The Nigerian Data Protection Commission has recently issued a Guidance Notice on the entities that are deemed to be Data Controllers and Data Processors of Major Importance (DCPMIs). The Notice was issued on 14 February 2024 and took effect from that date.
Section 65 of the NDPA defines DCPMIs as data controllers or processors that are based or operate in Nigeria and who process or intend to process personal data of a certain number of data subjects within Nigeria, as prescribed by the NDPC. DCPMIs are also entities that process personal data that is of particular value or significanceto the economy, society or security of Nigeria, as designated by the NDPC.
The Notice sets out the criteria the NDPC has adopted to determine the entities that will be deemed to be DCPMIs.
An entity which keeps or has access to a filing system (whether analogue or digital) for the processing of personal data; and:
(a) processes the personal data of more than 200 data subjects within a six month period; or
(b) provides commercial Information Communication Technology (ICT) services on any digital device that has storage capacity and belongs to another individual; or
(c) processes personal data as an organisation or service provider in the financial, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, or electric power sectors of the economy.
The Notice creates 3 classes of DCPMIs based on the levels of personal data that is being processed:
i) Major Data Processing-Ultra High Level (MDP-UHL): these are entities that process the personal data of over 5,000 data subjects in a six-month period. In addition to entities that process the personal data of over 5,000 data subjects irrespective of their sector of operation, commercial banks, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, oil and gas companies, public social media app developers and proprietors, public e-mail app developers and proprietors, communication devices manufacturers, and payment gateway service providers are also deemed to be MDP-UHLs.
ii) Major Data Processing-Extra High Level (MDP-EHL): these are entities that process the personal data of over 1,000 data subjects within six months. In addition to entities that process the personal data of over 1,000 data subjects, entities such as ministries, departments, and agencies of government (MDAs), microfinance banks, higher institutions (Universities, Polytechnics, Colleges of Education etc), hospitals providing tertiary or secondary medical services, and mortgage banks are also designated MDP-EHL.
iii) Major Data Processing-Ordinary High Level (MDP-OHL): These are entities that process the personal data of over 200 data subjects within a six-month period. In addition, entities such as primary and secondary schools, primary health centres, agents, contractors and vendors who engage with data subjects on behalf of other organisations/entities (third party data processors) are deemed to be MDP-OHL.
The Notice requires all DCPMIs irrespective of their classification to register with the NDPC on or before 30 June 2024.
The registration fee payable to the NDPC for registration as an MDP-UHL is
NGN250,000.00. For registration as an MDP-EHL the fee payable is NGN100,000, and NGN10,000.00 for registration as an MDP-OHL.
DCPMIs who fail to register with the NDPC before 30th June 2024 will be deemed to be in breach of the NDPA and liable to the penalties imposed for non-compliance in the NDPA. Under the NDPA, the penalty imposed on a DCPMI for non-compliance is the payment of a fine of up to NGN10,000,000 (ten million Naira) or 2% of the annual gross revenue from the preceding financial year (whichever is the greater of the two sums).
--
Read the original publication at Udo Udoma & Belo-Osagie