{"id":2026,"date":"2025-08-11T15:35:00","date_gmt":"2025-08-11T14:35:00","guid":{"rendered":"https:\/\/lexluminar.com\/?p=2026"},"modified":"2025-08-11T15:35:01","modified_gmt":"2025-08-11T14:35:01","slug":"evolving-consent-frameworks-and-sensitive-data-processing-under-gaid-2025","status":"publish","type":"post","link":"https:\/\/lexluminar.com\/fr\/evolving-consent-frameworks-and-sensitive-data-processing-under-gaid-2025\/","title":{"rendered":"Evolving Consent Frameworks and Sensitive Data Processing Under GAID 2025"},"content":{"rendered":"

Introduction<\/strong><\/p>\n\n\n\n

Consent is essential to data protection, giving individuals control over their personal information. However, with algorithmic profiling, biometric surveillance, and cross-border data sharing, traditional consent faces challenges. Nigeria\u2019s General Application and Implementation Directive (GAID) 2025,<\/strong> under the Nigeria Data Protection Act (NDPA)<\/strong>, signifies a shift in how consent is understood, implemented, and enforced, especially for sensitive data.<\/p>\n\n\n\n

This article examines the evolution of consent as a lawful basis for processing, the specific thresholds required under GAID 2025, and the compliance obligations imposed on data controllers. It also examines the tension between empowering data subjects and ensuring organisations implement robust safeguards when handling high-risk data categories.<\/p>\n\n\n\n

<\/div>\n\n\n\n
Consent under GAID 2025<\/strong><\/h6>\n\n\n\n

GAID 2025 views consent as a dynamic, evidence-based expression of an individual\u2019s control over their personal data, rather than just a simple checkbox. Under the new Directive, consent must be recorded, revocable at any time, and clearly informed\u2014placing the responsibility on data controllers to demonstrate that each affirmative action is made by a fully aware data subject\u00b9. Every request for consent must clearly explain the processing purposes in straightforward, non-legal language. Data subjects need to understand not only what<\/em> data is collected, but also why<\/em>, how long<\/em> it will be kept, and with whom<\/em> it may be shared.<\/p>\n\n\n\n

At all times where consent is required, a data subject shall be provided with a clear and explicit option to accept or decline\u00b2.<\/p>\n\n\n\n

Controllers shall maintain accurate records that ensure accountability regarding consent given\u00b3. <\/p>\n\n\n\n

The GAID 2025 allows constructive or implied consent for data processing in specific situations:<\/p>\n\n\n\n

<\/div>\n\n\n\n
    \n
  1. Public Event Participation\u2074<\/li>\n<\/ol>\n\n\n\n

    Images of participants at public events can be used for reporting purposes. Such images cannot be utilised for profit or commercial advertisements without explicit consent. Data controllers must ensure photographs do not portray participants negatively and may inform participants about potential uses of captured images.<\/p>\n\n\n\n

    <\/div>\n\n\n\n
      \n
    1. Privacy Notice Closure\u2075<\/li>\n<\/ol>\n\n\n\n

      Closing a privacy notice that obstructs webpage viewing implies consent for limited data collection. Data gathered must be restricted to what is necessary for basic website functionality, such as responding to and analysing user interactions.<\/p>\n\n\n\n

      <\/div>\n\n\n\n

      These provisions are subject to the NDPA and Article 18 of the GAID.<\/p>\n\n\n\n

      <\/div>\n\n\n\n
      Consent as the Sole Legal Basis for Processing<\/strong><\/h6>\n\n\n\n

      Under GAID 2025, consent is listed alongside contractual obligation, legal obligation, vital interest, public interest, and legitimate interest as one of the six lawful bases for processing personal data\u2076.<\/p>\n\n\n\n

      <\/div>\n\n\n\n

      However, where reliance on consent may effectively undermine the rule of law, another lawful basis may be considered\u2077.<\/p>\n\n\n\n

      <\/div>\n\n\n\n

      Special Rule of Law Indexes (SRLI) \u2078<\/p>\n\n\n\n

      When analysing complaints about data processing consent, the Commission assesses if relying on consent threatens the rule of law using the Special Rule of Law Indexes (SRLI). These include risks to rights and freedoms, security, public welfare, sustainable development, and the proportionality and necessity of processing. The evaluation also considers justice delivery effectiveness, focusing on equality before the law and judicial neutrality, as well as the past relationship between the data controller and the data subject\u2079.<\/p>\n\n\n\n

      <\/div>\n\n\n\n
      Data processing that requires Consent<\/strong><\/h6>\n\n\n\n

      Consent is explicitly required under the GAID in several key circumstances to protect data subjects. These include\u00b9\u2070:<\/p>\n\n\n\n

        \n
      1. Engaging in direct marketing,<\/li>\n\n\n\n
      2. Handling sensitive personal data,<\/li>\n\n\n\n
      3. Further processing beyond the original intended purpose,<\/li>\n\n\n\n
      4. Processing children\u2019s data,<\/li>\n\n\n\n
      5. Transferring data to countries without an adequacy decision from the Commission, and<\/li>\n\n\n\n
      6. Making decisions based solely on automated processing that have significant legal or personal effects.<\/li>\n<\/ol>\n\n\n\n
        <\/div>\n\n\n\n

        These requirements operate alongside the provisions of the NDPA and other applicable laws.<\/p>\n\n\n\n

        <\/div>\n\n\n\n

        A Compliance Audit Report (CAR) must clearly specify whether the data controller or data processor depends on consent for any of the data processing activities listed in Sub-Article 1, such as direct marketing or managing sensitive personal data. This promotes transparency in how consent is used across key processing actions\u00b9\u00b9.<\/p>\n\n\n\n

        <\/div>\n\n\n\n
        Navigating the Challenges of Sensitive Data Processing<\/strong><\/h6>\n\n\n\n

        Handling sensitive personal data like health records, racial or ethnic origins, political opinions, religious beliefs, and sexual orientations increases compliance and operational challenges. The following issues are especially acute.<\/p>\n\n\n\n

        <\/div>\n\n\n\n
          \n
        1. Precision in Data Mapping and Classification<\/li>\n<\/ol>\n\n\n\n

          Organisations must first identify where sensitive data is stored. As per Article 18 of GAID 2025, processing sensitive personal data\u2014like health details, biometric data, religious beliefs, political views, and sexual orientation\u2014requires explicit consent. This consent must be:<\/p>\n\n\n\n