Nigeria's Data Protection Commission issued a highly anticipated guidance notice on 14 Feb. on the "Registration of Data Controllers and Data Processors of Major Importance."
Section 65 of Nigeria's Data Protection Act, enacted 12 June 2023, introduced data controllers and data processors of major importance without a concrete definition, leaving that task to the NDPC. The NDPA's mandate for data controllers and data processors of major importance to register with the NDPC within six months of the act's coming into force, or of being categorized as such, worsened the uncertainty. The original registration deadline set by the act passed in December 2023.
This was a bumpy introduction of a seemingly important concept with obligations that could not be explained at the time without venturing into a world of conjectures.
Guidance on designations
According to the DPC's guidance, pursuant to Sections 5d, 6(c), 44, 45 and 65 of the NDPA, data controllers and processors of major importance are deemed to have "particular value or significance to the economy, society or security of Nigeria."
A data controller or processor is designated to be of major importance if it maintains a filing system, analog or digital, for processing personal data and does any of the following: processes the personal data of more than 200 individuals within six months; provides commercial information and communication technology services on digital devices with storage capacity belonging to others; or processes personal data as an organization or service provider in the finance, communication, health, education, insurance, import/export, aviation, tourism, oil and gas, or electric power sectors.
Data controllers and data processors are also deemed to be of major importance if confidential information is kept on a data subject's behalf due to a fiduciary relationship.
Considering the nature and volume of processing activities occurring in Nigeria, and the breakdown and further categorization within the DPC's guidance, it appears almost every conceivable entity operating within Nigeria is a data controller and data processor of major importance. This seems somewhat antithetical to the NDPA's intention for data controllers and processors of major importance to be a special group distinct from ordinary entities.
This opinion is further strengthened by the classification of data controllers and data processors of major importance into three categories: "Major Data Processing — Ultra High Level," "Major Data Processing — Extra High Level," and "Major Data Processing — Ordinary High Level." Entities were categorized to ascertain applicable data protection compliance standards and registration costs for each category: NGN250,000, NGN100,000 and NGN10,000, respectively.
Data controllers and data processors of major importance under the top tier are commercial banks operating at national or regional levels, multinationals, telecommunication, insurance, oil and gas and electricity distribution companies, public social media app developers and proprietors, public email app developers and proprietors, communication device manufacturers, payment gateway service providers, and other organizations that process the personal data of over 5,000 individuals in six months.
These entities are generally required to abide by the highest attainable global standards of data protection, considering at least five of eight factors listed within the DPC's notice, some of which may include "sensitivity of personal data in their care" and "substantial involvement in cross-border data flows." The notice does not define these standards, but it is presumed that data controllers and data processors of major importance will refer to international and industry standards for this purpose.
Entities falling under the mid-tier category are government ministries, departments and agencies, mortgage banks, higher institutions, microfinance banks, hospitals providing tertiary or secondary medical services, and organizations that process personal data of over 1,000 data subjects within six months.
They are expected to abide by global best practices of data protection considering at least five of nine factors listed within the DPC's notice, some of which may include "the need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability," and substantial involvement in cross-border data flows and the need for accountability.
Those under the lowest tier are contractors and vendors who engage with data subjects on behalf of other organizations in the higher categories, small- and medium-scale enterprises — which have access to personal data they may analyze, compute, share, transfer, copy, or store in the course of conducting business — primary health centers, primary and secondary schools, and organizations that process personal data of over 200 data subjects within six months.
They are expected to abide by global best practices of data protection considering at least four of seven factors listed within the DPC's notice, some of which may include "the sensitivity of data assets in their care," "inherent vulnerability of the data subjects they typically engage with," and the need for accountability.
Compliance
Data controllers and data processors of major importance are required to register between 30 Jan. and 30 June 2024. Late registration or failure to register after the due date incurs penalties under the act. The presumed implication of the tiered classification is that entities in a higher category are likely to face greater regulatory scrutiny and higher punitive consequences than those in lower categories in the event of noncompliance.
Under Section 48(1)(a) of the NDPA, the penalty for noncompliance for a data controller or processor of major importance may be a sanction or enforcement order that includes a penalty or remedial fee, which may be an amount greater than NGN10 million and 2% of an entity's annual gross revenue in the preceding financial year.
Beyond registration of data controllers and data processors of major importance, it is also expected that Nigeria's DPC will keep entities' processing practices under constant scrutiny, so that this notice does not end up primarily as an instrument for revenue generation.
However, the apparent watering down of the composition of data controllers and data processors of major importance to include almost every data controller and processor, and the size of registration fees imposed — even though a one-time fee — may have tainted this provision of the NDPA. The notice also makes no provisions for natural persons who may be data controllers and processors who process data to the extent qualified in the notice.
Since registration compliance is just a single obligation under the act, it has the potential to be grossly misconstrued by data controllers and data processors of major importance as evidence of adequate data protection. In July 2023, Nigeria's DPC fined three major banks over data breaches. A perusal of its website, which contains the database of organizations that regularly file data protection audits since the introduction of the Nigeria Data Protection Regulation in 2019, reveals that major banks are compliant in filing data protection audits but still fall short of adequate compliance.
The registration of data controllers and data processors of major importance is not an automatic mechanism that will aid compliance with the Nigeria Data Protection Act 2023, and it could possibly lose its intended effect if registered entities are allowed to rely on the fact of registration as prima facie evidence of compliance.
The DPC's commendable increase in investigating complaints and imposing fines, especially on heavy-duty data controllers and processors, sends a strong message and raises awareness to help data subjects be more conscious of their data protection rights and the DPC's online portal for breach reporting. These efforts remain the route to effective enforcement by Nigeria's DPA.