On June 12, 2023, the Nigeria Data Protection Act, 2023 (NDPA) was signed into law by President Bola Ahmed Tinubu, marking a significant milestone in Nigerian data privacy and protection jurisprudence. A major highlight of the NDPA, however, is the creation of Data Controllers and Data Processors of Major Importance (DCPMI), who must be registered with the Commission within 6 months of the commencement of the Act or on becoming a DCPMI.

While this has been lauded as a significant highlight of the Act, it has been criticized on the basis that the Act failed to specify who DCPMIs are. This has seen stakeholders and privacy enthusiasts wait for the NDPC's Notice/Guideline in that regard. It therefore came as a relief when the NDPC, by a Guidance Notice dated February 14, 2024 and pursuant to Sections 5d, 6(c), 44, 45, and 65 of the NDPA, released the Guidance Notice on Registration of DCPMIs.

It is against this background that this piece aims to examine the NDPC's Guidance Notice dated February 14, 2024 vis-à-vis its provisions.

WHO IS A DATA CONTROLLER AND PROCESSOR OF MAJOR IMPORTANCE (DCPMI)?

According to the NDPA, a DCPMI is a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.[1]

Paragraph 1 of the NDPC's Guidance Notice, however, defines a DCPMI as a data controller or processor with "particular value or significance to the economy, society or security of Nigeria" who keeps or has access to a filing system (whether analog or digital) for the processing of personal data and:

a. Processes the personal data of more than 200 (Two-Hundred) data subjects in six months; or

b. Carries out commercial Information Communication Technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or

c. Processes personal data as an organization or a service provider in any of the following sectors:

   i. Financial

   ii. Communication

   iii. Health

   iv. Education

   v. Insurance

   vi. Export and Import

   vii. Aviation

   viii. Tourism

   ix. Oil and Gas

   x. Electric Power

Additionally, data controllers and processors under a fiduciary relationship with a data subject by reason of which they are expected to keep confidential information on behalf of the data subject shall be regarded as a DCPMI.[2]

CLASSIFICATION OF DCPMIs & FEES PAYABLE

DCPMIs are classified into three categories namely:

a. Major Data Processing-Ultra High Level (MDP-UHL)

b. Major Data Processing-Extra High Level (MDP-EHL)

c. Major Data Processing-Ordinary High Level (MDP-OHL)

a. Major Data Processing-Ultra High Level (MDP-UHL):

These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:

i. The sensitivity of personal data in their care;

ii. Data-driven financial assets entrusted in their care by data subjects;

iii. Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;

iv. Substantial involvement in cross-border data flows;

v. Processing the personal data of over 5,000 (Five-Thousand) data subjects through the means of technology under its technical control or through a service contract;

vi. Legal competence to generate revenue on a commercial scale;

vii. The need for international standard certifications for people, processes, and technologies involved in data confidentiality, integrity, and availability; and

viii. The need for accountability.

Organizations under this category of DCPMI include Commercial banks operating at the national or regional level, Telecommunication companies, Insurance companies, Multinational companies, Electricity distribution companies, Oil and Gas companies, Public social media app developers and proprietors, Public e-mail App developers and proprietors, Communication devices manufacturers, Payment gateway service providers, etc., and are expected to pay a registration fee of N250,000 (Two Hundred and Fifty Thousand Naira).

Additionally, organizations that process personal data of over 5,000 (Five Thousand) data subjects in 6 (six) months are also categorized under the MDP-UHL.

b. Major Data Processing-Extra High Level (MDP-EHL):

These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:

i. The sensitivity of personal data in their care;

ii. Data-driven financial assets entrusted in their care by data subjects;

iii. Functions as an establishment of government;

iv. Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;

v. Substantial involvement in cross-border data flows;

vi. Processing the personal data of over 1,000 (One-Thousand) data subjects through the means of technology under their technical control or through a service contract;

vii. Legal competence to generate revenue on a commercial scale;

viii. The need for reputable and standardized certifications for people, processes, and technologies involved in data confidentiality, integrity, and availability; and

ix. The need for accountability.

Organizations under this category of DCPMIs include Ministries, Departments, and Agencies (MDAs) of government, Micro Finance Banks, Higher Institutions, Hospitals providing tertiary or secondary medical services, and Mortgage Banks. These categories of DCPMIs are required to pay the sum of N100,000 (One Hundred Thousand Naira).

Additionally, organizations that process personal data of over 1,000 (One Thousand) data subjects in 6 (six) months are also categorized under the MDP-EHL.

c. Major Data Processing-Ordinary High Level (MDP-OHL):

These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:

i. The sensitivity of data assets in their care;

ii. Inherent vulnerability of data subjects they typically engage with;

iii. High risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner;

iv. Processing the personal data of over 200 (two hundred) data subjects through the means of technology under their technical control or through a service contract;

v. The need for adequate technical and organizational measures for data protection;

vi. The need for reputable and standardized certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and

vii. The need for accountability.

Organizations under this category of DCPMIs include Small and Medium Scale Enterprises (it must be such that have access to personal data which they may share, transfer, analyze, copy, compute or store in the course of carrying out their individual businesses), Primary and Secondary Schools, Primary Health Centers; and Agents, contractors and vendors who engage with data subjects on behalf of other organizations that are in the category of MDP-UHL and MDP-EHL.

These categories of DCPMIs are required to pay the sum of N10,000 (Ten Thousand Naira). Additionally, organizations that process personal data of over 200 (Two Hundred) data subjects in 6 (six) months are also categorized under the MDP-OHL.

REGISTRATION REQUIREMENT FOR EXISTING DCPMIs

Existing DCPMIs are required to register with the NDPC between January 30, 2024 and June 30, 2024.

FAILURE TO REGISTER

Failure of DCPMIs to register on or before the due date, as well as failure to register at all, shall be deemed a default on the part of the DCPMI concerned, which shall attract penalties as stipulated under the NDPA. The appropriate penalty shall be the greater of the sum of N10,000,000 (Ten Million Naira) and 2% of the DCPMI's annual gross revenue in the preceding financial year.

CONCLUSION

The NDPC's Guideline on Registration of DCPMIs is a welcome and long-overdue development, as it brings succor and provides guidance where there had been no direction on the registration requirement for DCPMIs stipulated under the NDPA.

Footnotes

1. See section 65 of the NDPA.

2. This is important taking into consideration the significant harm that may be done to a data subject if such data controller or processor is not under the obligations imposed on a DCPMI.
