On February 14, 2024, the Nigeria Data Protection Commission ("NDPC"), pursuant to its mandate under the Nigeria Data Protection Act of 2023, issued a Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance. The Notice, which coincided with the operational launch of the registration portal by the NDPC, explains the criteria for designation of data controllers and data processors as Data Controllers or Data Processors of Major Importance, and sets the registration requirements. This article highlights key points from the Guidance Notice which relevant and affected entities should know.

Who is a Data Controller or Data Processor of Major Importance?

a. Anyone that keeps or has access to a filing system for the processing of personal data and processes the personal data of more than 200 data subjects in six months;

b. Anyone that carries out commercial information communication technology services on any digital device which has storage capacity and belongs to another individual;

c. Anyone that processes personal data as an organisation or a service provider in the financial, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, or electric power sector;

d. A data controller or a data processor under a fiduciary relationship with a data subject;

e. Entities operating in Nigeria that process or intend to process personal data of a specified number of data subjects, as prescribed by the NDPC, or those handling personal data deemed of significant value to the economy, society, or security of Nigeria fall under this category.

Categories of Data Controllers and Data Processors of Major Importance:

a. Major Data Processing-Ultra High Level (MDP-UHL): This category includes Data Controllers and Data Processors of Major Importance who are, among other obligations, generally expected to abide by global and highest attainable standards of data protection, considering the: (a) sensitivity of personal data in their care; (b) data driven financial assets entrusted in their care by data subjects; (c) reliance on third party servers or cloud computing services for the purpose of substantial processing of personal data; (d) substantial involvement in cross-border data flows; (e) processing the personal data of over 5,000 data subjects through the means of technology under its technical control or through a service contract; (f) legal competence to generate revenue on a commercial scale; (g) requirement for international standard certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and (h) need for accountability. Any five of the foregoing factors will suffice for the purposes of categorization as MDP-UHL.

Organizations within this category include commercial banks, telecommunication companies, insurance companies, multinational corporations, electricity distribution companies, oil and gas companies, public social media app developers, public email app developers, communication device manufacturers, and payment gateway service providers across Nigeria.

The registration fee for an MDP-UHL is N250,000 (Two Hundred and Fifty Thousand Naira).

b. Major Data Processing-Extra High Level (MDP-EHL): This category applies to Data Controllers and Data Processors of Major Importance who are, among other obligations, generally expected to abide by global best practices of data protection considering the: (a) sensitivity of personal data in their care; (b) data driven financial assets entrusted in their care by data subjects; (c) functions as an establishment of government; (d) reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data; (e) substantial involvement in cross-border data flows; (f) processing the personal data of over 1,000 data subjects through the means of technology under their technical control or through a service contract; (g) legal competence to generate revenue on a commercial scale; (h) need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability; and (i) need for accountability. Any five of the foregoing factors will suffice for the purposes of categorization as MDP-EHL.

Organizations within this category include government ministries, departments, and agencies (MDAs), microfinance banks, higher educational institutions, hospitals providing tertiary or secondary medical services, and mortgage banks across Nigeria.

The registration fee for an MDP-EHL is N100,000 (One Hundred Thousand Naira).

c. Major Data Processing-Ordinary High Level (MDP-OHL): This category includes data controllers and data processors of major importance who are, among other obligations, generally expected to abide by global best practices of data protection considering the: (a) sensitivity of data assets in their care; (b) inherent vulnerability of data subjects they typically engage with; (c) high risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner; (d) processing the personal data of over 200 data subjects through the means of technology under their technical control or through a service contract; (e) need for adequate technical and organisational measures for data protection; (f) need for reputable and standardised certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and (g) need for accountability. Any 4 (four) of the foregoing factors will suffice for the purposes of categorization as MDP-OHL.

Organizations within this category include Small and Medium Scale Enterprises that have access to personal data which they may share, transfer, analyse, copy, compute or store in the course of carrying out their individual businesses, primary and secondary schools, primary health centres, and agents, contractors and vendors who engage with data subjects on behalf of other organisations that are in the category of MDP-UHL and MDP-EHL.

The registration fee for an MDP-OHL is N10,000 (Ten Thousand Naira).

Registration of eligible data controllers and data processors is in progress and will close on June 30, 2024. Failure to register or registration after the deadline is a violation of the NDPA and will attract penalties for non-compliance, as prescribed by the Act.

Commentary

Section 65 of the NDPA defines a Data Controller or Data Processor of Major Importance as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.

While the NDPA makes reference to personal data which is of particular value or significance to Nigeria's economy, society or security, it appears that the NDPC, in formulating these guidelines, has focused on data controllers and processors with particular significance to Nigeria's economy, society, or security. Contrary to the intent outlined in the NDPA, the guidelines seem to emphasize the value of the data controllers and processors rather than the intrinsic value of the personal data itself.

While it is conceivable that considering the value of the personal data may have resulted in the same organisations being generally classified as Data Controllers/Data Processors of Major Importance, an emphasis on the value of the personal data would have resulted in certain organisations being classified differently. For instance, government ministries, departments, and agencies (MDAs), which are classified as MDP-EHL, should have been classified as MDP-UHL considering that MDAs typically process the personal data of more than 5,000 data subjects within 6 months, handle sensitive personal data, depending on their statutory duties, and are at significant risk of data breaches, which could have far-reaching economic, political, and national security implications.

Nonetheless, it is commendable that the NDPC has offered much-anticipated guidance on this matter. The true impact of this designation is anticipated to manifest through the adherence of eligible data controllers and data processors, and the subsequent enforcement actions by the NDPC.
