Understanding Data Controller and Processor Registration in Nigeria

The personal data of citizens and persons in Nigeria are being processed by various organisations for a myriad of reasons within and outside Nigeria.

It is important for the privacy and security of data subjects to ensure that their data are processed only by genuine persons or organisations for genuine reasons recognised by law.


The Nigeria Data Protection Act, 2023 under section 5(d), empowers the Nigeria Data Protection Commission to designate data controllers and data processors of major importance who are to register with the Commission.


The Commission (NDPC) specifically referred to data controllers of major importance under section 5(d) of the NDPC Act as the only eligible organisations for registration. In line with its mandate to, among others, take into account data controllers and data processors with “particular value or significance to the economy, society or security of Nigeria” in the designation of data controllers and data processors of major importance, NDPC has issued a Guidance Notice on the Registration of Data Controllers and Processors of Major Importance.


This guidance aims to ensure compliance with data handling rules and promote transparency in data management practices.


Who is a Data Controller/Data Processor in Nigeria?

Section 65 of the NDPC Act defines a data controller or data processor of major importance as an entity that is domiciled, resident in, or operating in Nigeria and that processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as the Commission may designate.

Here is how to know if you or your business is a data controller or processor of major importance in Nigeria.


- If you or your business keeps or has access to a filing system (whether analog or digital) for the processing of personal data.

- If you or your business processes the personal data of more than 200 (two hundred) data subjects in six months.


- If you or your business carries out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity and belongs to another individual.

- If you or your business processes personal data as an organisation or a service provider in any of the following sectors:
i.  Financial
ii.  Communication
iii.  Health
iv.  Education
v.  Insurance
vi.  Export and Import
vii.  Aviation
viii.  Tourism
ix.  Oil and Gas
x.  Electric Power

- If you or your business is in a fiduciary relationship with a data subject and is expected to keep their information confidential.

Who Needs to Register?

If you or your business handles or assists with data management, you may need to register with the NDPC. Specifically, you should register if:

  • You keep or have access to a filing system for processing personal data.

  • You process personal data of more than 200 data subjects in six months.

  • You carry out commercial Information Communication Technology (ICT) services on digital devices belonging to others.

  • You process personal data in sectors such as finance, communication, health, education, insurance, etc., or if you are in a fiduciary relationship with a data subject.


Classification of Data Controllers and Processors

NDPC classifies data controllers and processors into three levels:


1. Major Data Processing-Ultra High Level (MDP-UHL): This category includes entities that handle sensitive personal data, engage in substantial cross-border data flows, and process personal data on a large scale. These entities process the personal data of over 5,000 (five thousand) data subjects through the means of technology under their technical control or through a service contract.


2. Major Data Processing-Extra High Level (MDP-EHL): Entities falling under this category also handle significant amounts of personal data but may not reach the scale of MDP-UHL. They are still expected to follow global best practices in data protection. These entities process the personal data of over 1,000 (one thousand) data subjects through the means of technology under their technical control or through a service contract.


3. Major Data Processing-Ordinary High Level (MDP-OHL): This category includes entities that process lower volumes of personal data but are still subject to data protection regulations. These entities process the personal data of over 200 (two hundred) data subjects through the means of technology under their technical control or through a service contract.

Specific Types of Data Controllers and Data Processors in Nigeria and Fees

  • MDP-UHL: Includes commercial banks operating at national or regional level, telecommunication companies, insurance companies, public social media app developers and proprietors, communication device manufacturers, and payment gateway service providers. Fees for registration vary based on the entity's size and scope of operations.

  • MDP-EHL: Includes Ministries, Departments and Agencies (MDAs) of government, microfinance banks, higher institutions, hospitals providing tertiary or secondary medical services, and mortgage banks. Fees are determined similarly based on the entity's characteristics.

  • MDP-OHL: Includes small and medium scale enterprises, primary and secondary schools, primary health centres, and agents, contractors and vendors who engage with data subjects.


Registration Deadlines

Existing data controllers and processors must register with the NDPC between January 30, 2024, and June 30, 2024. Failure to register within this timeframe may result in penalties as stipulated in the Data Protection Act.

Ensuring compliance with data protection regulations is essential for businesses operating in Nigeria. By understanding the registration requirements and deadlines set forth by the NDPC, entities can uphold the privacy rights of individuals and maintain trust in their data management practices.
