The Nigeria Data Protection Commission (‘the Commission'), on 4th October, 2024, published a press release extending the deadline for the registration of Data Controllers/Processors of Major Importance (DCPMI), without penalty to 31st October 2024.
This is following to the Guidance Notice published by the Commission on 14th February 2024, designating DCPMIs into three categories: Major Data Processing-Ultra High Level (MDP-UHL); Major Data Processing-Extra High Level (MDP-EHL); and Major Data Processing-Ordinary High Level (MDP-OHL), and mandating existing data controllers and data processors to register as DCPMIs with the Commission in accordance with section 44 of the Nigeria Data Protection Act (NDP Act) 2023. The Commission set the deadline for this directive for 30th June 2024. The Commission subsequently extended this deadline to 30th September 2024 by a public notice on the 29th of June 2024 to enable existing data controllers and data processors to meet up with the compliance requirement in the Guidance Notice and the NDP Act.
This recent extension of the deadline by the Commission is to further ensure that existing data controllers and data processors are given sufficient time to comply with the Guidance Notice and to ensure the compliance of their agents, contractors and vendors with the Guidance Notice.
The Commission has emphasised that in order to ensure accountability, DCPMIs shall only engage agents and contractors who, for the purpose of processing data, are duly registered with the Commission as of 15th October 2024. This is in line with section 29(1)(a) of the NDP Act, which states that where a data controller/processor engages the services of a data processor, they shall ensure that the engaged data processor is in compliance with the principles and obligations of a data processor in the NDP Act, including the registration with the Commission as a DCPMI.
The combined effect of the relevant provision within the NDP Act and the press release issued on 4th October 2024 is that, commencing on 15th October 2024, data controllers and data processors will be prohibited from entering into contractual arrangements with unregistered data processors acting as agents or contractors. This new regulatory requirement aims to enhance data privacy and security by ensuring that only entities that have met the established registration standards can handle sensitive personal data on behalf of other organisations.
Non-compliance
Failure of an existing data controller or data processor to register as a DCPMI with the Commission constitutes a violation of the NDP Act. Additionally, engaging with an unregistered data processor is also deemed a contravention of the NDP Act. Any entity that breaches these provisions faces a penalty of 2% of their annual gross revenue from the preceding financial year or ₦10,000,000 (ten million naira). To avoid these penalties, it is strongly recommended that existing data controllers and data processors register with the Commission and ensure that their contractors and agents are registered by 15th October 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.