On February 14, 2024, Nigeria’s Data Protection Commission (DPC) published guidance on how data controllers and data processors of major importance must register with the authority, in line with the provisions of the Nigeria Data Protection Act (NDPA), Nigeria’s data privacy regulation, which was signed into law and became effective on June 12, 2023.
The guidance clarifies Section 65 of the NDPA: it expands the definition of a data controller or data processor of major importance by offering additional criteria for what is considered to be one. The text of the law defines such an entity as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.
Key points from the guidance include the following:
- The purpose and importance of registration: the aim of the guidance is to ensure that the personal data of Nigerian citizens is processed only by legitimate entities and for lawful reasons. As such, it categorizes data controllers and processors based on their impact on Nigeria's economy, society, or security.
- The criteria for designation: any entity processing the data of more than 200 individuals within six months or operating in key sectors like finance, health, or education, among others, has to register as a data controller or processor of major importance.
- The levels of importance of data processing: The DPC classifies entities into three categories based on the sensitivity of the personal data, the volume of personal data processed, reliance on any third-party services, cross-border data flows, and legal and financial capacities, as follows:
  - Major Data Processing-Ultra High Level (MDP-UHL): "a category of data controllers and data processors of major importance who are, among other obligations, generally expected to ABIDE BY GLOBAL AND HIGHEST ATTAINABLE STANDARDS of data protection."
  - Major Data Processing-Extra High Level (MDP-EHL): "a category of data controllers and data processors of major importance who are, among other obligations, generally expected to abide by global best practices of data protection."
  - Major Data Processing-Ordinary High Level (MDP-OHL): "a category of data controllers and data processors of major importance who are, among other obligations, generally expected to abide by global best practices of data protection." These differ from the EHL in that they have to take into account fewer factors and only process the personal data of over 200 data subjects, not 1000 as for the EHL.
- Fees for each category: The fees data controllers and data processors have to pay will vary based on their classification level. Some specifics are provided for different organization types including banks, telecom companies, and educational institutions.
  - MDP-UHL entities pay ₦250,000 (approx. $157);
  - MDP-EHL entities pay ₦100,000 (approx. $63);
  - MDP-OHL entities pay ₦10,000 (approx. $6.3).
- Registration deadline: Entities are required to register between January 30, 2024, and June 30, 2024. Failure to register within this period is considered a violation of the NDPA and can result in penalties of up to the higher maximum amount, meaning ₦10,000,000 (approx. $6,200) or two percent of the entity's annual gross revenue derived from Nigeria in the preceding financial year, whichever is greater.