Introduction
Consent is essential to data protection, giving individuals control over their personal information. However, with algorithmic profiling, biometric surveillance, and cross-border data sharing, traditional consent faces challenges. Nigeria’s General Application and Implementation Directive (GAID) 2025, under the Nigeria Data Protection Act (NDPA), signifies a shift in how consent is understood, implemented, and enforced, especially for sensitive data.
This article examines the evolution of consent as a lawful basis for processing, the specific thresholds required under GAID 2025, and the compliance obligations imposed on data controllers. It also examines the tension between empowering data subjects and ensuring organisations implement robust safeguards when handling high-risk data categories.
Consent under GAID 2025
GAID 2025 views consent as a dynamic, evidence-based expression of an individual’s control over their personal data, rather than just a simple checkbox. Under the new Directive, consent must be recorded, revocable at any time, and clearly informed—placing the responsibility on data controllers to demonstrate that each affirmative action is made by a fully aware data subject¹. Every request for consent must clearly explain the processing purposes in straightforward, non-legal language. Data subjects need to understand not only what data is collected, but also why, how long it will be kept, and with whom it may be shared.
At all times where consent is required, a data subject shall be provided with a clear and explicit option to accept or decline².
Controllers shall maintain accurate records that ensure accountability regarding consent given³.
The GAID 2025 allows constructive or implied consent for data processing in specific situations:
- Public Event Participation⁴
Images of participants at public events can be used for reporting purposes. Such images cannot be utilised for profit or commercial advertisements without explicit consent. Data controllers must ensure photographs do not portray participants negatively and may inform participants about potential uses of captured images.
- Privacy Notice Closure⁵
Closing a privacy notice that obstructs webpage viewing implies consent for limited data collection. Data gathered must be restricted to what is necessary for basic website functionality, such as responding to and analysing user interactions.
These provisions are subject to the NDPA and Article 18 of the GAID.
Consent as a Lawful Basis for Processing
Under GAID 2025, consent is listed alongside contractual obligation, legal obligation, vital interest, public interest, and legitimate interest as one of the six lawful bases for processing personal data⁶.
However, where reliance on consent may effectively undermine the rule of law, another lawful basis may be considered⁷.
Special Rule of Law Indexes (SRLI)⁸
When analysing complaints about data processing based on consent, the Commission assesses whether reliance on consent threatens the rule of law using the Special Rule of Law Indexes (SRLI). These include risks to rights and freedoms, security, public welfare and sustainable development, and the proportionality and necessity of the processing. The evaluation also considers the effectiveness of justice delivery, focusing on equality before the law and judicial neutrality, as well as the past relationship between the data controller and the data subject⁹.
Data Processing that Requires Consent
Consent is explicitly required under the GAID in several key circumstances to protect data subjects. These include¹⁰:
- Engaging in direct marketing,
- Handling sensitive personal data,
- Further processing beyond the original intended purpose,
- Processing children’s data,
- Transferring data to countries without an adequacy decision from the Commission, and
- Making decisions based solely on automated processing that have significant legal or personal effects.
These requirements operate alongside the provisions of the NDPA and other applicable laws.
A Compliance Audit Report (CAR) must clearly specify whether the data controller or data processor relies on consent for any of the processing activities listed in Article 18(1), such as direct marketing or handling sensitive personal data. This promotes transparency in how consent is used across key processing actions¹¹.
Navigating the Challenges of Sensitive Data Processing
Handling sensitive personal data such as health records, racial or ethnic origin, political opinions, religious beliefs and sexual orientation increases compliance and operational challenges. The following issues are especially acute.
- Precision in Data Mapping and Classification
Organisations must first identify where sensitive data is stored. As per Article 18 of GAID 2025, processing sensitive personal data—like health details, biometric data, religious beliefs, political views, and sexual orientation—requires explicit consent. This consent must be:
- Freely given, specific, informed, and unambiguous
- Documented with clear audit trails
- Withdrawable at any time, with processing ceasing upon revocation
Consent is also required for cookies and tracking tools that process sensitive data¹².
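The requirements above (Article 17: consent recorded, revocable at any time, clearly informed; Article 18: explicit consent for sensitive data, with processing ceasing on withdrawal; Article 17(8): implied consent acceptable only for basic website functionality) translate directly into the shape of a consent store. The following is an added illustration, not code from the article, the GAID or any NDPC tooling: an append-only consent ledger in which the latest event per subject and purpose decides whether processing may proceed, implied consent is rejected for purposes that require an explicit affirmative act, and every decision leaves an audit trail. The purpose names, the `Purpose` and `ConsentEvent` structures and the sample events are assumptions made for the example.

```python
"""Consent ledger: an added example, not part of the GAID or the article.

Purpose names, record structure and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Kind(Enum):
    EXPLICIT = "explicit"   # affirmative act: ticked box, signed form
    IMPLIED = "implied"     # e.g. closing a notice that obstructs the page


@dataclass(frozen=True)
class Purpose:
    name: str
    requires_explicit: bool   # True for the Article 18(1) categories


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str               # "given" or "withdrawn"
    kind: Optional[Kind]      # None for a withdrawal
    notice_version: str       # which privacy notice the subject saw
    at: datetime


class ConsentLedger:
    """Append-only store; the latest event per (subject, purpose) wins."""

    def __init__(self, purposes: List[Purpose]):
        self._purposes: Dict[str, Purpose] = {p.name: p for p in purposes}
        self._events: List[ConsentEvent] = []

    def give(self, subject_id: str, purpose: str, kind: Kind,
             notice_version: str, at: Optional[datetime] = None) -> None:
        p = self._purposes[purpose]        # unknown purpose -> KeyError
        if p.requires_explicit and kind is not Kind.EXPLICIT:
            raise ValueError(f"{purpose!r} needs explicit consent, got {kind.value}")
        self._events.append(ConsentEvent(subject_id, purpose, "given", kind,
                                         notice_version, at or datetime.now(timezone.utc)))

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> None:
        # Withdrawal is always accepted and recorded, even if nothing was given.
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn", None,
                                         "-", at or datetime.now(timezone.utc)))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for e in reversed(self._events):
            if e.subject_id == subject_id and e.purpose == purpose:
                return e
        return None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.action == "given"

    def audit_trail(self, subject_id: str) -> List[Tuple[str, str, str, str]]:
        """Chronological (timestamp, purpose, action, kind) rows for one subject."""
        return [(e.at.isoformat(), e.purpose, e.action,
                 e.kind.value if e.kind else "-")
                for e in self._events if e.subject_id == subject_id]


def run_if_permitted(ledger: ConsentLedger, subject_id: str, purpose: str,
                     processing: Callable[[], object]) -> object:
    """Gate a processing step on current consent; refuse after withdrawal."""
    if not ledger.is_permitted(subject_id, purpose):
        raise PermissionError(f"no valid consent for {subject_id!r}/{purpose!r}")
    return processing()


def demo() -> ConsentLedger:
    """Constructed sample: one subject, three purposes, one withdrawal."""
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger([
        Purpose("site_functionality", requires_explicit=False),
        Purpose("direct_marketing", requires_explicit=True),
        Purpose("health_records", requires_explicit=True),
    ])
    ledger.give("s1", "site_functionality", Kind.IMPLIED, "notice-v3", t0)
    ledger.give("s1", "health_records", Kind.EXPLICIT, "notice-v3", t0)
    ledger.withdraw("s1", "health_records", t0.replace(hour=10))
    return ledger
```

Two design points matter for an auditor: the ledger never overwrites or deletes an event, so the withdrawal and the earlier grant both survive and the record for a subject can be produced on request; and the gate is evaluated at the moment of processing rather than at enrolment, which is what makes "processing ceasing upon revocation" a property of the system rather than a promise in a policy.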
- Security and Breach Notification
Under Article 33, controllers and processors must:
- Implement Confidentiality, Integrity, and Availability (CIA) safeguards
- Notify the NDPC of any personal data breach within 72 hours
- Inform affected data subjects immediately if the breach poses a high risk.
Security measures must be documented and reviewed periodically¹³.
- Conducting Robust Impact Assessments¹⁴
When processing sensitive data poses significant risks, Article 28 and Schedule 4 of GAID 2025 mandate a data privacy impact assessment (DPIA) before processing begins. Controllers must perform DPIAs prior to any processing involving:
- Sensitive personal data
- Emerging technologies (e.g., Artificial Intelligence, Internet of Things)
- Automated decision-making
- Cross-border transfers
DPIAs must assess risks to data subjects and outline mitigation strategies. High-risk DPIAs may be subject to NDPC review.
- Cross-Border Transfer Complexities
Transferring sensitive personal data overseas requires a valid lawful basis and a transfer mechanism such as standard contractual clauses, binding corporate rules, or an NDPC adequacy decision¹⁵.
Aligning these mechanisms with evolving EU, UK, and African Union data-transfer standards requires ongoing legal oversight and contractual updates.
- Governance and Internal Controls¹⁶
Under Articles 11–14, entities recognised as key data controllers or processors must:
- Appoint a Data Protection Officer (DPO)
- Submit semi-annual data protection reports
- Ensure their DPOs undergo annual credential assessments
Internal controls should incorporate staff sensitisation schedules (Article 30) and privacy governance frameworks.
By addressing these challenges through cross-functional collaboration—legal, IT, risk management, and operations—organisations can turn GAID 2025 regulations into a strategic advantage, demonstrating reliability to regulators, partners, and data subjects.
Implementation Roadmap for GAID 2025 Compliance
Achieving full compliance requires a phased approach that aligns resources, timelines, and risks. The roadmap below divides the journey into four phases.
Phase 1: Assessment and Gap Analysis
- Conduct a detailed inventory of all personal data flows and processing activities.
- Map existing controls against GAID 2025 requirements to identify gaps in consent, security, DPIAs, and data-transfer mechanisms.
- Score each gap by risk level and operational impact to prioritise remediation.
Phase 2: Strategy and Policy Development
- Draft or update privacy policies, data-subject-request procedures, and consent-management frameworks.
- Define roles, responsibilities, and governance structures, and appoint a Data Protection Officer if one is not already designated.
Phase 3: Training, Communication, and Change Management
- Implement targeted training for legal, IT, HR, marketing, and customer teams.
- Publish clear, user-friendly privacy notices on websites, apps, and internal portals.
Phase 4: Monitoring, Review, and Continuous Improvement
- Develop real-time dashboards to oversee consent, breach alerts, and DPIA progress.
- Schedule quarterly audits of key controls, with well-defined escalation procedures for identified deficiencies.
- Regularly revise policies and technical controls in response to regulatory modifications, audit findings, or new business initiatives.
Conclusion
Embracing GAID 2025 isn’t just about meeting regulations—it’s about integrating privacy and security, building trust, and fostering innovation. A clear roadmap, automation, and ongoing assessment can turn compliance into a competitive advantage.
This article is intended for general information purposes only. It does not constitute legal advice. Organizations should seek tailored advice from a qualified legal professional to address specific compliance needs.
For further information or assistance with data protection compliance and advisory services, please contact the Lex Luminar team at support@lexluminar.com
Footnotes
- General Application and Implementation Directive (GAID) 2025, Article 17(1) – Reliance on consent.
- GAID 2025, Article 17(9)
- GAID 2025, Article 17(6)
- GAID 2025, Article 17(8)(a)
- GAID 2025, Article 17(8)(b)
- GAID 2025, Article 16 – Enumeration of lawful processing bases.
- GAID 2025, Article 17(2)
- GAID 2025, Article 17(4) – Special Rule of Law Indexes (SRLI).
- GAID 2025, Article 17(3) Consideration for SRLI.
- GAID 2025, Article 18(1) – Data processing that requires consent
- GAID 2025, Article 18(2)
- GAID 2025, Article 19 – Consent to cookies and other tracking
- GAID 2025, Article 29 – Monitoring, Evaluation and Maintenance of Data Security System
- GAID 2025, Article 28, Schedule 4 – Data Privacy Impact Assessment
- GAID 2025, Article 45, Schedule 5 – Cross-Border Data Transfer; Nigeria Data Protection Commission (NDPC)
- GAID 2025, Article 7 – General NDP Act Compliance Measures by Data Controllers and Data Processors