{"id":4243,"date":"2024-04-21T17:18:54","date_gmt":"2024-04-21T17:18:54","guid":{"rendered":"https:\/\/trustedadvisorslaw.com\/?p=4243"},"modified":"2024-04-21T17:19:03","modified_gmt":"2024-04-21T17:19:03","slug":"ndpc-guidance-notice-registration-of-data-controllers-and-processors-in-nigeria-explained","status":"publish","type":"post","link":"https:\/\/trustedadvisorslaw.com\/ndpc-guidance-notice-registration-of-data-controllers-and-processors-in-nigeria-explained\/","title":{"rendered":"NDPC Guidance Notice: Registration of Data Controllers and Processors in Nigeria Explained"},"content":{"rendered":"\n
On June 12, 2023, the Nigeria Data Protection Act, 2023 (NDPA) was signed into law by President Bola Ahmed Tinubu marking a significant milestone in the Nigerian data privacy and protection jurisprudence. A major highlight of the NDPA however is the creation of Data Controllers and Data Processors of Major Importance (DCPMI) who must be registered with the commission within 6 months of the commencement of the Act or on becoming a DCPMI.<\/p>\n\n\n\n
While this has been lauded as a significant highlight of the Act, it has been criticized on the basis that the Act failed to specify who DCPMIs are. This has seen stakeholders and privacy enthusiasts wait for the NDPC\u2019s Notice\/Guideline in that regard. It therefore came as a relief when the NDPC by a guidance Notice dated February 14, 2024, and pursuant to Sections 5d, 6(c), 44, 45, and 65 <\/strong>of the NDPA released the Guidance Notice on Registration of DCPMIs.<\/p>\n\n\n\n It is against this background that this piece aims to examine the NDPC\u2019s Guidance Notice dated February 14, 2024 viz-a-viz its provisions.<\/p>\n\n\n\n WHO IS A DATA CONTROLLER AND PROCESSOR OF MAJOR IMPORTANCE (DCPMI)?<\/strong><\/p>\n\n\n\n According to the NDPA, a DCPMI is a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate[i]<\/a><\/p>\n\n\n\n Paragraph 1 of the NDPC’s Guidance Notice however defines a DCPMI as a data controller or processor with \u201cparticular value or significance to the economy, society or security of Nigeria\u201d who keeps or has access to a filing system (whether analog or digital) for the processing of personal data and<\/p>\n\n\n\n Additionally, data controllers and processors under a fiduciary relationship with a data subject by reason of which they are expected to keep confidential information on behalf of the data subject shall be regarded as a DCPMI.[ii]<\/a><\/p>\n\n\n\n CLASSIFICATION OF DCPMIs & FEES PAYABLE<\/strong><\/p>\n\n\n\n DCPMIs are classified into three categories namely:<\/p>\n\n\n\n These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:<\/p>\n\n\n\n Organizations under this category of DCPMI include Commercial banks operating at the national or regional level, Telecommunication companies, Insurance companies, Multinational companies, Electricity distribution companies, Oil and Gas companies, Public social media app developers and proprietors, Public e-mail App developers and proprietors, Communication devices manufacturers, Payment gateway service providers, etc and are expected to pay a registration fee of N250,000 (Two hundred and Fifty Thousand Naira.<\/p>\n\n\n\n Additionally, organizations that process personal data of over 5,000 (Five Thousand) data subjects in 6 (six) months are also categorized under the MDP-UHL).<\/p>\n\n\n\n These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:<\/p>\n\n\n\n Organizations under this category of DCPMIs include Ministries, Departments, and Agencies (MDAs)of government, Micro Finance Banks, Higher Institutions, Hospitals providing tertiary or secondary medical services, and Mortgage Banks. These categories of DCPMIs are required to pay the sum of N100,000 (One Hundred Thousand Naira).<\/p>\n\n\n\n Additionally, organizations that process personal data of over 1,000 (One Thousand) data subjects in 6 (six) months are also categorized under the MDP-EHL).<\/p>\n\n\n\n These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:<\/p>\n\n\n\n These categories of DCPMIs are required to pay the sum of N10,000 (Ten Thousand Naira). Additionally, organizations that process personal data of over 200 (Two Hundred) data subjects in 6 (six) months are also categorized under the MDP-OHL).<\/p>\n\n\n\n REGISTRATION REQUIREMEMNT FOR EXISTING DCPMIs<\/strong><\/p>\n\n\n\n Existing DCPMIs are required to register with the NDPC between January 30, 2024 \u2013 June 30, 2024.<\/p>\n\n\n\n FAILURE TO REGISTER<\/strong><\/p>\n\n\n\n Failure of DCPMIs to register on or before the due date as well as failure to register at all shall be deemed a default on the part of the DCPMI concerned which shall attract penalties as stipulated under the NDPA. The appropriate penalty shall be the greater of the sum of N10,000,000 (Ten Million Naira) and 2% of the DCPMI\u2019s annual gross revenue in the preceding financial year.<\/p>\n\n\n\n CONCLUSION<\/strong><\/p>\n\n\n\n The NDPC\u2019s Guideline on Registration of DCPMIs is a welcome development as it is a long overdue guideline helping to put succor and provide guidance to the absence of a direction on the registration requirement for DCPMIs as stipulated under the NDPA.<\/p>\n\n\n\n [i]<\/a> See section 65 of the NDPA<\/p>\n\n\n\n [ii]<\/a> This is important taking into consideration the significant harm that may be done to a data subject if such data controller or processor is not under the obligations imposed on a DCPMI.<\/p>\n\n\n\n <\/p>\n\n\n\n Written by\u00a0<\/strong>Muhiz Adisa<\/strong><\/a>\u00a0for\u00a0The Trusted Advisors<\/strong><\/a><\/p>\n\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n