The Nigeria Data Protection Commission (NDPC) recently issued a Guidance Notice outlining who needs to register as a data controller or processor of major importance. This article will help you understand if your business falls under this category and the steps involved in registering with the NDPC.
What’s the Nigeria Data Protection Act (NDPA)?
Enacted in 2023, the NDPA establishes data protection regulations in Nigeria. It outlines how personal data should be handled, the rights that accrue to individuals regarding the processing of their data, and the responsibilities of organizations that process personal data.
Who Needs to Register?
The NDPC classifies data controllers and processors into three categories based on the volume and sensitivity of data they handle, their role in the economy, and potential risks associated with their data processing activities. Here’s a simplified breakdown:
Major Data Processing (MDP): Organizations handling more than 200 data over a month are considered Data Controllers or Processors of major importance or carry out commercial Information Communication Technology (ICT) services on any digital device that has storage capacity and belongs to another individual. Similarly, an organization or a service provider in any one of the following sectors: i. Financial ii. Communication iii. Health iv. Education v. Insurance vi. Export and Import vii. Aviation viii. Tourism ix. Oil and Gas x. Electric Power which processes personal data is all needed to register as MDP. The NDPC further divides MDP into three subcategories based on factors like data volume, processing methods, and potential risks:
• Major Data Processing-Ultra High Level (MDP-UHL): This category includes entities like commercial banks, telecom companies, and social media platforms. The registration fee is N250,000.
• Major Data Processing-Extra High Level (MDP-EHL): This category includes government agencies, higher education institutions, and hospitals. The registration fee is N100,000.
• Major Data Processing-Ordinary High Level (MDP-OHL): This category includes small and medium businesses, primary and secondary schools, and agents handling personal data. The registration fee is N10,000.
Why Register?
Registering signifies to your customers, partners, and regulators your commitment to data protection best practices. It shows that you take data privacy seriously and are proactively implementing measures to safeguard personal information. This can enhance trust and brand reputation in an increasingly privacy-conscious world.
Important Deadlines:
Existing data controllers and processors of major importance have a window to register between January 30th and June 30th, 2024. It is important to check the NDPC website or social media platform for any updates on deadlines.
What Happens if You Don’t Register?
The NDPC has the authority to investigate non-compliant organizations. Where the Commission is satisfied that a data controller or data processor has violated or is likely to violate any of the requirements of the Act, the Commission may make an appropriate compliance order against such data controller or data processor.
Similarly, non-compliance with the orders of the Commission made under the Act amounts to an offense punishable with a fine or imprisonment not more than a year upon conviction.
Conclusion:
Understanding your obligations under the NDPA is essential for businesses operating in Nigeria. By reviewing the NDPC’s Guidance Notice and consulting with legal professionals if needed, you can determine your registration status and ensure compliance with data protection regulations. Data protection regulations are constantly evolving. We recommend subscribing to updates from the NDPC to stay informed about any changes. By following these guidelines and staying updated, you can ensure your business operates in compliance with the NDPA and protects the privacy of your customers.