Understanding Data Controller and Processor Registration in Nigeria

In Nigeria, various organisations process the personal data of citizens for numerous reasons, both within and outside the country. Ensuring the privacy and security of data subjects is crucial, and it's essential that only legitimate entities process data for legally recognized purposes.

Legal Framework

The Nigeria Data Protection Act, 2023, empowers the Nigeria Data Protection Commission (NDPC) under section 5(d) to designate certain data controllers and processors of major importance, who must register with the Commission. The NDPC's mandate includes considering entities with significant economic, societal, or security importance when designating these data controllers and processors.

Who is a Data Controller/Data Processor in Nigeria?

As per Section 65 of the NDPC Act, a data controller or processor of major importance is defined as an entity domiciled in, resident in, or operating in Nigeria that processes or intends to process the personal data of a prescribed number of data subjects. This includes entities processing data of significant value to Nigeria's economy, society, or security.

You or your business may be a data controller or processor of major importance if:

- You maintain a filing system (analog or digital) for processing personal data.

- You process personal data of over 200 data subjects within six months.

- You provide commercial ICT services using digital devices with storage capacity.

- You operate in sectors such as finance, communication, health, education, insurance, export/import, aviation, tourism, oil and gas, or electric power.

- You are in a fiduciary relationship, expected to protect confidential information of data subjects.

Who Needs to Register?

You must register with the NDPC if:

- You manage or access a filing system for personal data processing.

- You process personal data of more than 200 individuals in six months.

- You offer commercial ICT services on digital devices owned by others.

- You process personal data in significant sectors like finance, health, education, etc., or hold a fiduciary relationship with a data subject.

Classification of Data Controllers and Processors

The NDPC categorises data controllers and processors into three levels:

1. Major Data Processing-Ultra High Level (MDP-UHL): Handles sensitive personal data and substantial cross-border data flows. Processes personal data of over 5,000 data subjects via technology or service contracts.

2. Major Data Processing-Extra High Level (MDP-EHL): Processes significant amounts of personal data but less than MDP-UHL. Processes personal data of over 1,000 data subjects via technology or service contracts.

3. Major Data Processing-Ordinary High Level (MDP-OHL): Processes lower volumes of personal data but remains subject to regulations. Processes personal data of over 200 data subjects via technology or service contracts.

Specific Types and Registration Fees

MDP-UHL: Includes national/regional commercial banks, telecom companies, insurance companies, social media app developers, communication device manufacturers, and payment gateway providers. Registration fees vary by the entity's size and scope.

MDP-EHL: Includes government ministries, departments, agencies, microfinance banks, higher education institutions, hospitals, and mortgage banks. Fees are based on entity characteristics.

MDP-OHL: Includes SMEs, primary/secondary schools, primary health centers, agents, contractors, and vendors dealing with data subjects.

Registration Deadlines

Existing data controllers and processors must register with the NDPC between January 30, 2024, and June 30, 2024. Non-compliance may result in penalties as outlined in the Data Protection Act.

Ensuring compliance with data protection regulations is crucial for businesses in Nigeria. By understanding the registration requirements and deadlines set by the NDPC, entities can protect individuals' privacy rights and maintain trust in their data management practices.

Get Help with Registration

Contact us to begin your registration with NDPC:

Email: Inquiries@386konsult.com

Phone: +234 706 970 3016, +1 438 509 7383

Website: www.386konsult.com

Follow us on social media: Facebook, LinkedIn, Twitter, Instagram