The Nigeria Data Protection Commission (NDPC) recently released a Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance, in accordance with Sections 5(d), 6(c), 44, 45, and 65 of the Nigeria Data Protection Act 2023.[1] This development provides some long-awaited clarification on the kinds of data controllers and processors with "particular value or significance to the economy, society or security of Nigeria" as envisaged in the Act and affords guidance on the types of entities designated as Data Controllers and Processors of Major Importance.

The Guidance Notice underscores the following key aspects:

A. Purposive Designation of Data Controllers and Data Processors of Major Importance

The Notice introduces a 'purposive designation' for identifying Data Controllers and Processors of Major Importance based on the following parameters:

a) entities who keep or have access to a filing system (whether analogue or digital) for the processing of personal data of more than 200 data subjects in 6 months;

b) entities who carry out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity and belongs to another individual;

c) entities who process personal data as organisations or service providers in any of the following sectors: financial, communication, health, education, insurance, export and import, aviation, tourism, oil and gas and electric power.

d) Controllers/Processors who are under a fiduciary relationship with a data subject and are obligated to keep confidential information on behalf of the data subject will be regarded as Data Controllers or Processors of Major Importance, especially if their failure to carry out this obligation may result in significant harm to the data subject.

B. Classification of Data Controllers and Data Processors of Major Importance

The Commission classifies Data Controllers and Processors into the following 3 (three) levels or categories of data processing:

  1. Major Data Processing-Ultra High Level (MDP-UHL)
  2. Major Data Processing-Extra High Level (MDP-EHL)
  3. Major Data Processing-Ordinary High Level (MDP-OHL)

Controllers/Processors that fall under any of these categories are expected to abide by global best practices on data protection and should consider the other important factors that the table below associates with their level/categorization.

C. Specific Types of Controllers/Processors and Applicable Registration Fees

The Guidance Notice outlines the specific types of data controllers and processors of major importance subject to registration, along with corresponding registration fees required of them. These fees are structured to reflect the varying nature of data processing activities undertaken by the entities. For ease of reference, the fees have been identified in the table below for each category of data controller/processor.

1. Major Data Processing-Ultra High Level (MDP-UHL)

Generally required to abide by global and highest attainable standards of data protection.

Factors to be considered for categorization:

Must meet at least any 5 of the following factors:

a) The sensitivity of personal data in your care;

b) Data driven financial assets entrusted in your care by data subjects;

c) Reliance on third party servers or cloud computing services for the purpose of substantial processing of personal data;

d) Substantial involvement in cross-border data flows;

e) Processing the personal data of over 5,000 (Five-Thousand) data subjects through the means of technology under your technical control or through a service contract;

f) Legal competence to generate revenue on a commercial scale;

g) The need for international standard certifications for people, processes and technologies involved in data confidentiality, integrity, and availability; and

h) The need for accountability.

Types of Data Controllers/Processors of Major Importance under this level:

i. Commercial banks operating at national or regional level;

ii. Telecommunication companies;

iii. Insurance companies;

iv. Multinational companies;

v. Electricity distribution companies;

vi. Oil and Gas companies;

vii. Public social media app developers and proprietors;

viii. Public e-mail App developers and proprietors;

ix. Communication devices manufacturers;

x. Payment gateway service providers; and

xi. Entities that process personal data of over 5,000 (Five-Thousand) data subjects in 6 (six) months.

Registration Fee: N250,000

2. Major Data Processing-Extra High Level (MDP-EHL)

Generally expected to abide by global best practices of data protection.

Factors to be considered for categorization:

Must meet at least any 5 of the following factors:

a) The sensitivity of personal data in your care;

b) Data driven financial assets entrusted in your care by data subjects;

c) Functions as an establishment of government;

d) Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;

e) Substantial involvement in cross-border data flows;

f) Processing the personal data of over 1,000 (One-Thousand) data subjects through the means of technology under your technical control or through a service contract;

g) Legal competence to generate revenue on a commercial scale;

h) The need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability; and

i) The need for accountability.

Types of Data Controllers/Processors of Major Importance under this level:

i. Ministries, Departments and Agencies (MDAs) of government;

ii. Micro Finance Banks;

iii. Higher Institutions;

iv. Hospitals providing tertiary or secondary medical services;

v. Mortgage Banks; and

vi. Entities that process personal data of over 1,000 data subjects within 6 (six) months.

Registration Fee: N100,000

3. Major Data Processing-Ordinary High Level (MDP-OHL)

Generally expected to abide by global best practices of data protection.

Factors to be considered for categorization:

Must meet at least any 4 of the following factors:

a) The sensitivity of data assets in your care;

b) Inherent vulnerability of data subjects you typically engage with;

c) High risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner;

d) Processing the personal data of over 200 (two hundred) data subjects through the means of technology under your technical control or through a service contract;

e) The need for adequate technical and organizational measures for data protection;

f) The need for reputable and standardized certifications for people, processes and technologies involved in data confidentiality, integrity, and availability; and

g) The need for accountability.

Types of Data Controllers/Processors of Major Importance under this level:

i. Small and Medium Scale Enterprises (it must be such that have access to personal data which they may share, transfer, analyse, copy, compute or store in the course of carrying out their individual businesses);

ii. Primary and Secondary Schools;

iii. Primary Health Centres;

iv. Agents, contractors and vendors who engage with data subjects on behalf of other organizations that are in the category of MDP-UHL and MDP-EHL;

v. Entities that process personal data of over 200 data subjects within a 6 (six) month period.

Registration Fee: N10,000



Furthermore, the Guidance Notice requires existing Data Controllers and Processors to register with the Commission on or before 30th June, 2024.

In light of these developments, Data Controllers and Processors of Major Importance are urged to familiarize themselves with the Guidance Notice and take appropriate steps to ensure timely registration and compliance with regulatory requirements. Compliance with registration requirements is essential to avoid penalties and sanctions which may be imposed by the Commission in accordance with the Nigeria Data Protection Act.

For further details and access to the Guidance Notice, kindly visit the following link: https://ndpc.gov.ng/Files/registration.pdf

Footnote

1. See, Punch Newspaper, "Nigeria Data Protection Commission (NDPC) Announces Registration Notice for Data Controllers and Processors" available at: https://punchng.com/nigeria-data-protection-commission-ndpc-announces-registration-notice-for-data-controllers-and-processors/ accessed 15th February 2024.
