On 14 February 2024, the Nigeria Data Protection Commission (also known as NDPC or ‘the Commission’) published a Guidance Notice (referred to as ‘the Notice’) outlining the procedure and requirements for registering significant data controllers and processors with the Commission. The Notice classified such data controllers into three categories based on the scale of their processing and required registration between 30 January 2024 and 30 June 2024.
Details of the Notice
In June 2023, the Nigeria Data Protection Act (known as NDPA) was signed into law. Section 44 of the NDPA mandates that data controllers and processors of major significance register with the Commission within six months of the Act taking effect or becoming a significant controller/processor. As a result, the NDPC issued the ‘Registration of Data Controllers and Data Processors of Major Importance’ Guidance Notice to provide guidelines around the registration process, necessary information, timeline, and non-compliance consequences. Key details from the Notice are summarized below:
Criteria for Designating Controllers and Processors of Major Significance
An organization will be considered a significant data controller/processor under the following conditions:
- If the organization is crucial to Nigeria’s economy, society or security and maintains or accesses a filing system (physical or digital) to process personal data, meeting one of the following:
- Processes over 200 individuals’ data in six months
- Provides commercial ICT services on digital devices storing others’ data
- Processes data in sectors like finance, communications, health, education, etc.
- If the organization holds a fiduciary relationship with a data subject, expected to keep sensitive information private due to potential harm from non-compliance.
Classification and Registration Fees
Major Data Processing – Ultra High Level (MDP-UHL):
- Commercial banks operating at national or regional level
- Telecommunication companies
- Insurance companies
- Multinational companies
- Electricity distribution companies
- Oil and Gas companies
- Public social media app developers and proprietors
- Public e-mail App developers and proprietors
- Communication devices manufacturers
- Payment gateway service providers
- Organisations processing personal data of over 5,000 individuals’ data in six months.
Registration is ₦250,000 as a data controller and data processor falling in this category
Major Data Processing – Extra High Level (MDP-EHL):
- Ministries, Departments and Agencies (MDAs) of government
- Micro Finance Banks
- Higher Institutions
- Hospitals providing tertiary or secondary medical services
- Mortgage Banks
- Any other organisation that processes personal data of over 1,000 data subjects within six months.
Registration is ₦100,000 for this category.
Major Data Processing – Ordinary High Level (MDP-OHL):
- Small and Medium Scale Enterprises (it must be such that have access to personal data which they may share, transfer, analyse, copy, computer or store in the course of carrying out their individual businesses)
- Primary and Secondary Schools
- Primary Health Centres
- Agents, contractors and vendors who engage with data subjects on behalf of other organisations that are in the category of MDP-UHL and MDP-EHL;
- Any other organisation that processes personal data of over 200 data subjects within six months.
Registration is ₦10,000.
Timeline and Consequences
All existing significant controllers/processors must register by 30 June 2024 via the NDPC portal. Late or non-registrants will face regulatory penalties under the Act, including fines.
What does this mean for Data Controllers and Processors?
To avoid sanctions, organizations meeting the criteria should start registration as a significant controller/processor under the appropriate tier by the deadline, guided by their Data Protection Officer. Uncertainty can be clarified through licensed Data Protection Compliance Organizations, who may also liaise with the NDPC.
Get Started with AutoComply to Stay Compliant with NPDC Obligations
One thought on “Nigeria Data Protection Commission Guidance Notice: New Rules for Data Handlers in Nigeria”