The Nigeria Data Protection Commission has issued a Guidance Notice detailing the categories of companies mandated to register with the Commission as data controllers and processors in the country.
Relying on sections 5(d), 44, and 65 of the NDPA, the Commission said organizations that are of “particular value or significance to the economy, society or security of Nigeria” are designated by the Commission as data controllers and processors of major importance.
According to the Guidance Notice dated 14th of February and signed by the Commission’s Head of Legal Enforcement and Regulations, Babatunde Bamigboye, Esq.:
- “A data controller or data processor shall be deemed to have particular value or significance to the economy, society or security of Nigeria and hence designated to be of major importance if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data”.
In addition, the Commission, in a statement signed by Bamigboye, identified specific types of data processing, such as those involving sensitive personal data, cloud computing, transborder data transfers, processing the personal data of over 200 data subjects, and access to the data storage platform of third parties in commercial transactions, as necessary factors in determining which organizations are data controllers or processors of major importance.
Organisations and payable fees
To foster ease of doing business, particularly for small organizations involved in potentially high-risk data processing, the Commission said it varies the payable fees according to the level of Major Data Processing (MDP) involved. Major Data Processing (MDP) is classified into 3 levels, namely: Ultra High Level (UHL), Extra High Level (EHL) and Ordinary High Level (OHL) of Major Data Processing. The fees payable are N250,000, N100,000 and N10,000 respectively.
NDPC said organizations in the MDP-UHL categories include but are not limited to the following:
- Commercial banks operating at the national or regional level
- Merchant Banks
- Telecommunication companies
- Insurance companies
- Multinational companies
- Payment gateway service providers
Similarly, the following organizations, among others, fall within the MDP-EHL category:
- Ministries, Departments and Agencies of government
- Microfinance banks
- Higher Institutions
- Hospitals providing tertiary or secondary medical services
- Mortgage banks
At the MDP-EHL category are organizations such as:
- Small and Medium Scale Enterprises (these must be enterprises that have access to personal data which they may share, transfer, analyze, copy, compute or store in the course of carrying out their individual businesses)
- Primary and Secondary Schools
- Primary Health Centres
- Agents, contractors and vendors who engage with data-subjects on behalf of other organizations.
What the NDPC Commissioner said
The NDPC’s National Commissioner and CEO, Dr Vincent Olatunji, urged data controllers to eschew activities that may put citizens at risk, especially when millions of Nigerians are sharing their personal data, such as bank details, pictures, health and academic records, online.
- “The risks are getting higher even as the opportunities are also increasing, we are reminded of the warning by those in the frontiers of the 4th Industrial Revolution that we have a price to pay for liberty. The price is eternal vigilance. It is therefore important to properly and functionally identify the persons and the data processing to which we must direct the torch of vigilance. Registration is one in a continuum of measures we are taking in this regard. It is, however, the entry point of accountability going forward,” Olatunji was quoted in the statement.