REGULATORY UPDATE

On 14th February 2024 the Nigeria Data Protection Commission (‘the Commission’) released a Guidance Notice on the Registration of Data Controllers and Processors of Major Importance [NDPC/HQ/GN/VOL.02/24] (‘the Guidance Notice’) providing clarity as to designation and categorisation of Data Controllers and Data Processors of Major Importance who are required to register with the Commission.

A. Background

The Nigeria Data Protection Act (NDPA) 2023 introduced the categorisation of data processors and data controllers into data controllers and processors of major importance and data controllers and processors not of major importance. Section 44 of the NDPA provides that data processors and data controllers of major importance are required to register with the Commission 6 months after the commencement of the Act. Section 65 of the NDPA further defines a data processor and controller of major importance as an organisation that ‘is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate’.

B. Designation of Data Controllers and Processors of Major Importance

Further to the definition of data controllers and data processors of major importance, and the provision of section 5(d) of the NDPA that empowers the Commission to designate data controllers and processors of major importance who are to register with the Commission, the Commission issued the aforementioned Guidance Notice to provide a clear description in the determination of a data controller or processor of major importance. Thus, a data controller and processor shall be designated to be a data controller and processor of major importance and deemed to carry on processing of ‘particular value or significance to the economy, society or security of Nigeria’ if:

a. It keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and
b. Processes the personal data of more than 200 (two hundred) data subjects in six months; or
c. Carries out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity and belongs to another individual; or
d. Processes personal data as an organisation or a service provider in any of the following sectors:

Financial

Communication

Health

Education

Aviation

Insurance

Export and Import

Electric Power

Tourism

Oil and Gas

Furthermore, a data controller or data processor shall be designated a data controller or data processor of major importance where such a data controller or processor is under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject, taking into account the significant harm that may be done by the data subject if such a data controller or processor is not under such obligations imposed by virtue of being designated a data controller or processor of major importance.

C. Classification of Data Controllers and Processors of Major Importance

The Commission has classified data controllers and data processors into 3 categories of data processing. The registration of data controllers and processors of major importance is subject to these categories and their prescribed official fees, and the sectors/organisations that fall within the categories, as provided for by the Commission. These categories are:

1. Major Data Processing-Ultra High Level (MDP-UHL): This category of data controllers and processors of major importance is required to, among other obligations, abide by global and highest attainable standards of data protection, taking into account any 5 (five) of the following factors:
a. The sensitivity of personal data in their care;
b. Data driven financial assets entrusted in their care by data subjects;
c. Reliance on third party servers or cloud computing services for the purpose of substantial processing of personal data;
d. Substantial involvement in cross-border data flows;
e. Processing the personal data of over 5,000 (five thousand) data subjects through the means of technology under its technical control or through a service contract;
f. Legal competence to generate revenue on a commercial scale;
g. The need for international standard certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
h. The need for accountability.

MDP-UHL shall also include organisations that process personal data of over 5,000 (five thousand) data subjects within 6 (six) months.

2. Major Data Processing-Extra High Level (MDP-EHL): this category of data controllers and processors of major importance is, among other obligations, generally expected to abide by global best practices of data protection taking into account any 5 (five) of the following factors:
a. The sensitivity of personal data in their care;
b. Data driven financial assets entrusted in their care by data subjects;
c. Functions as an establishment of government;
d. Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;
e. Substantial involvement in cross-border data flows;
f. Processing the personal data of over 1,000 (one thousand) data subjects through the means of technology under their technical control or through a service contract;
g. Legal competence to generate revenue on a commercial scale;
h. The need for reputable and standardised certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
i. The need for accountability.

MDP-EHL shall also include organisations that process personal data of over 1,000 (one thousand) data subjects within 6 (six) months.

3. Major Data Processing-Ordinary High Level (MDP-OHL): this category of data controllers and processors of major importance is, among other obligations, generally expected to abide by global best practices of data protection taking into account any 4 (four) of the following factors:
a. The sensitivity of data assets in their care;
b. Inherent vulnerability of data subjects they typically engage with;
c. High risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner;
d. Processing the personal data of over 200 (two hundred) data subjects through the means of technology under their technical control or through a service contract;
e. The need for adequate technical and organisational measures for data protection;
f. The need for reputable and standardised certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
g. The need for accountability.

MDP-OHL shall also include organisations that process personal data of over 200 (two hundred) data subjects within 6 (six) months.

Conclusion

Existing data controllers and data processors are to register with the Commission between 30th January 2024 and 30th June 2024. Failure to register or registration after the due date shall be deemed a default under the NDPA and such defaulting data controller or processor shall be liable to the penalty.

It is therefore imperative that data controllers and data processors commence the registration process with the Commission. It is advisable that the services of a licensed Data Protection Compliance Officer (DPCO) be engaged to ensure an efficient registration process.

About Stren & Blan Partners: 

Stren & Blan Partners is a full-service commercial Law Firm that provides legal services to diverse local and multinational corporations. We have developed a clear vision for anticipating our clients’ business needs and surpassing their expectations, and we do this with an uncompromising commitment to Client service and legal excellence. Stren & Blan Partners is a licensed Data Protection Compliance Officer (DPCO).