The Nigeria Data Protection Commission (NDPC) has issued a guidance notice (NDPC/HQ/GN/VOL.02/24) to firms in certain sectors to clarify which organizations are required to register under the Nigeria Data Protection Act (NDPA) of 2023.
According to the NDPC, organizations that are considered to be of significant value or importance to Nigeria’s economy, society, or security are designated as data controllers and processors of major importance. This designation is based on sections 5(d), 44, and 65 of the NDPA.
The guidance notice, signed by Babatunde Bamigboye, the NDPC’s head of legal enforcement and regulations, states that a data controller or processor is considered to have significant value or importance if it maintains or has access to a filing system for processing personal data, whether in analog or digital form.
The notice also highlights specific data processing activities, such as those involving sensitive personal data, cloud computing, transborder data transfers, processing the personal data of over 200 individuals, and accessing third-party data storage platforms in commercial transactions. These factors are taken into account when determining whether an organization is a data controller or processor of major importance.
Based on these criteria, organizations in the Major Data Processing (MDP) category are divided into three levels: Ultra High Level (UHL), Extra High Level (EHL), and Ordinary High Level (OHL).
Commercial banks, merchant banks, telecommunication companies, insurance companies, multinational companies, and payment gateway service providers fall under the MDP-UHL category.
Ministries, Departments, and Agencies of the government, microfinance banks, higher institutions, hospitals providing tertiary or secondary medical services, and mortgage banks are included in the MDP-EHL category.
Small and medium-scale enterprises, primary and secondary schools, primary health centers, agents, contractors, and vendors who handle data on behalf of other organizations are classified as MDP-OHL.
Dr. Vincent Olatunji, the NDPC’s national commissioner, explained that the increased risk of data processing necessitates extra vigilance to protect citizens from data breaches. He emphasized that registration is one of several measures being implemented to enhance accountability in data processing.
In summary, the NDPC has issued a guidance notice to clarify the registration requirements for organizations under the Nigeria Data Protection Act. The notice defines the criteria for determining organizations of major importance and categorizes them into different levels based on their role in data processing. The purpose of these measures is to enhance data protection and accountability.
About the Author
