Nigeria Data Protection Commission Issues Guidance Notice On Registration Of Data Controllers And Processors Of Major Importance: Highlights – Data Protection



A. INTRODUCTION

The Nigeria Data Protection Commission (NDPC or “the Commission”)
on February 14, 2024 issued the Guidance Notice (Notice) for the
Registration of Data Controllers and Data Processors of Major
Importance (DCMI and DPMI) pursuant to Sections 5d, 6(c), 44, 45
and 65 of the Nigeria Data Protection Act 2023 (NDPA).

This Guidance Notice serves to provide clarity on the
designation of DCMI and DPMI, and their subsequent registration.
The Notice outlines the criteria for the designation of businesses,
entities and organizations as DCMI and DPMI, and registration with
the NDPC. In this Alert, we summarize the key points from the
Notice.

B. DESIGNATION CRITERIA AS DCMI AND DPMI

Section 65 of the NDPA defines a DCMI and DPMI as a data
controller or data processor that is domiciled, resident in, or
operating in Nigeria and processes or intends to process personal
data of more than such number of data subjects who are within
Nigeria, as the Commission may prescribe, or such other class of
data controller or data processor that is processing personal data
of particular value or significance to the economy, society or
security of Nigeria as the Commission may designate.

By Paragraph 1(1) of the Notice, data controllers or processors
are deemed to have “particular value or significance to the
economy, society or security of Nigeria” and are designated as
DCMI and DPMI if they maintain a filing system (analog or digital)
for processing personal data, AND:

  • Process the personal data of more than 200 individuals within
    six months, OR

  • Provide commercial Information and Communication Technology
    (ICT) services on digital devices with storage capacity belonging
    to others, OR

  • Process personal data as an organization or service provider in
    any of these sectors: finance, communication, health, education,
    insurance, import/export, aviation, tourism, oil and gas, or
    electric power

Based on this provision, to be designated a DCMI or DPMI, an
entity must maintain a filing system and, in addition, meet at
least one (1) of the other three (3) criteria.

By virtue of Article 2(2) of the Notice, data controllers and
data processors that have a fiduciary relationship with a data
subject, and by virtue of that relationship are expected to keep
information confidential on behalf of the data subject, are also
deemed to be DCMI and DPMI, because of the potential for
significant harm if they were not subject to the obligations of a
DCMI or DPMI.

In the case of GTB Plc v. Imananagha [1] the Court of Appeal
examined the borders of “fiduciary relationship” and held as
follows:

“Fiduciary or confidential relation is a very broad term
embracing both technical fiduciary relation and the informal
relation which exists wherever one man trusts in or relies upon
another. It is a relation founded on trust or confidence reposed by
one person in the integrity and fidelity of another. A fiduciary
relationship arises whenever confidence is reposed on one side and
domination and influence result on the other.”

C. CLASSIFICATION OF DCMIS AND DPMIS

The NDPC classifies DCMI and DPMI into three tiers for the
purposes of registration with the NDPC, as follows: Major Data
Processing – Ultra High Level (MDP-UHL), Major Data
Processing – Extra High Level (MDP-EHL), and Major Data
Processing – Ordinary High Level (MDP-OHL).

1. Major Data Processing – Ultra High Level (MDP-UHL)

Classification under this tier is established by the provisions
of Paragraphs 2(2) and 3(1)(a-b) of the Notice. By the provisions
of Article 3(1)(a-b) of the Notice, the following entities are
expressly classified as DCMI and DPMI under the MDP-UHL tier
without any further qualification, for the purposes of
ascertaining the applicable registration fee payable to the NDPC
and the applicable standards:

Commercial banks operating at national or regional level,
telecommunication companies, Insurance companies, Multinational
companies, Electricity distribution companies, Oil and Gas
companies, Public social media app developers and proprietors,
Public e-mail App developers and proprietors, Communication devices
manufacturers, Payment gateway service providers, and other
organizations that process the personal data of over 5,000
individuals in 6 months.

DCMI and DPMI that will be classified in this tier by virtue of
Paragraph 2(2) of the Notice are those that are generally required
to ABIDE BY GLOBAL AND HIGHEST ATTAINABLE STANDARDS of data
protection taking into account at least five (5) of the following
factors for the purpose of categorization:

  1. The sensitivity of personal data in their care;

  2. Data driven financial assets entrusted in their care by data
    subjects;

  3. Reliance on third party servers or cloud computing services for
    the purpose of substantial processing of personal data;

  4. Substantial involvement in cross-border data flows;

  5. Processing the personal data of over 5,000 (Five-Thousand) data
    subjects through the means of technology under its technical
    control or through a service contract;

  6. Legal competence to generate revenue on a commercial
    scale;

  7. The need for international standard certifications for people,
    processes and technologies involved in data confidentiality,
    integrity and availability; and

  8. The need for accountability.

The Notice does not explain what constitutes global and highest
attainable standards of data protection. However, some examples of
such standards drawn from international frameworks include the
General Data Protection Regulation (GDPR) 2018, the Payment Card
Industry Data Security Standard (PCI DSS), the various
International Organization for Standardization (ISO) standards,
Cloud Security Alliance standards, and National Institute of
Standards and Technology (NIST) standards.

The implication of classification under this category is that
such entities are bound to the highest applicable standards of data
protection above others, and in the event of a breach of any data
privacy and protection obligation, would likely be subject to
higher punitive consequences than those in lower categories.

2. Major Data Processing – Extra High Level (MDP-EHL)

The following entities, by virtue of the provisions of Paragraph
3(1)(c-d) of the Notice, are expressly classified as DCMI and DPMI
under the MDP-EHL tier without any further qualification, for the
purposes of ascertaining the applicable registration fee payable
to the NDPC:

Ministries, Departments and Agencies (MDAs) of government, Micro
Finance Banks, Higher Institutions, Hospitals providing tertiary or
secondary medical services, Mortgage Banks; and organizations that
process personal data of over 1,000 (One thousand) data subjects
within 6 (six) months.

The DCMI and DPMI categorized in this tier by virtue of
Paragraph 2(3) of the Notice, are those that are generally required
to abide by global best practices of data protection taking into
account any five (5) of the following factors for the purpose of
categorization:

  1. The sensitivity of personal data in their care;

  2. Data driven financial assets entrusted in their care by data
    subjects;

  3. Functions as an establishment of government;

  4. Reliance on third-party servers or cloud computing services for
    the purpose of substantial processing of personal data;

  5. Substantial involvement in cross-border data flows;

  6. Processing the personal data of over 1,000 (One-Thousand) data
    subjects through the means of technology under their technical
    control or through a service contract;

  7. Legal competence to generate revenue on a commercial
    scale;

  8. The need for reputable and standardized certifications for
    people, process and technologies involved in data confidentiality,
    integrity and availability; and

  9. The need for accountability.

While the Notice does not define “global best practices of
data protection” under this tier, as distinguished from
“global and highest attainable standards of data
protection” under Paragraph 2(2) of the Notice, some global
best practices of data protection include privacy by design and
by default, adequate data security measures, privacy policies that
comply with applicable privacy laws and regulations, respect for
data subject rights and the means to exercise them, adequate
international data transfer mechanisms, and adherence to industry
standards.

3. Major Data Processing – Ordinary High Level (MDP-OHL)

The classification of DCMI and DPMI under this category is
ascertained by the provisions of Paragraphs 2(4) and 3(e-f) of the
Notice. By Paragraph 3 (e-f) of the Notice, they are as
follows:

Small and Medium Scale Enterprises (it must be such that have
access to personal data which they may share, transfer, analyse,
copy, compute or store in the course of carrying out their
individual businesses); Primary and Secondary Schools; Primary
Health Centres; and Agents, contractors and vendors who engage with
data subjects on behalf of other organisations that are in the
category of MDP-UHL and MDP-EHL; and organisations that process
personal data of over 200 (two hundred) data subjects within 6
(six) months.

The provisions of Paragraph 2(4) of the Notice state that DCMI
and DPMI under this category are those that are generally expected
to abide by global best practices of data protection taking into
account at least four (4) of the following factors for the purposes
of categorization:

  1. The sensitivity of data assets in their care;

  2. Inherent vulnerability of data subjects they typically engage
    with;

  3. High risk to the privacy of data subjects if such personal data
    are processed by the data controller or data processor in a
    systematic or automated manner;

  4. Processing the personal data of over 200 (two hundred) data
    subjects through the means of technology under their technical
    control or through a service contract;

  5. The need for adequate technical and organisational measures for
    data protection;

  6. The need for reputable and standardised certifications for
    people, processes and technologies involved in data
    confidentiality, integrity and availability; and

  7. The need for accountability.

DCMI and DPMI under this head are required to abide by global
best practices of data protection, which is the same standard as
that applied under MDP-EHL; for DCMI and DPMI not expressly listed
in the Notice, the factors for consideration are what
differentiate the two tiers.

D. ADDITIONAL FACTORS TO CONSIDER

Where a data controller or data processor meets the criteria for
classification as a DCMI or DPMI, it shall further be assessed to
determine to which of the three categories it belongs. Where a
DCMI or DPMI has not been expressly listed in the Notice as a
member of any category, the number of data subjects whose data it
has processed within 6 months shall be taken into consideration,
alongside the level of data protection practice it is expected to
abide by in view of factors such as the sensitive nature of the
personal data it processes, the personal data it transfers outside
Nigeria, and the risks and vulnerability of its data subjects,
among others. It should be noted that, for the purposes of the
tiered classification of DCMI and DPMI, the nature of the personal
data processed and the potential risks to data subjects shall
always be key in determining which tier a DCMI or DPMI belongs to.

E. REGISTRATION AND CONSEQUENCES FOR NON-COMPLIANCE

Existing data controllers and data processors are required by
Paragraph 3(2) of the Notice to register between 30th January, 2024
and 30th June, 2024. Paragraph 3(3) of the Notice provides that
late registration or failure to register after the due date incurs
penalties for defaulters as stipulated in the Act.

Section 48(1)(a) of the Nigeria Data Protection Act (2023)
provides that the Commission, upon completing an investigation
initiated on its own accord after a reasonable belief of a
violation of the Act, and if satisfied that a data controller or
data processor has violated any provision of the NDPA or
subsidiary legislation made under the Act, may make any
appropriate enforcement order or impose a sanction on the data
controller or data processor. Section 48(2)(d) of the NDPA provides
that an enforcement order includes a penalty or remedial fee. In
the case of a DCMI or DPMI, a penalty or remedial fee under
subsection (2)(d) may be an amount up to the greater of
N10,000,000 and 2% of its annual gross revenue in the preceding
financial year. [2]

F. CONCLUSION

The Notice provides a much-needed guide following the
uncertainty that trailed the provision for DCMI and DPMI in the
NDPA 2023. It is noteworthy that overlaps are likely in the
determination of the category of a DCMI or DPMI that is not
expressly mentioned in Paragraph 3 of the Notice, and in that
case it is important to consult privacy professionals for expert
guidance.

Footnotes

1. (2022) LPELR-56906(CA) Pp 55 – 56 Paras E – B.

2. Sections 48(3)(a) and 48(4) of the NDPA 2023.
