On the 14th Day of February 2023, the Nigeria Data Protection Commission (“the commission” or “NDPC”) issued a Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance (“Guidance Notice”). In this publication, we provide an insight into what businesses need to know for the purpose of compliance with the Notice.
Who is a data controller or data processor of major importance?
The Nigeria Data Protection Act (“the Act”) defines a “data controller or data processor of major importance” as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.
A data controller or data processor shall qualify to be one of Major Importance if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and:
- Processes the personal data of more than 200 (Two-Hundred) data subjects in six months; or
- Carries out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity and belongs to another individual; or
- Processes personal data as an organisation or a service provider in any one of the following sectors: financial, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, and electric power.
Is there any other category of data controllers or data processors that can qualify to be of major importance?
Yes. A Data Controller or a Data Processor who is under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject shall be regarded as a Data Controller or a Data Processor of Major Importance. This category of data controller or processor is quite vague. At any rate, any organization that by its nature keeps confidential information of data subjects is deemed a data controller or processor of major importance.
What are the categories of Data Controllers and Data Processors of Major Importance?
The three categories of Data Controllers and Data Processors of Major Importance are as follows:
- Major Data Processing-Ultra High Level (MDP-UHL)
- Major Data Processing-Extra High Level (MDP-EHL)
- Major Data Processing-Ordinary High Level (MDP-OHL)
How do I determine a Data Controller or Data Processor of Major Importance in the category of Major Data Processing-Ultra High Level (MDP-UHL)?
A Data Controller or a Data Processor of Major Importance is regarded as being in the category of Major Data Processing-Ultra High Level (MDP-UHL) if, among other obligations, such entity is generally expected to abide by global and highest attainable standards of data protection, taking into account the following factors:
- The sensitivity of personal data in their care;
- Data driven financial assets entrusted in their care by data subjects;
- Reliance on third party servers or cloud computing services for the purpose of substantial processing of personal data;
- Substantial involvement in cross-border data flows;
- Processing the personal data of over 5,000 (Five-Thousand) data subjects through the means of technology under its technical control or through a service contract;
- Legal competence to generate revenue on a commercial scale;
- The need for international standard certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
- The need for accountability.
Note: The presence of any 5 (five) of the above-listed factors suffices for being classified as a Data Controller or a Data Processor of Major Importance in the category of Major Data Processing-Ultra High Level (MDP-UHL).
Examples include: commercial banks operating at national or regional level, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, oil and gas companies, public social media app developers and proprietors, public e-mail app developers and proprietors, communication devices manufacturers, payment gateway service providers etc.
Also, any organisation, aside from those listed above, that processes personal data of over 5,000 (Five-Thousand) data subjects in 6 (six) months falls in the category of Major Data Processing-Ultra High Level (MDP-UHL).
How do I determine a Data Controller or a Data Processor of Major Importance in the category of Major Data Processing-Extra High Level (MDP-EHL)?
A Data Controller or a Data Processor of Major Importance is regarded as being in the category of Major Data Processing-Extra High Level (MDP-EHL) if, among other obligations, such entity is generally expected to abide by global and highest attainable standards of data protection, taking into account the following factors:
- The sensitivity of personal data in their care;
- Data driven financial assets entrusted in their care by data subjects;
- Functions as an establishment of government;
- Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;
- Substantial involvement in cross-border data flows;
- Processing the personal data of over 1,000 (One-Thousand) data subjects through the means of technology under their technical control or through a service contract;
- Legal competence to generate revenue on a commercial scale;
- The need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability; and
- The need for accountability.
Note: The presence of any 5 (five) of the above-listed factors suffices for being classified as a Data Controller or a Data Processor of Major Importance in the category of Major Data Processing-Extra High Level (MDP-EHL).
Examples include: Ministries, departments and agencies (MDAs) of government; micro finance banks; higher institutions; hospitals providing tertiary or secondary medical services; and mortgage banks.
Also, any organisation, aside from those listed above, that processes personal data of over 1,000 (One-Thousand) data subjects in 6 (six) months falls in the category of Major Data Processing-Extra High Level (MDP-EHL).
How do I determine a Data Controller or a Data Processor of Major Importance in the category of Major Data Processing-Ordinary High Level (MDP-OHL)?
A Data Controller or a Data Processor of Major Importance is regarded as being in the category of Major Data Processing-Ordinary High Level (MDP-OHL) if, among other obligations, such entity is generally expected to abide by global and highest attainable standards of data protection, taking into account the following factors:
- The sensitivity of data assets in their care;
- Inherent vulnerability of data subjects they typically engage with;
- High risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner;
- Processing the personal data of over 200 (two hundred) data subjects through the means of technology under their technical control or through a service contract;
- The need for adequate technical and organisational measures for data protection;
- The need for reputable and standardised certifications for people, processes and technologies involved in data confidentiality, integrity and availability; and
- The need for accountability.
The presence of any 4 (four) of the above-listed factors suffices for being classified as a Data Controller or a Data Processor of Major Importance in the category of Major Data Processing-Ordinary High Level (MDP-OHL).
Examples include: small and medium scale enterprises (these must be such that have access to personal data which they may share, transfer, analyse, copy, compute or store in the course of carrying out their individual businesses); primary and secondary schools; primary health centres; and agents, contractors and vendors who engage with data subjects on behalf of other organisations that are in the category of MDP-UHL and MDP-EHL.
Also, any organisation, aside from those listed above, that processes personal data of over 200 (Two-Hundred) data subjects in 6 (six) months falls in the category of Major Data Processing-Extra High Level (MDP-EHL).
Is Registration Mandatory for a Data Controller or a Data Processor of Major Importance?
Yes.
Is there a fee payable for Registration by a Data Controller or a Data Processor of Major Importance?
The fee payable is determined by the category into which the Data Controller or Data Processor of Major Importance falls. These are:
- Major Data Processing-Ultra High Level (MDP-UHL) – N250,000 (Two Hundred and Fifty Thousand Naira)
- Major Data Processing-Extra High Level (MDP-EHL) – N100,000 (One Hundred Thousand Naira)
- Major Data Processing-Ordinary High Level (MDP-OHL) – N10,000 (Ten Thousand Naira).
When is the registration window opened?
Registration for existing data controllers and data processors is between 30th January, 2024 and 30th June, 2024. Registration after the due date or failure to register is considered as a default under the Act and a data controller or data processor who is in default is liable to a penalty as assessed by the Commission.
DISCLAIMER: This publication is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal advice on the readers’ specific circumstances when they arise. Contact us at info@folegal.net +234 906 632 4982