Introduction to NDPC Compliance for Data Controllers and Data Processors in Nigeria
The Nigeria Data Protection Commission [hereinafter “NDPC”] is a public institution in the federal Republic of Nigeria established for the protection of data privacy of individuals in Nigeria and the regulation of data controllers and data processors in the country. The NDPC oversees the implementation and enforcement of data protection laws in Nigeria and the NDPC plays a very important role in regulating the processing, storage and transfer of personal data by organizations operating within and outside Nigeria which processes the private data of individuals in Nigeria. The NDPC was created after the enactment of the Nigeria Data Protection Regulation [NDPR] in the year 2019.
As a mandate, the NDPC is responsible for registering Data Protection Compliance Organizations [DPCOs], investigating instances of privacy breach reports by Nigerian nationals and auditing firms that process and control private data of individuals in Nigeria.
NDPC Regulations that regulate the protection of personal Data in Nigeria
Section 44 of the Nigerian Data Protection Act mandates data controllers and processors of major importance to register with the NDPC within a period of six months from the date of commencement of the Act upon becoming a data controller or data processor of major importance. To smoothen the process and clarify public concerns about who data controllers and data processors of major importance are, the NDPC released the “Guidance Notice for Registration of Data Controllers and Data Processors of Major Importance” [hereinafter “Guidance Notice”] which stipulates compliance requirements for the categories of controllers and processors mentioned.
The Guidance Notice for Registration of Organizations of “Major Importance”
On the 14th day of February, 2024, the NDPC issued a Guidance Notice to govern the registration of data controllers and processors of major importance in Nigeria. This compliance requirement from the Guidance Notice is in accordance with section 5 of the Nigerian Data Protection Act, 2023.
NDPC Registration Process for Data Controllers and Processors under the Guidance Notice
With the NDPC empowered by its parent law the Nigerian Data Protection Act to designate data controllers and processors of major importance who are to register with the NDPC, the NDPC issued the Guidance Notice for data controllers and processors of major importance to register with the NDPC.
Which Organizations need to register with the NDPC?
Organizations that need to register with the NDPC are controllers of “major importance”. The NDPC designated those who are thus of “major importance” to register with the Commission and they are mandated to register if:
- They process the personal data or more than 200 data subjects in six months;
- They carry out commercial ICT services on digital devices with storage capacity and belongs to another individual, or;
- As an organization, processes personal data in the financial, communications, health, education, insurance, export & import, aviation, tourism, oil & gas and electric power sectors.
Distinction between Data Controllers and Processors for purposes of registration with the NDPC
Section 65 of the Nigerian Data Protection Act defines “data controller” as an individual, private entity, agency or other Body who, either alone of jointly with others, determines the purposes and means of processing personal data.
The same section further defines “data controller or data processor of major importance” as a data controller or data processor which is domiciled, resident in, or operating in Nigeria and processes or intends to process the personal data of more than such number of data subjects who are within Nigeria.
“Data Processor” is any individual, private entity or other Body that processes personal data on behalf of or at the direction of a data controller or another data processor.
Classifications of Data Controllers and Processors of Major Importance
The NDPC classifies controllers and processors into three levels of data processing:
- Major Data Processing-Ultra High Level (MVP-UHL): controllers and processors in this designation are expected to abide by the highest level of global standards of data protection given the sensitivity of data in their care, their cross-border data flows, their processing of the personal data of over 5,000 data subjects, among others.
Entities that fall into this category are:
- Commercial banks which operate at national or regional levels;
- Telecommunications companies,
- Insurance companies,
- Multinationals,
- Electricity distribution companies,
- Oil & gas companies,
- Public social media app developers,
- Communications device manufacturers
- Payment gateway service providers.
- Any entity that processes the data of over five thousand data subjects in six months.
- Major Data Processing-Extra High Level (MVP-EHL): controllers and processors in this designation are expected to abide by the highest level of global standards of data protection given the sensitivity of data in their care, their cross-border data flows, their processing of the personal data of over 1,000 data subjects, among others.
Entities that fall into this category are:
- Ministries, Departments and Agencies of Government;
- Micro Finance Banks,
- Higher Institutions,
- Hospitals that provide tertiary or secondary medical services
- Mortgage Banks.
- Any entity that processes the data of over one thousand data subjects in six months.
- Major Data Processing-Ordinary High Level (MDP-OHL): controllers and processors in this designation are expected to abide by the highest level of global standards of data protection given the sensitivity of data in their care, their cross-border data flows, their processing of the personal data of over 200 data subjects, among others.
Entities that fall into this category are:
- Small and medium scale enterprises,
- Primary and secondary schools,
- Primary Health Centres
- Agents, contractors and vendors who engage with data subjects on behalf of other organizations who are in the two higher-scale categories aforementioned.
- Any entity that processes the data of over two hundred data subjects in six months.
Any existing data controller or data processor of major importance that falls into either of the three aforementioned categories, are expected to register with the NDPC as a compliance requirement between the 30th of January, 2024 and the 30th of June, 2024.
Documents and Information Required of Data Controllers and Data Processors for Registration with the NDPC
The first step towards compliance with the Guidance Notice issued by the NDPC is to provide all the necessary information required of your organization as a data controller or data processor. The documents required include the following:
- Your company’s data protection policy
- Data Impact Assessment Procedure and Workbook
- Your company’s Privacy Policy
- Data Subject Consent Form
- Internal breach Register
- Audit Schedule
- Retention Schedule
- Your company’s Data breach Notification Schedule
- Document which stipulates your company’s management of sub-contract processing
- Data subject access request procedure and form
- Subject access request record
The information you are required to provide includes the following:
- Information about your company’s training of its staff and the awareness of said staff on data protection requirements and process.
- Category of personal data processed by the organization and how the organization stores this data.
- How the organization determines the relevance and adequacy of the personal data obtained for each processing purpose
- Contingency plans developed to handle data losses, breaches, destruction and damage of data and the security measures the organization established to mitigate against these occurrences
- How you determine lawful basis for processing individuals’ personal data.
Penalties against Data Controllers and Processors for failure to Register with the NDPC
Where an individual, entity or organization that falls into any of the categories of data controllers and processors that should comply with registration fail to register within the required window, they will be deemed to be in default of the NDPA 2023 and are therefore subject to whatever monetary penalties that the NDPC mandates them to pay for their default to comply with registration requirements.
Benefits of Compliance with the NDPC Guidance Notice to Data Controllers and Processors
It should be noted that registration and compliance does not directly offer benefits, but there are indirect benefits an organization that complies with the Guidance Notice will enjoy and these include:
- No risk of penalties: upon compliance, an organization of importance avoids having to pay the prescribed penalties for non-compliance with the Guidance Notice.
- Improved Data Security: When an organization go through the audit process of providing all the comprehensive documentation and information required of them prior to registration with the NDPC, this should help them review their data security practices in order to make compliance easier for them.
Conclusion
Like other countries around the world, the government of the Federal Republic of Nigeria is laying more emphasis on individual data security and has thus developed national policy frameworks for its protection. Organizations that fall into the purview of the data protection frameworks are expected and required to be audited and registered with the NDPC.
Kindly note that this Article is provided for information purposes only and for general guidance on the subject matter. It does not constitute legal advice.
If you are a Nigerian entity or foreign entity that operates in Nigeria and falls in within the category of data controllers and data processors that must comply with the NDPC Guidance Notice, we invite you to reach out to us at contact@kabbizlegal.com so we can assist. You can also call us on +2348064231176 or alternatively click the link here to chat us on WhatsApp. We respond to all business enquiries within twenty-four hours.
This Article was written by the Corporate Governance and Regulatory Compliance Practice at Kabbiz Legal & Advisory.
About the Author
