specialising in
Cybersecurity and Data Privacy. He has helped numerous
industry-leading organisations build mature data privacy
programs and comply with the requirements of the NDPC and
global best practices.
This guide is a result of his commitment to making data privacy
understandable for everyone. He breaks down complex
requirements into simple, everyday language, using relatable
examples to ensure no one is left behind.
When he's not demystifying data protection, Muiz enjoys long
walks, watching football, and binge-watching TV series.

Contacts

[email protected]
https://www.linkedin.com/in/muizadeleke/