Legal Informer
INTRODUCTION
The Nigeria Data Protection Commission ("the Commission" or "NDPC") published a Guidance Notice on the Registration of Data Controllers and Processors of Major Importance [NDPC/HQ/GN/VOL.02/24] in February 2024. The Guidance Notice clarifies the designation and classification of those required to register with the Commission. Section 5(d) of the Nigeria Data Protection Act requires all public and private entities that handle personal data to register with the NDPC by no later than June 30, 2024.
A data controller or processor will be considered to be of major importance if it maintains or has access to an analog or digital file system for the processing of personal data, and:
- processes the personal data of more than 200 data subjects in six months;
- performs commercial ICT (information and communication technology) services on any digital device that is owned by another person and has storage capacity; or
- processes personal data on behalf of an organization or a service provider in any of the following industries: financial institutions, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, and electric power.
CLASSIFICATION OF DATA CONTROLLERS AND DATA PROCESSORS OF MAJOR IMPORTANCE
Additionally, the Guidance Notice categorized data processors and controllers into three (3) tiers or categories:
- Major Data Processing-Ultra High Level (MDP-UHL): This includes commercial banks operating at national or regional level, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, and oil and gas companies.
- Major Data Processing-Extra High Level (MDP-EHL): Entities that fall into this category include Ministries, Departments and Agencies (MDAs) of government, microfinance banks, higher institutions, and hospitals providing tertiary or secondary medical services.
- Major Data Processing-Ordinary High Level (MDP-OHL): The organizations that fall into this category include small and medium scale enterprises, primary and secondary schools, and primary health centres.
Data controllers and processors subject to Paragraph 3(2) of the Notice must register on or before 30th June 2024. Paragraph 3(3) of the Notice also stipulates that late registration, or failure to register after the due date, will be penalized in accordance with the law. Section 48(1)(a) of the Nigeria Data Protection Act (2023) (NDPA) provides that the Commission, upon completion of an investigation commenced on its own initiative after forming a reasonable belief that the law has been breached, and if satisfied that the data controller or data processor has breached any provision of the NDPA or subsidiary legislation made under the Act, may take any appropriate enforcement action or impose penalties on data controllers or data processors. Section 48(2)(d) of the NDPA provides that an enforcement order includes a penalty or remediation costs. In the case of a data controller or data processor of major importance (DCMI or DPMI), the fine or remediation fee under subsection (2)(d) may be an amount up to the greater of N10,000,000 and 2% of a person's gross annual income in the previous financial year.
CONCLUSION
Data controllers and data processors must commence the registration process with the Commission. The services of a licensed Data Protection Compliance Officer (DPCO) should be engaged to ensure an efficient registration process. Entities eligible under the guidelines must register before the deadline. Failure to register will potentially subject the organization to sanctions. Notably, the essence of data protection compliance is to gain customer trust. Therefore, we believe that any type of fine or imposition of penalty will inevitably damage the reputation of the organization.
This summary is intended for informational purposes only and does not constitute legal advice. For further guidance on interpreting the NDPC Notice, contact us at lawyers@nijioni.com.