{"id":4243,"date":"2024-04-21T17:18:54","date_gmt":"2024-04-21T17:18:54","guid":{"rendered":"https:\/\/trustedadvisorslaw.com\/?p=4243"},"modified":"2024-04-21T17:19:03","modified_gmt":"2024-04-21T17:19:03","slug":"ndpc-guidance-notice-registration-of-data-controllers-and-processors-in-nigeria-explained","status":"publish","type":"post","link":"https:\/\/trustedadvisorslaw.com\/ndpc-guidance-notice-registration-of-data-controllers-and-processors-in-nigeria-explained\/","title":{"rendered":"NDPC Guidance Notice: Registration of Data Controllers and Processors in Nigeria Explained"},"content":{"rendered":"\n

On June 12, 2023, the Nigeria Data Protection Act, 2023 (NDPA) was signed into law by President Bola Ahmed Tinubu marking a significant milestone in the Nigerian data privacy and protection jurisprudence. A major highlight of the NDPA however is the creation of Data Controllers and Data Processors of Major Importance (DCPMI) who must be registered with the commission within 6 months of the commencement of the Act or on becoming a DCPMI.<\/p>\n\n\n\n

While this has been lauded as a significant highlight of the Act, it has been criticized on the basis that the Act failed to specify who DCPMIs are. This has seen stakeholders and privacy enthusiasts wait for the NDPC\u2019s Notice\/Guideline in that regard. It therefore came as a relief when the NDPC by a guidance Notice dated February 14, 2024, and pursuant to Sections 5d, 6(c), 44, 45, and 65 <\/strong>of the NDPA released the Guidance Notice on Registration of DCPMIs.<\/p>\n\n\n\n

It is against this background that this piece aims to examine the NDPC\u2019s Guidance Notice dated February 14, 2024 viz-a-viz its provisions.<\/p>\n\n\n\n

WHO IS A DATA CONTROLLER AND PROCESSOR OF MAJOR IMPORTANCE (DCPMI)?<\/strong><\/p>\n\n\n\n

According to the NDPA, a DCPMI is a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate[i]<\/a><\/p>\n\n\n\n

Paragraph 1 of the NDPC’s Guidance Notice however defines a DCPMI as a data controller or processor with \u201cparticular value or significance to the economy, society or security of Nigeria\u201d who keeps or has access to a filing system (whether analog or digital) for the processing of personal data and<\/p>\n\n\n\n

    \n
  1. Processes the personal data of more than 200 (Two-Hundred) data subjects in six months; or<\/li>\n\n\n\n
  2. Carries out commercial Information Communication Technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or<\/li>\n\n\n\n
  3. Processes personal data as an organization or a service provider in any of the following sectors:<\/li>\n\n\n\n
  4. Financial<\/li>\n\n\n\n
  5. Communication<\/li>\n\n\n\n
  6. Health<\/li>\n\n\n\n
  7. Education<\/li>\n\n\n\n
  8. Insurance<\/li>\n\n\n\n
  9. Export and Import<\/li>\n\n\n\n
  10. Aviation<\/li>\n\n\n\n
  11. Tourism<\/li>\n\n\n\n
  12. Oil and Gas<\/li>\n\n\n\n
  13. Electric Power<\/li>\n<\/ol>\n\n\n\n

    Additionally, data controllers and processors under a fiduciary relationship with a data subject by reason of which they are expected to keep confidential information on behalf of the data subject shall be regarded as a DCPMI.[ii]<\/a><\/p>\n\n\n\n

    CLASSIFICATION OF DCPMIs & FEES PAYABLE<\/strong><\/p>\n\n\n\n

    DCPMIs are classified into three categories namely:<\/p>\n\n\n\n

      \n
    1. Major Data Processing-Ultra High Level (MDP-UHL)<\/li>\n\n\n\n
    2. Major Data Processing-Extra High Level (MDP-EHL)<\/li>\n\n\n\n
    3. Major Data Processing-Ordinary High Level (MDP-OHL)<\/li>\n<\/ol>\n\n\n\n
        \n
      1. Major Data Processing-Ultra High Level (MDP-UHL):<\/strong><\/li>\n<\/ol>\n\n\n\n

        These are DCPMIs who, among other obligations, are generally expected to abide by global and highest attainable standards of data protection taking into account:<\/p>\n\n\n\n

          \n
        1. The sensitivity of personal data in their care;<\/li>\n<\/ol>\n\n\n\n
            \n
          1. Data-driven financial assets entrusted in their care by data subjects;<\/li>\n\n\n\n
          2. Reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data;<\/li>\n\n\n\n
          3. Substantial involvement in cross-border data flows;<\/li>\n\n\n\n
          4. Processing the personal data of over 5,000 (Five-Thousand data subjects through the means of technology under its technical control or through a service contract;<\/li>\n\n\n\n
          5. Legal competence to generate revenue on a commercial scale;<\/li>\n\n\n\n
          6. The need for international standard certifications for people, processes, and technologies involved in data confidentiality, integrity, and availability; and<\/li>\n\n\n\n
          7. The need for accountability<\/li>\n<\/ol>\n\n\n\n

            Organizations under this category of DCPMI include Commercial banks operating at the national or regional level, Telecommunication companies, Insurance companies, Multinational companies, Electricity distribution companies, Oil and Gas companies, Public social media app developers and proprietors, Public e-mail App developers and proprietors, Communication devices manufacturers, Payment gateway service providers, etc and are expected to pay a registration fee of N250,000 (Two hundred and Fifty Thousand Naira.<\/p>\n\n\n\n

            Additionally, organizations that process personal data of over 5,000 (Five Thousand) data subjects in 6 (six) months are also categorized under the MDP-UHL).<\/p>\n\n\n\n