Understanding Data Controller and Processor Registration in Nigeria
The personal data of citizens and persons in Nigeria are being processed by various organisations for a myriad of reasons within and outside Nigeria.
It is important for the privacy and security of data subjects to ensure that their data are processed by only genuine persons or organizations for genuine reasons recognised by law.
The Nigeria Data Protection Act, 2023 under section 5(d), empowers the Nigeria Data Protection Commission to designate data controllers and data processors of major importance who are to register with the Commission. Read more here.
The Commission (NDPC) specifically referred to data controllers of major importance under section 5(d) of the NDPC Act as the only eligible organisations for registration. In line with its mandate to, among others, take into account data controllers and data processors with “particular value or significance to the economy, society or security of Nigeria” in the designation of data controllers and data processors of major importance NDPC has issued a Guidance Notice on the Registration of Data Controllers and Processors of Major Importance.
This guidance aims to ensure compliance with data handling rules and promote transparency in data management practices.
Who Needs to Register?
If you or your business handles or assists with data management, you may need to register with the NDPC. Specifically, you should register if;
You keep or have access to a filing system for processing personal data.
You process personal data of more than 200 data subjects in six months.
You carry out commercial Information Communication Technology (ICT) services on digital devices belonging to others.
You process personal data in sectors such as finance, communication, health, education, insurance, etc., or if you are in a fiduciary relationship with a data subject.
Classification of Data Controllers and Processors
NDPC classifies data controllers and processors into three levels:
1. Major Data Processing-Ultra High Level (MDP-UHL): This category includes entities that handle sensitive personal data, engage in substantial cross-border data flows, and process personal data on a large scale. Processing the personal data of over 5,000 (Five-Thousand) data subjects through the means of technology under its technical control or through a service contract.
2. Major Data Processing-Extra High Level (MDP-EHL): Entities falling under this category also handle significant amounts of personal data but may not reach the scale of MDP-UHL. They are still expected to follow global best practices in data protection. Processing the personal data of over 1,000 (One-Thousand) data subjects through the means of technology under their technical control or through a service contract.
3. Major Data Processing-Ordinary High Level (MDP-OHL): This category includes entities with lower volumes of personal data processing but are still subject to data protection regulations. Processing the personal data of over 200 (two hundred) data subjects through the means of technology under their technical control or through a service contract.
Specific Types of Data Controllers and Data Processors in Nigeria and Fees
MDP-UHL: Includes Commercial banks operating at national or regional level, Telecommunication companies, Insurance companies, Public social media app developers and proprietors, Communication devices manufacturer, and Payment gateway service providers. Fees for registration vary based on the entity's size and scope of operations.
MDP-EHL: Includes Ministries, Departments and Agencies (MDAs) of government, Micro Finance Banks, Higher Institution, Hospitals providing tertiary or secondary medical services, and Mortgage Banks. Fees are determined similarly based on the entity's characteristics.
MDP-OHL: Includes Small and Medium Scale Enterprises, Primary and Secondary Schools, Primary Health Centre, Agents, contractors and vendors who engage with data subjects
Registration Deadlines
Existing data controllers and processors must register with the NDPC between January 30, 2024, and June 30, 2024. Failure to register within this timeframe may result in penalties as stipulated in the Data Protection Act.
Ensuring compliance with data protection regulations is essential for businesses operating in Nigeria. By understanding the registration requirements and deadlines set forth by the NDPC, entities can uphold the privacy rights of individuals and maintain trust in their data management practices.
We can help you begin your registration with NDPC; Contact: support@smartcomplyapp.com cs@smartcomplyapp.com 08133262024
Follow our blogs here and here to read more updates from us.
Feel free to follow us across our social media platforms to learn more from us; Facebook, LinkedIn, Twitter and Instagram
Request an instant demo: https://www.smartcomplyapp.com/book-a-demo
Comments
Post a Comment