Regulatory Update: Guidance Notice On Registering Data Controllers And Processors Of Major Importance – Data Protection

INTRODUCTION

On the 14th of February, in accordance with its mandate to
ensure the genuine processing of personal data by legitimate
persons or organizations, the Nigeria Data Protection Commission
(the “Commission”) issued a guidance notice on
Registering Data Controllers and Processors of Major Importance
(the “Notice”). The Nigeria Data Protection Act (the
“Act”), specifically in section 5 (c), stipulates that
one of the functions of the Commission shall be to register data
controllers and data processors of major importance. To carry out
this function, the Commission has issued this Notice to clearly
define the scope of the organizations that may be classified as
data controllers and data processors of major importance and
communicate the registration requirements for the relevant
controllers and processors.

In this newsletter, we provide an overview of the Notice and its
implications for data controllers and processors of major
importance.

Who are Data Controllers and Data Processors of Major
Importance?

According to the interpretation section of the Act (Section 65),
a data controller or data processor of major importance
is defined as an entity that is domiciled, resident in, or
operating in Nigeria and processes or intends to process personal
data of more than such number of data subjects who are within
Nigeria, as the Commission may prescribe.

Additionally, this definition includes any other class of data
controller or data processor that is processing personal data of
particular value or significance to the economy, society, or
security of Nigeria as designated by the Commission. From the
foregoing, it is safe to say that it is the volume and value of the
data in question that determine the categorization of a data
controller or data processor as one of major importance.

Based on this definition, the Commission has now established
criteria to identify organizations that qualify as data controllers
or processors of major importance. In line with the Notice,
organizations that are designated as data controllers or processors
of major importance include the ones that:

1. keep or have access to a filing system (analog or digital) for
processing personal data;

2. process personal data of more than 200 data subjects within a
six-month period;

3. carry out commercial Information Communication
Technology (ICT) services on digital devices belonging to others;
and

4. operate in sectors critical to Nigeria’s economy, society,
or security, including financial, communication, health, education,
insurance, and others listed in the Notice.

Moreover, entities under a fiduciary relationship with data
subjects, obligated to keep confidential information on their
behalf, are also regarded as data controllers or processors of
major importance.

Classification of Data Controllers and Data Processors of Major
Importance

The Commission has established a classification system to
categorize data controllers and data processors of major importance
based on the scale and significance of their data processing
activities. This classification aims to provide clarity on the
obligations and standards applicable to different organizations
within this category.

The Commission’s classification system includes three levels
or categories:

1. Major Data Processing-Ultra High Level (MDP-UHL):
Organizations falling under this category are
expected to adhere to global and highest attainable standards of
data protection. Criteria for classification include factors such
as: (i) the sensitivity of personal data, reliance on third-party
servers or cloud computing services; (ii) involvement in
cross-border data flows;
(iii) processing the personal data of over 5,000 data subjects
through technology under its control or through a service contract;
(iv) legal competence to generate revenue on a commercial scale;
and (v) the need for international standard certifications.

Entities falling under this category, such as commercial banks,
telecommunication companies, insurance companies, multinational
corporations, and others listed in the Notice, are required to
register as an MDP-UHL. Additionally, in any case, organizations
that process personal data of over 5,000 data subjects within six
months fall under this category.

2. Major Data Processing-Extra High Level (MDP-EHL):
Organizations categorized under this level are
required to abide by global best practices of data protection.
Criteria for classification include factors such as: (i) the
sensitivity of personal data; (ii) reliance on third-party servers
or cloud computing services; (iii) involvement in cross-border data
flows; (iv) processing the personal data of over 1,000 data
subjects through technology under their control or through a
service contract; (v) legal competence to generate revenue on a
commercial scale; and (vi) the need for reputable and standardized
certifications.

This category includes entities like ministries, departments,
and agencies (MDAs) of government, microfinance banks, higher
institutions, hospitals providing tertiary or secondary medical
services, and mortgage banks. These organizations are required to
register under the MDP-EHL category. Organizations processing
personal data of over 1,000 data subjects within six months also
fall under this category.

3. Major Data Processing-Ordinary High Level (MDP-OHL):
Organizations falling under this category are
also expected to adhere to global best practices of data
protection. Criteria for classification include factors such as:
(i) the sensitivity of data assets; (ii) inherent vulnerability of
data subjects; (iii) high risk to the privacy of data subjects if
personal data are processed in a systematic or automated manner;
(iv) processing the personal data of over 200 data subjects through
technology under their control or through a service contract; (v)
the need for adequate technical and organizational measures for
data protection; and (vi) the need for reputable and standardized
certifications.

Entities classified under MDP-OHL, such as small and
medium-scale enterprises, primary and secondary schools, primary
health centers, agents, contractors, and vendors engaging with data
subjects on behalf of other organizations, are required to register
with the Commission as such. Similarly, organizations processing
personal data of over 200 data subjects within six months are
included in this category.

By classifying data controllers and processors of major
importance into these levels, the Commission aims to ensure that
appropriate regulatory requirements and standards are applied,
taking into account the varying levels of risk and impact
associated with different organizations’ data processing
activities.

Conclusion

It is important to note that existing data controllers and data
processors of major importance are mandated to register as such
with the Commission between January 30, 2024, and June 30, 2024.
Failure to register within this timeframe or registering after the
due date will be deemed a default under the Act, subjecting the
defaulting organization to penalties as stipulated in the Act.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
