The Nigeria Data Protection Commission (NDPC) has listed organisations identified as data controllers and processors of major importance in the country and stipulated registration requirements.
The organisations are listed in a guidance notice dated February 14, 2024, and signed by Babatunde Bamigboye, the Commission’s head of legal enforcement and regulations.
The notice provides clarification on Data Controllers and Processors of Major Importance and the categories of organisations that are required to register with the commission in line with the Nigeria Data Protection Act (NDPA) 2023.
“Relying on sections 5(d), 44 and 65 of the NDPA, organizations that are of particular value or significance to the economy, society or security of Nigeria are designated by the Commission as data controllers and processors of major importance,” the notice reads.
“A data controller or data processor shall be deemed to have particular value or significance to the economy, society or security of Nigeria and hence designated to be of major importance if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data.”
NDPC identified specific data processing to include those involving sensitive personal data, cloud computing, and transborder data transfers.
The commission said processing the personal data of over 200 data subjects and access to data storage platforms of third parties in commercial transactions are necessary factors in considering organisations that are data controllers or processors of major importance.
“In order to foster ease of doing business, particularly for small organizations involved in potentially high-risk data processing, the Commission varies the payable fees according to the level of Major Data Processing (MDP) involved. Major Data Processing (MDP) is classified into 3 levels, namely: Ultra High Level (UHL), Extra High Level (EHL) and Ordinary High Level (OHL) of Major Data Processing,” NDPC added.
“The fees payable are N250,000, N100,000 and N10,000 respectively. Organisations in the MDP-UHL categories include but are not limited to the following are:
“Commercial banks operating at national or regional level, Merchant Banks; Telecommunication companies, iv. Insurance companies, Multinational companies, and Payment gateway service providers.
“Similarly, the following organizations, among others are organisations within MDP-EHL category: i. ministries, departments and agencies of government, ii. micro finance Banks, iii. higher institutions, iv. hospitals providing tertiary or secondary medical services, and v. Mortgage banks.
“Lastly, at the MDP-EHL category we have organisations such as: i. small and medium scale enterprises (it must be such that have access to personal data which they may share, transfer, analyse, copy, compute or store in the course of carrying out their individual businesses); primary and secondary schools; primary health centres, agents, contractors and vendors who engage with data-subjects on behalf of other organisations.
The breakdown of the categories is published in a notice posted on the commission’s website.
‘DON’T PUT CITIZENS AT RISK’
Commenting on the notice in the statement, Vincent Olatunji, NDPC’s national commissioner and chief executive officer (CEO), urged data controllers to abstain from activities that may put citizens at risk.
This, he said, is important especially when millions of Nigerians are sharing their data such as bank details, pictures, health, and academic records online.
“The risks are getting higher even as the opportunities are also increasing, we are reminded of the warning by those in the frontiers of the fourth Industrial Revolution that we have a price to pay for liberty,” Olatunji said.
“The price is eternal vigilance. It is therefore important to properly and functionally identify the persons and the data processing to which we must direct the torch of vigilance.”
He also said registration is one “in a continuum of measures we are taking in this regard”, adding that it is the entry point of accountability going forward.
