In this digital age, data has become a vital asset for both individuals and corporate bodies. It has in fact been regarded as the world's most valuable resource1. The question then is, what is data?
Data can simply be defined as information that has been translated into a form that is efficient for movement or processing2. It can be collected, used, shared, measured, analysed, stored and destroyed (data processing). The most common type of data is personal data, which refers to any information related to an identified or identifiable natural person. In Nigeria, the National Information Technology Development Agency (NITDA) through the Nigeria Data Protection Regulation (NDPR)3, regulates the processing of personal data of Nigerian citizens. Persons who engage in data processing activities can either be Data Controllers or Data Processors.
Under the NDPR, startups, businesses and companies that engage in the processing of personal data of over 1000 Nigerians, are mandated to conduct a detailed annual audit of their data processing activities. This audit is to be conducted by a licensed Data Protection Compliance Organisation (DPCO). Failure to comply with the provisions of the NDPR will result in the payment of a fine of 10 million Naira or 2% of the annual turnover (whichever is greater).
In view of the foregoing, it is useful to understand when you will be considered as a data processor and when you will be considered to be a data controller; for the purpose of complying with the provisions of the NDPR. In this article, we have provided a guide on how to identify each category.
Who is a data controller?
A data controller simply means any person or company that determines "why" data is to be processed and "how" data is to be processed. Most businesses/companies collect the personal data of clients/customers in the course of providing services to them (e.g. by requiring the customers to complete an online or physical, registration form for the service or for the purpose of payment); in all such instances that company/business is a data controller.
Furthermore, where companies/businesses share personal details of their customers, such as names, email addresses, phone numbers to third-party service providers, for various business purposes such as to market their products (e.g. sharing with a Digital Marketing Agency); or to enhance their service delivery (e.g. sharing with an Information Technology Partner), that company/business remains the data controller in those instances and primarily responsible for the use and protection of the data.
In addition, companies and business owners are data controllers of data they collect in respect of their employees and remain primarily responsible for the use of such data.
Who is a data processor?
Companies/businesses are regarded as data processors when they are involved in the processing of data, on the instruction and on behalf of another person (data controller). Effectively, a data processor cannot act on its own or undertake any data processing activity without the permission of the data controller.
In the scenarios given above, the Digital Marketing Agency and Information Technology Partner are data processors. Also, where a company outsources payroll payment to a third party or other human resource related services, that third party would be seen as the data processor.
Can a data processor be a data controller?
Yes. What distinguishes a data controller from a data processor is control. Where you have control over which data is to be collected and the purpose for which the data is to be collected, you are the data controller. Where all you have is the possession of the data and must act in accordance with the instructions of another person, then you are the data processor.
Where you, however, have both control and possession of data (i.e. the data was given to you by a third party), in such an instance, you act as both a data controller and a data processor.
Under Nigerian law, data controllers and data processors are required to undergo Data Protection Compliance audits and generally adhere to the provisions of the NDPR. Each business should be clear on whether they are handling data in the capacity of a data controller or a data processor as the obligations of a data controller vary from the obligations of a data processor.
If you require clarity as to whether your business would be categorised as a data controller or a data processor, please do not hesitate to contact the team at Pavestones Legal.
Economist, 'The World's Most Valuable Resource is no Longer
Oil, but Data' Economist (6 May 2017)
3 To understand more about the NDPR, follow the link to our article https://pavestoneslegal.com/nigeria-data-protection-regulation-2019/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.