Nigeria: Regulatory Update: Guidance Notice On Registering Data Controllers And Processors Of Major Importance

INTRODUCTION

On the 14th of February, in accordance with its mandate to ensure the genuine processing of personal data by legitimate persons or organizations, the Nigeria Data Protection Commission (the "Commission") issued a guidance notice on Registering Data Controllers and Processors of Major Importance (the "Notice"). The Nigeria Data Protection Act (the "Act"), specifically in section 5 (c), stipulates that one of the functions of the Commission shall be to register data controllers and data processors of major importance. To carry out this function, the Commission has issued this Notice to clearly define the scope of the organizations that may be classified as data controllers and data processors of major importance and communicate the registration requirements for the relevant controllers and processors.

In this newsletter, we provide an overview of the Notice and its implications for data controllers and processors of major importance.

Who are Data Controllers and Data Processors of Major Importance?

According to the interpretation section of the Act – Section 65, a data controller or data processor of major importance is defined as an entity that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe.

Additionally, this definition includes any other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as designated by the Commission. From the foregoing, it is safe to say that it is the volume and value of the data in question that determines the categorization of a data controllers and data processors as one of major importance.

Based on this definition, the Commission has now established criteria to identify organizations that qualify as data controllers or processors of major importance. In line with the notice, organizations that are designated as data controllers or processors of major importance include the ones that:

1.keep or have access to a filing system (analog or digital) for processing personal data;

2.process personal data of more than 200 data subjects within a six-month period; 3.carry out commercial Information Communication Technology (ICT) services on digital devices belonging to others; and

4.operate in sectors critical to Nigeria's economy, society, or security, including financial, communication, health, education, insurance, and others listed in the Notice.

Moreover, entities under a fiduciary relationship with data subjects, obligated to keep confidential information on their behalf, are also regarded as data controllers or processors of major importance.

Classification of Data Controllers and Data Processors of Major Importance

The Commission has established a classification system to categorize data controllers and data processors of major importance based on the scale and significance of their data processing activities. This classification aims to provide clarity on the obligations and standards applicable to different organizations within this category.

The Commission's classification system includes three levels or categories:

1.Major Data Processing-Ultra High Level (MDP-UHL): Organizations falling under this category are expected to adhere to global and highest attainable standards of data protection. Criteria for classification include factors such as: (i) the sensitivity

of personal data, reliance on third-party servers or cloud computing services; (ii) involvement in cross-border data flows; (iii) processing the personal data of over 5,000 data subjects through technology under its control or through a service contract; (iv) legal competence to generate revenue on a commercial scale; and (v) the need for international standard certifications.

Entities falling under this category, such as commercial banks, telecommunication companies, insurance companies, multinational corporations, and others listed in the Notice, are required to register as an MDP-UHL. Additionally, in any case, organizations that process personal data of over 5,000 data subjects within six months fall under this category.

2. Major Data Processing-Extra High Level (MDP-EHL): Organizations categorized under this level are required to abide by global best practices of data protection. Criteria for classification include factors such as: (i) the sensitivity of personal data; (ii) reliance on third-party servers or cloud computing services; (iii) involvement in cross-border data flows; (iv) processing the personal data of over 1,000 data subjects through technology under their control or through a service contract; (v) legal competence to generate revenue on a commercial scale; and (vi) the need for reputable and standardized certifications.

This category includes entities like ministries, departments, and agencies (MDAs) of government, microfinance banks, higher institutions, hospitals providing tertiary or secondary medical services, and mortgage banks. These organizations are required to register under the MDA-EHL category. Organizations processing personal data of over 1,000 data subjects within six months also fall under this category.

3.Major Data Processing-Ordinary High Level (MDP-OHL): Organizations falling under this category are also expected to adhere to global best practices of data protection. Criteria for classification include factors such as: (i) the sensitivity of data assets; (ii) inherent vulnerability of data subjects; (iii) high risk to the privacy of data subjects if personal data are processed in a systematic or automated manner; (iv) processing the personal data of over 200 data subjects through technology under their control or through a service contract; (v) the need for adequate technical and organizational measures for data protection; and (vi) the need for reputable and standardized certifications.

Entities classified under MDP-OHL, such as small and medium-scale enterprises, primary and secondary schools, primary health centers, agents, contractors, and vendors engaging with data subjects on behalf of other organizations, are required to register with the Commission as such. Similarly, organizations processing personal data of over 200 data subjects within six months are included in this category.

By classifying data controllers and processors of major importance into these levels, the Commission aims to ensure that appropriate regulatory requirements and standards are applied, taking into account the varying levels of risk and impact associated with different organizations' data processing activities.

Conclusion

It is important to note that existing data controllers and data processors of major importance are mandated to register as such with the Commission between January 30, 2024, and June 30, 2024. Failure to register within this timeframe or registering after the due date will be deemed a default under the Act, subjecting the defaulting organization to penalties as stipulated in the Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.