NDPC cautions Data Controllers to avoid putting citizens at risk

The Nigeria Data Protection Commission (NDPC) has issued a Guidance Notice (NDPC/HQ/GN/VOL.02/24) to data controllers and processors of major importance. This is to clarify the categories of organisations required to register with the Commission under the Nigeria Data Protection Act (NDPA) 2023.

The Commission, relying on sections 5(d), 44, and 65 of the NDPA, designates organizations that are of “particular value or significance to the economy, society, or security of Nigeria” as data controllers and processors of major importance.

According to the Guidance Notice dated 14th February and signed by the Commission’s Head of Legal Enforcement and Regulations, Babatunde Bamigboye, Esq., “A data controller or data processor shall be deemed to have particular value or significance to the economy, society, or security of Nigeria if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data.”

In addition to this, the Commission also identified specific data processing activities such as those involving sensitive personal data, cloud computing, transborder data transfers, processing the personal data of over 200 data subjects, and access to data storage platforms of third parties in commercial transactions as necessary factors in considering organizations as data controllers or processors of major importance.

To foster ease of doing business, particularly for small organizations involved in potentially high-risk data processing, the Commission has varied the payable fees according to the level of Major Data Processing (MDP) involved.

Major Data Processing (MDP) is classified into three levels, namely; Ultra High Level (UHL) – N250,000, Extra High Level (EHL) – N100,000 and Ordinary High Level (OHL) – N10,000.

Organisations in the MDP-UHL category include but are not limited to commercial banks operating at a national or regional level, merchant banks, telecommunication companies, insurance companies, multinational companies, and payment gateway service providers.

Similarly, organisations within the MDP-EHL category include ministries, departments, and agencies of government, microfinance banks, higher institutions, hospitals providing tertiary or secondary medical services, and mortgage banks.

Lastly, organisations within the MDP-OHL category include small and medium-scale enterprises (SMEs) that have access to personal data which they may share, transfer, analyse, copy, compute, or store in the course of carrying out their individual businesses, primary and secondary schools, primary health centers, and agents, contractors, and vendors who engage with data subjects on behalf of other organisations.

The breakdown of the categories is contained in the Guidance Notice posted on the Commission’s website www.ndpc.gov.ng.

The NDPC’s National Commissioner and CEO, Dr. Vincent Olatunji, urged data controllers to avoid activities that may put citizens at risk, especially when millions of Nigerians are sharing their personal data such as bank details, pictures, health, and academic records online.

According to Dr. Olatunji, “The risks are getting higher even as the opportunities are also increasing, we are reminded of the warning by those in the frontiers of the 4th Industrial Revolution that we have a price to pay for liberty. The price is eternal vigilance. It is therefore important to properly and functionally identify the persons and the data processing to which we must direct the torch of vigilance. Registration is one in a continuum of measures we are taking in this regard. It is, however, the entry point of accountability going forward