Breakdown of the Nigeria Data Protection Commission’s Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance.

In June 2023, the Nigeria Data Protection Act (the Act) was signed into law to provide a safe mechanism for processing citizens’ data and to meet international standards for the privacy and protection of personal data. The Act imposes specific compliance obligations on businesses and data handlers concerning the processing of personal data. One crucial requirement is registration with the Nigeria Data Protection Commission (the Commission). This registration enables the Commission to maintain a comprehensive list of compliant organizations and efficiently identify those that have failed to adhere to the provisions of the Act. Section 44(1) of the Act mandates that data controllers and data processors of significant importance must register with the Commission within six (6) months following the commencement of the Act or upon assuming the role of a data controller or data processor of significant importance.

However, the Act does not explicitly set out the requirements and criteria for identifying data controllers and processors of significant importance. To address this, the Commission, exercising its power under Section 6(c) of the Act to establish rules and regulations as needed, issued a guidance notice on February 14, 2024, on the registration of data controllers and data processors of major importance. The notice covers the designation and classification of data controllers and processors of major importance, as well as the requirements, the timeframe, and the consequences of non-compliance.

The initial June 30th, 2024 registration deadline for data controllers and data processors of major importance has now been extended by the Commission to September 30th, 2024.

The details of the guidance are stated below:

Purposive designation of data controllers and data processors of major importance.

An organization will be designated as a data controller or data processor of major importance in the following circumstances:

1. Where a data controller or data processor has particular value or significance to the economy, society, or security of Nigeria, and if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data, it shall be designated as a data controller or data processor of major importance if any of the following criteria are met:

  • Processes the personal data of more than 200 (Two-Hundred) data subjects in six months; or
  • Carries out commercial Information Communication Technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or
  • Processes personal data as an organisation or a service provider in any of the following sectors: i. Financial; ii. Communication; iii. Health; iv. Education; v. Insurance; vi. Export and Import; vii. Aviation; viii. Tourism; ix. Oil and Gas; x. Electric Power.

2. Where a data controller or a data processor is in a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject, it shall be regarded as a data controller or a data processor of major importance, taking into consideration the significant harm that may be done to a data subject if such a data controller or processor is not under the obligations imposed on data controllers or processors of major importance.

Classification of Data Controllers and Data Processors of Major Importance

The Commission classifies data controllers and data processors of major importance into 3 (three) categories based on the level of data processing, namely:

  1. Major Data Processing-Ultra High Level (MDP-UHL)
  2. Major Data Processing-Extra High Level (MDP-EHL)
  3. Major Data Processing-Ordinary High Level (MDP-OHL)


1. Major Data Processing-Ultra High Level (MDP-UHL)

a. Organisations covered under this category:

i. Commercial banks operating at national or regional level; ii. Telecommunication companies; iii. Insurance companies; iv. Multinational companies; v. Electricity distribution companies; vi. Oil and Gas companies; vii. Public social media app developers and proprietors; viii. Public e-mail app developers and proprietors; ix. Communication devices manufacturers; x. Payment gateway service providers; and xi. Any other organization that processes the personal data of over 5,000 data subjects in six months.

b. Factors to consider in determining data controllers and processors of major importance that fall under the MDP-UHL:

  • Processing of personal data of over 5,000 data subjects in six months;
  • The sensitivity of personal data in their care;
  • Data-driven financial assets entrusted in their care by data subjects;
  • Reliance on third-party servers for the purpose of substantial processing of personal data;
  • Substantial involvement in cross-border data flows;
  • Legal competence to generate revenue on a commercial scale;
  • The need for international standard certifications for people, processes, and technologies involved in data confidentiality, integrity, and availability; and
  • The need for accountability.

c. Compliance for organisations under this classification

Data controllers and data processors under this classification (MDP-UHL), amongst other compliance obligations, are generally expected to abide by Global and the Highest Attainable Standards of Data Protection. Data controllers and data processors in the MDP-UHL are required to pay two hundred and fifty thousand Naira (N250,000) as registration fees.


2. Major Data Processing-Extra High Level (MDP-EHL)

a. Organisations covered under this category:

i. Ministries, Departments, and Agencies (MDAs) of government; ii. Micro Finance Banks; iii. Higher Institutions; iv. Hospitals providing tertiary or secondary medical services; v. Mortgage Banks; and vi. Any other organisation that processes personal data of over 1,000 data subjects in six months.

b. Factors to consider in determining data controllers and processors of major importance that fall under the MDP-EHL:

  • Processing of personal data of over 1,000 data subjects in six months;
  • Functions as an establishment of government;
  • The sensitivity of personal data in their care;
  • Data-driven financial assets entrusted in their care by data subjects;
  • Reliance on third-party servers for the purpose of substantial processing of personal data;
  • Substantial involvement in cross-border data flows;
  • Legal competence to generate revenue on a commercial scale;
  • The need for international standard certifications for people, processes, and technologies involved in data confidentiality, integrity, and availability; and
  • The need for accountability.

c. Compliance for organisations under this classification

Data controllers and data processors under this classification (MDP-EHL), amongst other compliance obligations, are generally expected to abide by Global Best Practices of Data Protection. Data controllers and data processors in the MDP-EHL are required to pay one hundred thousand Naira (N100,000) as registration fees.


3. Major Data Processing-Ordinary High Level (MDP-OHL)

a. Organisations covered under this category:

i. Small and Medium Scale Enterprises (those that have access to personal data which they may share, transfer, analyse, copy, compute, or store in the course of carrying out their businesses); ii. Primary and Secondary Schools; iii. Primary Health Centres; iv. Agents, contractors, and vendors who engage with data subjects on behalf of other organisations that are in the MDP-UHL and MDP-EHL categories; and v. Any other organisation that processes personal data of over 200 data subjects in six months.

b. Factors to consider in determining data controllers and processors of major importance that fall under the MDP-OHL:

  • Processing of personal data of over 200 data subjects in six months;
  • The sensitivity of personal data in their care;
  • Inherent vulnerability of data subjects they typically engage with;
  • High risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner;
  • The need for adequate technical and organisational measures for data protection;
  • The need for international standard certifications for people, processes, and technologies involved in data confidentiality, integrity, and availability; and
  • The need for accountability.

c. Compliance for organisations under this classification:

Data controllers and data processors under this classification (MDP-OHL), amongst other compliance obligations, are generally expected to abide by Global Best Practices of Data Protection. Data controllers and data processors in the MDP-OHL are required to pay ten thousand Naira (N10,000) as registration fees.


The time frame for compliance and liability upon default

Existing data controllers and data processors that fall under any of the above classifications are required to register with the Commission by the extended date, September 30th, 2024. Any data controller or data processor that fails to register, or registers after the due date, shall be deemed to be in default under the Act, and a data controller or data processor who is in default is liable to regulatory sanction in the form of an enforcement commencement action or fine. Registration can be done via the Commission’s Information Management Portal: https://services.ndpc.gov.ng/


Registration with the Commission: Section 44(2) of the Act

Pursuant to Section 44 of the Act, the existing data controllers and data processors shall register with the Commission by notifying and providing the Commission with the following information:

  • the name and address of the data controller or data processor, and name and address of the data protection officer of the data controller or data processor;
  • a description of personal data and the categories and number of data subjects to which the personal data relate;
  • the purposes for which personal data is processed;
  • the categories of recipients to whom the data controller or data processor intends or is likely to disclose personal data;
  • the name and address, or name and address of any representative of any data processor operating directly or indirectly on its behalf;
  • the country to which the data controller or data processor intends, directly or indirectly to transfer the personal data;
  • a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data;
  • payment of the required fees; and
  • any other information required by the Commission.


It is imperative for all data controllers and data processors that meet the registration threshold to comply with the regulation to avoid any form of penalty.


