This guide highlights key aspects of the Nigeria Data Protection Commission's (NDPC) Guidance Notice, the categorization of data controllers and processors, and critical deadlines and compliance requirements.
Following its February publication, titled “Highlights of the NDPC Notice on the Registration of Data Controllers and Data Processors of Major Importance”, regarding the Nigeria Data Protection Commission's (NDPC) Guidance Notice (the “Guidance Notice”), DOA reiterates the key points and provides further insights following the recent stakeholder Breakfast Summit organized by the NDPC, where it made certain clarifications in relation to the Guidance Notice.
This guide is designed to ensure your organization remains compliant with the Nigeria Data Protection Act of 2023 (the “Act”) by highlighting key aspects of the Guidance Notice, categorization of data controllers and processors, and critical deadlines and compliance requirements.
1. Definition of Data Controllers and Data Processors of Major Importance
According to the Guidance Notice, a data controller or data processor shall be designated as a Data Controller or Data Processor of Major Importance (DCPMI):
a. if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and:
- processes the personal data of more than 200 data subjects within 6 months;
- carries out commercial information communication technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or
- processes personal data as an organization or a service provider in any one of the following sectors: financial institutions, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, and electric power.
b. Where a data controller or data processor is under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject, taking into consideration the significant harm that may be done to a data subject if such data controller or processor is not under the obligations imposed on DCPMIs.
2. Classification of Data Controllers and Data Processors of Major Importance
The Guidance Notice classified DCPMIs into 3 (three) levels or categories:
- Major Data Processing-Ultra High Level (MDP-UHL): These are organisations processing sensitive data, managing substantial financial assets, using third-party servers or cloud services, engaging in cross-border data flows, handling personal data for over 5,000 data subjects within 6 months, adhering to international standards, and maintaining accountability, such as commercial banks operating at national or regional level, telecommunication companies, insurance companies, multinationals, electricity distribution companies, oil and gas companies, public social media app developers, public email app developers, communication device manufacturers, and payment gateway service providers. The registration fee for MDP-UHL is N250,000 (Two Hundred and Fifty Thousand Naira).
- Major Data Processing-Extra High Level (MDP-EHL): These are organisations handling sensitive data, managing financial assets, government functions, relying on third-party servers or cloud services, engaging in cross-border data flows, processing data for over 1,000 data subjects within 6 months, requiring reputable certifications, and maintaining accountability, such as government ministries, departments, and agencies (MDAs), microfinance banks, higher educational institutions, hospitals providing tertiary or secondary medical services, and mortgage banks. The registration fee payable by MDP-EHL is N100,000.00 (One Hundred Thousand Naira only).
- Major Data Processing-Ordinary High Level (MDP-OHL): These are organisations handling sensitive data, engaging with vulnerable data subjects, posing high privacy risks, processing data for over 200 data subjects within 6 months, requiring technical and organizational data protection measures, and maintaining standardized certifications, such as Small and Medium Scale Enterprises (SMEs) with data access, primary and secondary schools, primary health centers, and agents, contractors, and vendors working with data subjects on behalf of MDP-UHL and MDP-EHL organizations. The registration fee for MDP-OHL is N10,000 (Ten Thousand Naira).
Notwithstanding the aforementioned considerations, the classification of an organization as a DCPMI is primarily contingent upon two key determinants: the volume of data subjects whose personal data is processed by the organization and the nature of the personal data being processed.
3. Registration Timeline
The Guidance Notice requires DCPMIs to register with the Commission on or before 30th June 2024.
Registration after the due date or failure to register shall be deemed default and exposes the defaulting organization to the penalties prescribed by the Act.
4. Registration Requirements for Foreign Organizations Without Local Presence
As per the Commission's directive, it is imperative for a DCPMI to possess a local presence in order to facilitate registration with the Commission. This requirement stands notwithstanding the provisions of the Act, which extend its application to DCPMIs not domiciled, resident, or operating within Nigeria, but who engage in the processing of personal data pertaining to Nigerian data subjects.
Hence, in order to adhere to the stipulated registration prerequisites, foreign organizations must establish a local address within Nigeria and designate a Nigerian Data Protection Officer (DPO).
5. Conclusion
Ensuring compliance with the Act, the Guidance Notice, and maintaining adherence to data protection standards are fundamental for fostering trust and confidence among data subjects. It is vital for organizations to recognize that any instance of non-compliance, resulting in sanctions or penalties, could significantly tarnish the organization’s reputation.
Therefore, it is imperative for organisations qualifying as DCPMIs to promptly register with the Commission before the specified deadline. This is essential for mitigating the risk of facing penalties as prescribed by the Act and for upholding robust data protection practices.
Should you require further assistance or support in confirming your status as a DCPMI or guidance through the registration process, our dedicated Data Privacy and Protection Team is available to provide expert legal assistance and support.
--
Read the original publication at Duale, Ovia & Alex-Adedipe