The Nigeria Data Protection Commission (NDPC) has released a Guidance Notice (NDPC/HQ/GN/VOL.02/24) aimed at providing clarity on the registration requirements for data controllers and processors deemed of major importance under the Nigeria Data Protection Act (NDPA) 2023.

The NDPC’s Head Legal, Enforcement and Regulations, Babatunde Bamigboye, revealed this in an official statement.

As per sections 5(d), 44, and 65 of the NDPA, organisations considered to be of “particular value or significance to the economy, society, or security of Nigeria” fall under the designation of data controllers and processors of major importance.

As outlined in the Guidance Notice, organizations qualify for this designation if they maintain or have access to a filing system (whether analog or digital) for the processing of personal data.

Additionally, specific data processing activities, including those involving sensitive personal data, cloud computing, transborder data transfers, processing the personal data of over 200 data subjects, and access to data storage platforms of third parties in commercial transactions, are key factors considered in determining major importance.

To streamline the registration process, particularly for small organizations engaged in potentially high-risk data processing, the Commission has introduced a tiered fee structure based on the level of Major Data Processing (MDP) involved.

MDP is categorised into three levels: Ultra High Level (UHL), Extra High Level (EHL), and Ordinary High Level (OHL) of Major Data Processing. The corresponding fees are N250,000, N100,000, and N10,000, respectively.


This Guidance Notice aims to facilitate compliance with data protection regulations while ensuring a fair and accessible registration process for organizations of varying sizes and capacities.

Organisations in the MDP-UHL category include but are not limited to the following:

  1. Commercial banks operating at national or regional level
  2. Merchant Banks
  3. Telecommunication companies
  4. Insurance companies
  5. Multinational companies
  6. Payment gateway service providers

Similarly, the following organisations are within the MDP-EHL category:

  1. Ministries, Departments and Agencies of government
  2. Micro finance Banks
  3. Higher Institutions
  4. Hospitals providing tertiary or secondary medical services
  5. Mortgage banks

Lastly, at the MDP-OHL level are organisations such as:

  1. Small and Medium Scale Enterprises (those that have access to personal data which they may share, transfer, analyze, copy, compute or store in the course of carrying out their individual businesses)
  2. Primary and Secondary Schools
  3. Primary Health Centres
  4. Agents, contractors and vendors who engage with data-subjects on behalf of other organizations.

The breakdown of the categories is contained in the Guidance Notice posted on the commission’s website: www.ndpc.gov.ng.

The NDPC’s National Commissioner and CEO, Dr Vincent Olatunji, urged data controllers to eschew activities that may put citizens at risk, especially when millions of Nigerians are sharing their personal data such as bank details, pictures, health and academic records online.

“The risks are getting higher even as the opportunities are also increasing, we are reminded of the warning by those in the frontiers of the 4th Industrial Revolution that we have a price to pay for liberty. The price is eternal vigilance. It is therefore important to properly and functionally identify the persons and the data processing to which we must direct the torch of vigilance. Registration is one in a continuum of measures we are taking in this regard. It is, however, the entry point of accountability going forward,” said Olatunji.
