A. INTRODUCTION

The Nigeria Data Protection Commission (NDPC or "the Commission") on February 14, 2024 issued the Guidance Notice (Notice) for the Registration of Data Controllers and Data Processors of Major Importance (DCMI and DPMI) pursuant to Sections 5(d), 6(c), 44, 45 and 65 of the Nigeria Data Protection Act 2023 (NDPA).

This Guidance Notice serves to provide clarity on the designation of DCMI and DPMI, and their subsequent registration. The Notice outlines the criteria for the designation of businesses, entities and organizations as DCMI and DPMI, and registration with the NDPC. In this Alert, we summarize the key points from the Notice.

B. DESIGNATION CRITERIA AS DCMI AND DPMI

Section 65 of the NDPA defines a DCMI and DPMI as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.

By Paragraph 1(1) of the Notice, Data controllers or processors are deemed to have "particular value or significance to the economy, society or security of Nigeria" and designated as DCMI and DPMI if they maintain a filing system (analog or digital) for processing personal data, AND:

  • Process the personal data of more than 200 individuals within six months, OR
  • Provide commercial Information and Communication Technology (ICT) services on digital devices with storage capacity belonging to others, OR
  • Process personal data as an organization or service provider in any of these sectors: finance, communication, health, education, insurance, import/export, aviation, tourism, oil and gas, or electric power

Based on this provision, an entity is designated a DCMI or DPMI only if it maintains a filing system for processing personal data and, in addition, meets at least one (1) of the three (3) criteria listed above.

By virtue of Paragraph 2(2) of the Notice, a data controller or data processor that has a fiduciary relationship with a data subject, and by virtue of that relationship is expected to keep information confidential on behalf of the data subject, is also deemed a DCMI or DPMI, because of the potential for significant harm if it were not subject to the obligations of a DCMI or DPMI.

In the case of GTB Plc v. Imananagha [1], the Court of Appeal examined the borders of "fiduciary relationship" and held as follows:

"Fiduciary or confidential relation is a very broad term embracing both technical fiduciary relation and the informal relation which exists wherever one man trusts in or relies upon another. It is a relation founded on trust or confidence reposed by one person in the integrity and fidelity of another. A fiduciary relationship arises whenever confidence is reposed on one side and domination and influence result on the other."

C. CLASSIFICATION OF DCMIS AND DPMIS

The NDPC classifies DCMI and DPMI into three tiers for the purposes of registration with the NDPC, as follows: Major Data Processing – Ultra High Level (MDP-UHL), Major Data Processing – Extra High Level (MDP-EHL), and Major Data Processing – Ordinary High Level (MDP-OHL).

1. Major Data Processing – Ultra High Level (MDP-UHL)

Classification under this tier is governed by Paragraphs 2(2) and 3(1)(a-b) of the Notice. By Paragraph 3(1)(a-b) of the Notice, the following entities are expressly classified as DCMI and DPMI under the MDP-UHL tier without any further qualification, for the purposes of ascertaining the applicable registration fee payable to the NDPC and the applicable standards:

  • Commercial banks operating at national or regional level
  • Telecommunication companies
  • Insurance companies
  • Multinational companies
  • Electricity distribution companies
  • Oil and gas companies
  • Public social media app developers and proprietors
  • Public e-mail app developers and proprietors
  • Communication device manufacturers
  • Payment gateway service providers
  • Other organisations that process the personal data of over 5,000 individuals within 6 months

DCMI and DPMI classified in this tier by virtue of Paragraph 2(2) of the Notice are those generally required to abide by global and highest attainable standards of data protection, taking into account at least five (5) of the following factors for the purpose of categorization:

  1. The sensitivity of personal data in their care;
  2. Data driven financial assets entrusted in their care by data subjects;
  3. Reliance on third party servers or cloud computing services for the purpose of substantial processing of personal data;
  4. Substantial involvement in cross-border data flows;
  5. Processing the personal data of over 5,000 (Five-Thousand) data subjects through the means of technology under its technical control or through a service contract;
  6. Legal competence to generate revenue on a commercial scale;
  7. The need for international standard certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
  8. The need for accountability

The Notice does not say what constitutes "global and highest attainable standards" of data protection. Examples of such standards drawn from international frameworks include the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the various International Organization for Standardization (ISO) standards, Cloud Security Alliance (CSA) standards, and National Institute of Standards and Technology (NIST) standards.

The implication of classification under this category is that such entities are bound to the highest applicable standards of data protection above others, and in the event of a breach of any data privacy and protection obligation, would likely be subject to higher punitive consequences than those in lower categories.

2. Major Data Processing – Extra High Level (MDP-EHL)

By virtue of Paragraph 3(1)(c-d) of the Notice, the following entities are expressly classified as DCMI and DPMI under the MDP-EHL tier without any further qualification, for the purposes of ascertaining the applicable registration fee payable to the NDPC:

  • Ministries, Departments and Agencies (MDAs) of government
  • Microfinance banks
  • Higher institutions
  • Hospitals providing tertiary or secondary medical services
  • Mortgage banks
  • Organisations that process the personal data of over 1,000 (one thousand) data subjects within 6 (six) months

DCMI and DPMI categorized in this tier by virtue of Paragraph 2(3) of the Notice are those generally required to abide by global best practices of data protection, taking into account any five (5) of the following factors for the purpose of categorization:

  1. The sensitivity of personal data in their care;
  2. Data driven financial assets entrusted in their care by data subjects;
  3. Functions as an establishment of government;
  4. Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;
  5. Substantial involvement in cross-border data flows;
  6. Processing the personal data of over 1,000 (One-Thousand) data subjects through the means of technology under their technical control or through a service contract;
  7. Legal competence to generate revenue on a commercial scale;
  8. The need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability; and
  9. The need for accountability.

The Notice does not define "global best practices of data protection" under this tier either, nor how it differs from the "global and highest attainable standards of data protection" required under Paragraph 2(2). Commonly recognised global best practices include privacy by design and by default, adequate data security measures, privacy policies that comply with applicable privacy laws and regulations, respect for data subject rights and the means to exercise them, adequate international data transfer mechanisms, and adherence to relevant industry standards.

3. Major Data Processing – Ordinary High Level (MDP-OHL)

Classification of DCMI and DPMI under this tier is governed by Paragraphs 2(4) and 3(1)(e-f) of the Notice. By Paragraph 3(1)(e-f) of the Notice, the following entities are expressly classified under the MDP-OHL tier:

  • Small and medium scale enterprises that have access to personal data which they may share, transfer, analyse, copy, compute or store in the course of carrying out their businesses
  • Primary and secondary schools
  • Primary health centres
  • Agents, contractors and vendors who engage with data subjects on behalf of organisations in the MDP-UHL and MDP-EHL tiers
  • Organisations that process the personal data of over 200 (two hundred) data subjects within 6 (six) months

Paragraph 2(4) of the Notice provides that DCMI and DPMI in this tier are those generally expected to abide by global best practices of data protection, taking into account at least four (4) of the following factors for the purposes of categorization:

  1. The sensitivity of data assets in their care;
  2. Inherent vulnerability of data subjects they typically engage with;
  3. High risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner;
  4. Processing the personal data of over 200 (two hundred) data subjects through the means of technology under their technical control or through a service contract;
  5. The need for adequate technical and organisational measures for data protection;
  6. The need for reputable and standardised certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
  7. The need for accountability.

The standard of care for this tier, global best practices of data protection, is the same as that for MDP-EHL. For DCMI and DPMI not expressly listed in the Notice, the factors set out above (in particular the lower 200 data-subject threshold and the vulnerability of the data subjects concerned) are what distinguish this tier from MDP-EHL.

D. ADDITIONAL FACTORS TO CONSIDER

Where a data controller or data processor meets the criteria for designation as a DCMI or DPMI, it must then be assessed to determine to which of the three tiers it belongs. Where a DCMI or DPMI is not expressly listed in the Notice under any tier, the number of data subjects whose personal data it has processed within 6 months is considered alongside the level of data protection practice it is expected to abide by, having regard to factors such as the sensitivity of the personal data it processes, any personal data transferred outside Nigeria, and the risks and vulnerability of the data subjects, among others. It should be noted that, for the purposes of the tiered classification, the nature of the personal data processed and the potential risks to data subjects are always key in determining the tier to which a DCMI or DPMI belongs.

E. REGISTRATION AND CONSEQUENCES FOR NON-COMPLIANCE

Existing data controllers and data processors are required by Paragraph 3(2) of the Notice to register between 30th January, 2024 and 30th June, 2024. Paragraph 3(3) of the Notice provides that late registration or failure to register after the due date incurs penalties for defaulters as stipulated in the Act.

Section 48(1)(a) of the Nigeria Data Protection Act 2023 provides that the Commission, upon completing an investigation initiated on its own accord following a reasonable belief that the Act has been violated, and if satisfied that a data controller or data processor has violated any provision of the NDPA or subsidiary legislation made under it, may make any appropriate enforcement order or impose a sanction on the data controller or data processor. Section 48(2)(d) of the NDPA provides that an enforcement order includes a penalty or remedial fee. In the case of a DCMI or DPMI, a penalty or remedial fee under subsection (2)(d) may be an amount up to the greater of N10,000,000 and 2% of its annual gross revenue in the preceding financial year [2].

F. CONCLUSION

The Notice provides a much-needed guide following the uncertainty that surrounded the DCMI and DPMI provisions of the NDPA 2023. It is noteworthy that overlaps are likely in determining the tier of a DCMI or DPMI that is not expressly listed in Paragraph 3 of the Notice; in such cases it is important to consult privacy professionals for expert guidance.

Footnotes

1. (2022) LPELR-56906(CA) Pp 55 - 56 Paras E – B.

2. Sections 48(3)(a) and 48(4) of the NDPA 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.