This guide highlights key aspects of the Nigeria Data Protection Commission's (NDPC) Guidance Notice, the categorization of data controllers and processors, and critical deadlines and compliance requirements.
Following its February publication, titled “Highlights of the NDPC Notice on the Registration of Data Controllers and Data Processors of Major Importance”, regarding the Nigeria Data Protection Commission's (NDPC) Guidance Notice (the “Guidance Notice”), DOA reiterates the key points and provides further insights following the recent stakeholder Breakfast Summit organized by the NDPC, where the NDPC made certain clarifications in relation to the Guidance Notice.
This guide is designed to ensure your organization remains compliant with the Nigeria Data Protection Act of 2023 (the “Act”) by highlighting key aspects of the Guidance Notice, categorization of data controllers and processors, and critical deadlines and compliance requirements.
According to the Guidance Notice, a data controller or data processor shall be designated as a Data Controller or Data Processor of Major Importance (DCPMI):
a. if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and:
   i. processes the personal data of more than 200 data subjects within 6 months;
   ii. carries out commercial information communication technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or
   iii. processes personal data as an organization or a service provider in any one of the following sectors: financial institutions, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, and electric power.
b. Where a data controller or data processor is under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on behalf of the data subject, taking into consideration the significant harm that may be done to a data subject if such data controller or processor is not under the obligations imposed on DCPMIs.
The Guidance Notice classified DCPMIs into 3 (three) levels or categories:
The Guidance Notice requires DCPMIs to register with the Commission on or before 30th June 2024.
Registration after the due date or failure to register shall be deemed a default and exposes the defaulting organization to the penalties prescribed by the Act.
As per the Commission's directive, it is imperative for a DCPMI to possess a local presence in order to facilitate registration with the Commission. This requirement stands notwithstanding the provisions of the Act, which extend its application to DCPMIs not domiciled, resident, or operating within Nigeria, but who engage in the processing of personal data pertaining to Nigerian data subjects.
Hence, in order to adhere to the stipulated registration prerequisites, foreign organizations must establish a local address within Nigeria and designate a Nigerian Data Protection Officer (DPO).
Complying with the Act and the Guidance Notice and maintaining adherence to data protection standards are fundamental to fostering trust and confidence among data subjects. It is vital for organizations to recognize that any instance of non-compliance resulting in sanctions or penalties could significantly tarnish the organization’s reputation.
Therefore, it is imperative for organizations qualifying as DCPMIs to promptly register with the Commission before the specified deadline. This is essential for mitigating the risk of facing penalties as prescribed by the Act and for upholding robust data protection practices.
Should you require further assistance or support in confirming your status as a DCPMI or guidance through the registration process, our dedicated Data Privacy and Protection Team is available to provide expert legal assistance and support.
--
Read the original publication at Duale, Ovia & Alex-Adedipe