In a bid to enhance compliance and accountability in the handling of personal data, the Nigeria Data Protection Commission (NDPC) has announced an extension of the deadline for Data Controllers and Data Processors of Major Importance (DCPMIs) to register with the commission.
The new deadline without penalties is now the 31st of October, 2024.
The move comes as part of a broader effort by the NDPC to strengthen the data protection framework, as stipulated in the Nigeria Data Protection Act, 2024 (NDP Act).
The Commission, led by National Commissioner/CEO Dr. Vincent Olatunji, is also enforcing stricter rules on DCPMIs, requiring them to only engage registered agents and contractors for the processing of personal data.
According to the NDP Act, engaging unregistered data processors or agents is a violation of the law. Specifically, sections 24(3), 29(1)(a), and 44 mandate that all DCPMIs must ensure compliance with the Act when outsourcing personal data processing. Section 29(1)(a) states that a data controller or processor engaging another must ensure that the engaged party adheres to the same data protection principles and obligations that apply to the original entity.
This enforcement measure is designed to prevent unregulated and unauthorised handling of personal data.
The Commission clarified that as of October 15, 2024, all data processors engaged by DCPMIs must be duly registered with the NDPC to continue their operations without breaching the law.
Dr. Vincent Olatunji emphasised the importance of accountability in data processing, noting that compliance is essential for protecting individuals’ personal information.
Esq., Head of Legal, Enforcement & Regulations, Babatunde Bamigboye who signed the announcement, urged all relevant parties to act swiftly to avoid penalties after the October deadline.
The NDPC’s actions reflect growing concerns about data privacy and protection in Nigeria, as the digital economy continues to expand and the risks associated with improper data handling increase.