Introduction
In continuation of our GAID 2025 Series, which examined the General Application and Implementation Directive (GAID)'s expanded compliance obligations, individual responsibilities, and risk-based classification framework – GAID 2025 Unpacked: Critical Updates on Data Processing, Individual Obligations, and Compliance Measures – this second instalment focuses on three equally significant themes: (a) the enhanced role and responsibilities of Data Protection Officers (DPOs); (b) the broadened scope of the mandatory consent requirement for specific processing activities; and (c) the compliance expectations for organisations deploying emerging technologies such as Artificial Intelligence (AI), the Internet of Things (IoT), and Blockchain for the purpose of processing personal data. Together, these provisions signal a maturing regulatory environment in which data governance is more structured, risk-sensitive and accountability-driven.
A. Obligation of Data Protection Officer (DPO)
Under Section 32 of the Nigeria Data Protection Act (NDPA), every data controller of major importance is required to appoint a DPO, who may be either a staff member or an external service provider engaged under a valid service contract. Such a person must possess: (i) expert knowledge of data protection law and practices; and (ii) the ability to carry out the duties prescribed under the Act.
The GAID, however, advances this requirement by defining the DPO as an independent compliance role, charged with ensuring that an organisation's data processing operations align with and comply with all applicable laws and standards.
Expanded Duties under the GAID
The GAID further elaborates on the responsibilities of DPOs, which include:
- Advisory Role: The DPO must be actively involved in the planning and execution of the organisation's data processing activities, ensuring ongoing compliance and providing expert guidance.
- Contact Point for Data Subjects: The DPO also serves as the primary contact through which data subjects exercise their rights under the NDPA or lodge complaints. The GAID mandates that the data controller or processor must publish the contact details of the DPO and notify the Nigeria Data Protection Commission (NDPC) in the prescribed format.
- Compilation and Submission of the Semi-Annual Data Protection Report: The DPO must prepare and submit a semi-annual data protection report (“Report”) detailing the organisation's compliance status over the preceding six (6) months. The Report must include a summary of the types of data processed, the applicable data protection principles and lawful bases, a privacy notice assessment, any Data Protection Impact Assessment (DPIA) or Legitimate Interest Assessment (LIA) conducted, the ease with which data subjects can exercise their rights, complaints received and remedial steps taken, notices or guidance from the NDPC, data security measures, the grounds relied on for cross-border transfers, and any reported breaches. The Report forms part of the organisation's Record of Processing Activities (RoPA) and is subject to review by a Data Protection Compliance Organisation (DPCO) during an NDPA compliance audit.[1]
B. Mandatory Consent Requirement for Certain Types of Processing
In addition to the provisions of the NDPA, the GAID broadens instances where explicit consent is required, thereby strengthening data subjects' autonomy and transparency obligations for controllers and processors.
Key instances include:
- Direct Marketing Activity: The GAID requires express consent where the data processor or controller communicates directly with its customers to promote or advertise its products or services. For example, under Article 8(a), where pictures of a data subject are taken at a public event and used for journalistic purposes, consent is implied. However, if the image is used for profit-making or commercial advertising, express consent from the data subject is compulsory.
- Processing of Sensitive Personal Data: The GAID reaffirms that data relating to an individual's genetic and biometric data, race or ethnic origin, religious beliefs, health status, sex life, political opinions or affiliations, trade union membership and other information as prescribed by the NDPC fall within the category of sensitive personal data and may only be processed with the data subject's express consent.
- Further Processing for Incompatible Purposes: Any data processing that diverges from the original lawful purpose requires renewed and specific consent.
- Processing Personal Data of Minors: The GAID reinforces Section 31 of the NDPA, mandating that express consent must be obtained from a parent or legal guardian prior to processing a child's data.
- Cross-Border Transfer: The GAID provides that before transferring personal data to countries lacking an NDPC adequacy decision, data controllers must secure the explicit consent of the data subject.
- Automated Decision-Making: Data controllers relying solely on automated processing which produces legal effects concerning, or significantly affecting, the data subject must first obtain express consent and demonstrate safeguards against bias.[2]
The Compliance Annual Returns (CAR) now plays a key role in demonstrating adherence to consent requirements. Data controllers and processors are required to disclose in their CAR whether they rely on consent for any of the specified processing activities, and to show evidence that such consent was obtained in line with GAID standards.
C. Compliance Measures related to Emerging Technologies
Perhaps the most forward-looking innovation of the GAID 2025 is its recognition of the data protection risks associated with emerging technologies (“ETs”) such as AI, IoT, and Blockchain. Controllers and processors intending to deploy these technologies for personal data processing are now required to ensure that their use aligns with:
- the NDPA;
- applicable public policy objectives; and
- any other regulatory instrument issued by the NDPC.
A data controller or data processor who intends to deploy, or deploys, ETs for processing personal data is expected to establish robust technical and organisational measures that guarantee:
- the right of data subjects not to be subjected to purely automated processes or algorithms;
- the right of erasure (right to be forgotten), including where synthetic or tokenised data is used;
- safeguards for the processing of sensitive personal data, child data and data of other vulnerable groups;
- appropriate regulation of cross-border data flows; and
- the integration of Privacy by Design and Privacy by Default principles.
The GAID also mandates a DPIA focusing on:
- potential disparate impacts of data processing; and
- Data Subjects' Vulnerability Indexes (DSVI) outlined in Schedule 6 of the GAID. These DPIAs must be filed with the NDPC as part of the organisation's annual CAR.
In addition, data processors and controllers must evaluate the appropriateness of using anonymisation techniques to remove personal identifiers, and must test ETs in controlled, low-risk environments before deployment. These tests should help determine whether the technology produces any disparate or harmful outcomes and how such outcomes can be effectively addressed. Where risks to data subjects are identified, the tools must be retooled, retested or entirely discarded. Even after deployment, continuous monitoring and evaluation are required to ensure ongoing compliance and data protection.[3] Through these safeguards, the GAID extends the NDPA's reach to emerging technologies, ensuring that innovation proceeds responsibly and securely.
Conclusion
Ultimately, the GAID 2025 reinforces accountability, consent, and risk management as the pillars of Nigeria's data protection regime. It marks a decisive step in Nigeria's digital maturity, balancing innovation with privacy and accountability.
Footnotes
[1] GAID, art 13(2)
[2] GAID, art 18
[3] GAID, art 43