The Nigeria Data Protection Act, 2023 ("the Act") establishes a requirement for a specific category of data controllers and processors to mandatorily register with the Nigerian Data Protection Commission (NDPC). This mandatory registration serves as a crucial compliance measure, considering the heightened risks associated with mishandling or breaching data security in their operations. The criteria for this category, designated as data controllers and processors of major importance, are to be determined and outlined by the NDPC. In a Guidance Notice issued by the NDPC on February 14, 2024, the following criteria have been established for such a designation:
A data controller or processor is considered of major importance if it:
1. Keeps or has access to a system for processing personal data (like a database), whether it is physical or digital, and meets one of the following conditions:
(a) Processes personal data of more than 200 individuals within six months.
(b) Provides commercial Information Communication Technology (ICT) services on digital devices owned by others, with storage capacity.
(c) Operates in specific sectors such as finance, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, or electric power.
2. Is in a fiduciary relationship with a data subject, meaning it holds confidential information on behalf of the data subject. This is particularly significant because of the potential harm to the data subject if the controller or processor fails to protect their data properly.
For the purpose of registration, data controllers and processors of major importance are further classified into three levels:
(a) Major Data Processing-Ultra High Level (MDP-UHL)
(b) Major Data Processing-Extra High Level (MDP-EHL)
(c) Major Data Processing-Ordinary High Level (MDP-OHL)
Implications of Registration
Compliance with the Act
Publication on the NDPC website as being in compliance.
Close monitoring by the NDPC as data controllers or processors are required to notify the Commission of any significant changes to the information provided during registration. This ensures that the Commission remains informed about developments in data processing activities and can assess their compliance with regulatory requirements.
Although there is no requirement for incorporation in Nigeria, registration mandates providing the name and address of the data processor or its representative, whether operating directly or indirectly, acting on behalf of a data controller. Additionally, the registrant is required to specify the country to which the data controller or processor intends to transfer the personal data, either directly or indirectly.
Finally, data controllers and processors are mandated to finalise their registration within the designated period, which commences on January 30th, 2024, and concludes on June 30th, 2024. Neglecting to register within this timeframe or registering after the designated deadline will constitute a breach of the Act. Furthermore, data controllers or processors found to be in default of this obligation will be subject to penalties as outlined in the Act. Notably, data controllers and processors of major importance may face penalties at the maximum amount of Ten Million Naira or 2% of their annual gross revenue for the preceding financial year, whichever is higher.