Guidance notice issued by the Nigerian Data Protection Commission on the Designation of Data Controllers and Processors of Major Importance and the Requirement for Registration of DCPMIS

28/2/2024
Udo Udoma & Belo-Osagie

The Nigerian Data Protection Commission has recently issued a Guidance Notice on the entities that are deemed to be Data Controllers and Data Processors of Major Importance (DCPMIs). The Notice was issued on 14 February 2024 and took effect from that date.

 

The Nigerian Data Protection Commission (‘’NDPC’’) has, pursuant to the powers conferred on it under the Nigeria Data Protection Act 2023 (“NDPA”) recently issued a Guidance Notice (“Notice’) on the entities that are deemed to be Data Controllers and Data Processors of Major Importance (DCPMIs). The Notice was issued on 14 February 2024 and took effect from that date.


Who is a DCPMI?


DCPMIs as defined in the NDPA


Section 65 of the NDPA defines DCPMIs as data controllers or processors that are based or operate in Nigeria and who process or intend to process personal data of a certain number of data subjects within Nigeria, as prescribed by the NDPC. DCPMIs are also entities that process personal data that is of particular value or significanceto the economy, society or security of Nigeria, as designated by the NDPC.

 

DCPMIs as defined in the Notice


The Notice sets out the criteria the NDPC has adopted to determine the entities that will be deemed to be DCPMIs. 


The Notice states that a DCPMI is:


An entity which keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and:


(a) processes the personal data of more than 200 data subjects within a six month period; or
(b) provides commercial Information Communication Technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or
(c) processes personal data as an organisation or service provider in the financial, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, or electric power sectors of the economy.


Classification of DCPMIs: 


The Notice creates 3 classes of DCPMIs based on the levels of personal data that is being processed:


i) Major Data Processing-Ultra High Level (MDP-UHL): these are entities that process the personal data of over 5,000 data subjects in a six-month period. In addition to entities that process the personal data of over 5,000 data subjects irrespective of their sector of operation, commercial banks, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, oil and gas companies, public social media app developers and proprietors, public e-mail app developers and proprietors, communication devices manufacturers, and payment gateway service providers are also deemed to be MDP-UHLs. 


ii) Major Data Processing-Extra High Level (MDP-EHL): these are entities that process the personal data of over 1,000 data subjects within six months. In addition to entities that process the personal data of over 1,000 data subjects, entities such as ministries, departments, and agencies of government (MDAs), microfinance banks, higher institutions (Universities, Polytechnics, Colleges of Education etc), hospitals providing tertiary or secondary medical services, and mortgage banks are also designated MDP-EHL.


iii) Major Data Processing-Ordinary High Level (MDP-OHL): These are entities that process the personal data of over 200 data subjects within a six-month period. In addition, entities such as primary and secondary schools, primary health centres, agents, contractors and vendors who engage with data subjects on behalf of other organisations/entities (third party data processors) are deemed to be MDP-OHL. 


Registration Obligation and Timeline


The Notice requires all DCPMIs irrespective of their classification to register with the NDPC on or before 30 June 2024.


Timeline and cost for Registration


The registration fee payable to the NDPC for registration as an MDP-UHL is 
NGN250,000.00. For registration as an MDP-EHL the fee payable is NGN100,000, and  NGN10,000.00 for registration as an MDP-OHL.


Penalties for Non-Compliance

 

DCPMIs who fail to register with the NDPC before 30th June 2024 will be deemed to be in breach of the NDPA and liable to the penalties imposed for non-compliance in the NDPA. Under the NDPA, the penalty imposed on a DCPMI for non-compliance is the payment of a fine of up to NGN10,000,000 (ten million Naira) or 2% of the annual gross revenue from the preceding financial year (whichever is the greater of the two sums).

 

 

--

Read the original publication at Udo Udoma & Belo-Osagie