Blog

Insights and analysis on legal technology, compliance, and business strategy

Faven LP at NADPA Conference 2025

Delegates from Faven LP were honoured to participate in the 2025 NADPA Conference, held at the prestigious Transcorp Hilton, Abuja, from the 6th to 8th of May, 2025.

The conference proved to be an enriching experience—offering invaluable insights, engaging conversations, and strategic networking with leading figures in the global digital and data protection space.

Our team had the privilege of interacting with esteemed industry leaders and dignitaries, including:

  • Dr. Vincent Olatunji, National Commissioner/CEO, Nigeria Data Protection Commission (NDPC)
  • Immaculate Kassait, Commissioner, Office of the Data Protection Commissioner (ODPC), Kenya
  • Derek Ho, Deputy Chief Privacy Officer, AI & Data Responsibility, Mastercard
  • Susan, Privacy Professional, Mastercard
  • Bojana Bellamy, President, Centre for Information Policy Leadership (CIPL), and Mark Smith, also a delegate from CIPL
  • Adewale Obadare, Founder and Chief Visionary Officer (CVO), Digital Encode Limited
  • Dr. Favour Femi-Oyewole, Group Chief Information Security Officer, Access Bank | Forbes Best of Africa Outstanding Cybersecurity Leader | Forbes Technology Council Member

Notably, CIPL, in collaboration with the Global System for Mobile Communication (GSMA), hosted an official side event on "Data Policy and Governance for AI: Fostering Responsible Innovation and Adoption."

Representing Faven LP were:

  • Ikionana Ezekiel, Principal Partner
  • Oluwatoboloba Adewum, Partner
  • Kosisochukwu, IT Compliance and Startup Advisor
  • Prosper I. Akinlawon, Media and Publicity Lead

At Faven LP, we remain committed to strengthening privacy, data protection, and regulatory compliance in Nigeria and across Africa. Participating in events like the NADPA Conference allows us to stay at the forefront of conversations shaping the future of the digital economy.

Privacy Compliance Series 1.2

How to Register as a Data Controller and Data Processor of Major Importance in Nigeria

An organization or individual becomes a Data Controller or Processor of Major Importance (DCPMI) under the law when its or their processing activities pose potential risks to the personal data of Nigerian citizens at its or their disposal, and where such processing of personal data is of particular value or significance to the economy, society or security of Nigeria as determined by the Nigeria Data Protection Commission (“Commission”). Organizations and individuals are therefore categorized according to the level of risk associated with their processing activities. These categories are a creation of various data protection laws and guidelines in Nigeria. Specifically, Sections 5(d), 6(c), 44, and 66 of the Nigeria Data Protection Act (NDPA) 2023, Article 8 and Schedule 7 of the General Application and Implementation Directive (GAID), 2025, alongside the Data Controller or Data Processor Registration Guidance Notice, provide for designation and registration as a DCPMI.

Who is a Data Controller or Processor of Major Importance (DCPMI) in Nigeria?

Under the relevant privacy laws in Nigeria, you attain the status of a DCPMI if you:

  • Are domiciled, resident, or operating in Nigeria and process, or intend to process, the personal data of more than such number of data subjects within Nigeria as the Commission may prescribe;
  • Process personal data of particular significance to the economy, society or security of Nigeria as the Commission may designate (Section 65 NDPA). These cut across various industries such as Financial, Communication, Health, Education, Insurance, Export and Import, Aviation, Tourism, Oil and Gas, Electric Power;
  • Have access to a filing system that processes the personal data of more than 200 data subjects in 6 months;
  • Are under a fiduciary relationship with a data subject by reason of which you are expected to keep confidential information, based on the harm that can be done to the data subject if such data controller or processor is not under the obligations imposed on DCPMIs (Section 1, 1(2) of Guidance Notice).

Classification of Data Controllers/Processors of Major Importance

Organizations that process personal data at various levels of risk are classified into:

1. Major Data Processing – Ultra High Level (MDP – UHL): Examples of organizations under this category include:

  • Commercial Banks operating at national and regional levels,
  • Telecommunication Companies
  • Insurance Companies
  • Multinational companies
  • Public social media app developers and proprietors
  • Electricity distribution companies
  • Oil and Gas companies
  • Public email App developers and proprietors
  • Communication devices manufacturers
  • Payment gateway service providers
  • Organizations that process the personal data of over 5000 data subjects within six months

2. Major Data Processing – Extra High Level (MDP – EHL): You are likely under this category if you are:

  • Ministries, Departments and Agencies (MDAs) of government
  • Micro Finance Banks
  • High Institutions
  • Hospitals providing tertiary or secondary medical services
  • Mortgage Banks
  • Organizations that process the personal data of over 1000 data subjects within 6 months

3. Major Data Processing – Ordinary High Level (MDP – OHL): Organizations under this category include:

  • Small and Medium Scale Enterprises (that have access to personal data which they may share, transfer, analyze, copy, compute or store in the course of carrying out their individual businesses)
  • Primary and Secondary Schools
  • Primary Health Centers
  • Agents, contractors and vendors who engage with data subjects on behalf of other organizations that are in the categories of MDP-UHL and MDP-EHL

WHY IS REGISTRATION WITH THE NIGERIA DATA PROTECTION COMMISSION IMPORTANT?

Registering as a Data Controller or Processor of Major Importance serves the following purposes:

  • Evidence of Compliance: Registration with the NDPC demonstrates your organization's compliance with the relevant laws. It provides verifiable and rebuttable evidence that your organization adheres to mandatory regulatory requirements, helping establish your business as trustworthy and accountable.
  • Build Customer Trust and Confidence: In today's digital world, trust is everything. Customers are more likely to interact with businesses that take proactive organizational, technical and regulatory measures to protect their personal data. Registration signals that your organization values data privacy and security, building long-term confidence with clients, users and partners.
  • Avoid Regulatory Fines and Penalties: Failure to comply with the NDPA 2023, NDPC guidelines or other relevant data protection regulations can result in significant fines and penalties. Registration ensures that your organization is aligned with the regulatory framework, mitigating the risk of non-compliance.
  • Secure Business Continuity: Compliance is key to long-term business success. Organizations with a strong regulatory framework can navigate Nigeria's evolving data protection landscape more effectively, ensuring continued relevance and competitiveness while safeguarding their operations against legal risks.
  • Facilitates Supervision and Guidance: Registration and licensing give the relevant data protection authorities visibility into the processing activities of an organization and make it easier to communicate with the Commission when the need to liaise with it arises. This also allows for tailored guidance and effective compliance monitoring. It equally shows commitment to accountability and prima facie good faith in data processing.
  • Appointment of Data Protection Officer: In Nigeria, a requirement of successful registration is the appointment of a Data Protection Officer who must be a citizen of Nigeria. This in turn assists the organization with the mandatory provision to designate a data protection officer. The DPO may be a member of staff with recognized certification or fulfil the tasks on the basis of a service contract.
  • Entry into the Commission's Register for Data Controllers or Processors of Major Importance: Successfully registered and licensed businesses or institutions are entered into the register of data controllers and processors of major importance with the Commission, thereby demonstrating accountability, transparency and trust with partners, customers and regulators. The Commission publishes on its website the register of data controllers and data processors of major importance that have duly registered with it and updates the register at least once annually.

REQUIREMENTS FOR REGISTRATION OF DATA CONTROLLERS/ PROCESSORS OF MAJOR IMPORTANCE WITH THE NIGERIA DATA PROTECTION COMMISSION

Registration as a DCPMI follows a series of steps, with questions and details to be filled out on the forms provided on the Commission's website once you open an account on the registration portal. These steps include the following:

  1. STEP 1: Data Controller/Processor Information:
    • What type of business do you run?
    • What is your Corporate Affairs Commission (CAC) RC number? If you are an individual provide your National Identification Number (NIN).
    • What is your name (individual) or the name of the Organization?
    • What is your official Contact Address?
    • What is your official Phone number?
    • What is your official Email Address?
    • What is your operational Sector?
    • What state in the country do you function in?
  2. STEP 2: Data Processing Details:
    • What is the number of data subjects?
    • What are the categories of data recipients? That is, organizations you share personal data with?
    • Do you transfer data to other countries?
    • What are your purposes for data processing?
    • Describe personal data processed by the organization? (sensitive or non-sensitive personal data)
    • What is the Category of data processed?
  3. STEP 3: Data Protection Officer Details:
    • National Identification Number (NIN)
    • First name
    • Last name
    • Official email Address
    • Official phone number
    • Official Contact Address
    • Certificate (Evidence of certified training as a data protection officer)
  4. STEP 4: Data Controller/Processor Representative(s):
    • First name
    • Last name
    • Official email address
    • Official phone number
    • Official contact address
  5. STEP 5: Safety Precautions:
    • What is the risk level of data processing activities within your organization?
    • What security measures does your organization adopt? (Safeguards & Security Measures)
    • Technical measures: Please tick which measure(s) you have in place: Network security and firewalls, Data security systems, Data loss prevention solutions, Data recovery systems, Data encryption, Audit trail and logging, Data access authorization, Data minimization
    • Organizational measures: Please tick which measure(s) you have in place: Data retention policies, Data protection policies, Remediation and incident response systems, Specialized trainings, Publicity of data subject rights, Active grievance redress mechanism, Cookie Consent, DPO Designation, Regular Security Audits, Vendor and Third-Party Agreement, Data Privacy Impact Assessments (DPIAs)

Step 7: Verify Information:

Check relevant information before submission and payment.

Step 8: Payment:

Payment depends on your answers to the assessment provided in your Data Inventory and on the NDPC DC/PC Registration Guideline Notice.

Step 9: Finish

After payment is made, the registration must be submitted and concluded by clicking on "finish". Upon successful registration, the registered name is published on the website as a DCPMI.

SEIZURE AND REMOVAL AS DATA CONTROLLER OR PROCESSOR OF MAJOR IMPORTANCE

Where a data controller or processor no longer qualifies as a data controller or data processor of major importance, they can request removal from the register by providing the information required by the Commission through any electronic submission system provided by the Commission or, in the absence of one, by email to an address that the Commission shall publish on its website. However, such seizure or removal from the register does not preclude the former data controller or processor from paying any outstanding fees from the then-current or any prior annual registration periods.

WHO ARE NOT DATA CONTROLLER OR PROCESSOR OF MAJOR IMPORTANCE?

The GAID provides a list of institutions that are not DCPMI. These include:

  • Traders or artisans who do not transmit personal data as a trade or business object to other data controllers or processors that may process the transmitted personal data for their business goals.
  • Traders with less than fifteen (15) employees, or Artisans who do not keep any specific filing system of personal data relating to their customers except routine phone contacts files, receipts data, contact addresses and electronic mail addresses.
  • A Community of Friends, Professionals or People of Common Interest who interact on Social Media Platforms.

WHICH INSTITUTIONS ARE EXEMPTED FROM REGISTRATION AS DATA CONTROLLERS OR DATA PROCESSORS OF MAJOR IMPORTANCE?

In line with section 44(6) of the NDP Act, the Commission exempts the following categories of data controllers of major importance from registration:

  • Community-Based Associations;
  • Faith-Based Organizations;
  • Foreign Embassies and High Commissions;
  • Judicial establishments or bodies carrying out adjudicatory functions; and
  • Multi-governmental Organizations.

Registration as a data controller or processor of major importance with the Nigeria Data Protection Commission (NDPC) not only shows adherence to legal obligations but also gives a competitive edge in building trust, avoiding sanctions and sustaining growth in an increasingly data-driven economy. At Faven LP, our expert team of data protection and privacy compliance professionals helps organizations like yours stay compliant with relevant privacy legislation and keeps you ahead of the curve. Click here to begin your registration as a data controller or processor of major importance with the Commission.

Multichoice Fined ₦766,242,500 for Violating Nigeria's Data Protection Law: A Wake-Up Call for Private Companies

Introduction

The Nigeria Data Protection Commission (NDPC) has fined Multichoice Nigeria the sum of ₦766,242,500 (Seven Hundred and Sixty-Six Million, Two Hundred and Forty-Two Thousand, Five Hundred Naira) for violating key provisions of the Nigeria Data Protection Act (NDPA) 2023 and Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.

This development highlights the growing enforcement capacity of the NDPC and sends a strong message to all businesses handling personal data in Nigeria: compliance is no longer optional.

What Happened?

Multichoice was found to have violated the privacy rights of both subscribers and non-subscribers. The Commission discovered the following:

  • Mishandling of personal data belonging to subscribers.
  • Exposure of personal data of individuals who were not even customers.
  • Illegal cross-border transfer of personal data.

The NDPC described the company's data processing practices as “intrusive, unfair, unnecessary, and disproportionate.”

Worse still, when the Commission directed Multichoice to take corrective steps, the company's response was deemed unsatisfactory.

Why It Matters

For any organisation operating in Nigeria and dealing with personal data, this enforcement action by the NDPC is a critical reminder of the risks that come with non-compliance:

  • Risk to business continuity: Multichoice faces the possibility of a stall in its business operations unless the fine is paid or the matter is laid to rest.
  • Loss of customer trust: With the increasing knowledge of customers on how their personal information is utilized, Multichoice stands to lose its customers' trust.
  • Heightened regulatory scrutiny: The Commission has instructed that every outlet of Multichoice be investigated to monitor its compliance with privacy laws. This means that the Commission is set to play watchdog and end up taking a deep bite with every given chance.
  • Hefty financial penalties: It appears that the fine of ₦766,242,500 is just the first of many to come, with the Commission still actively sniffing around to pick up non-compliance scents.

What Could Have Been Done Differently?

Multichoice could have avoided this regulatory showdown by putting intentional structures in place early.

  • Treating data protection as a boardroom issue: Not something to fix only when the Commission comes knocking. Privacy compliance starts from the top.
  • Engaging professionals who understand regulatory direction: There is a clear difference between ticking boxes and building a privacy culture. Startups and legacy businesses alike must know when to seek expert support.
  • Responding responsibly and transparently to the Commission's directives: The right response, delivered promptly and with clarity, can change the tone of regulatory engagement.
  • Running periodic compliance reviews to catch red flags before they explode: The absence of internal assessment mechanisms is what creates a blind spot in organisations. Multichoice had one too many.

We can still recall the ongoing WhatsApp appeal. The same issues of lack of transparency, unequal treatment of users, and ignoring regulatory advice landed them in hot water.

Final Words

Data is the new gold mine. In today's digital world, data is a valuable asset. But like every gold mine, it must be carefully monitored, protected, and managed.

Privacy laws act as the fences, warning signs, and surveillance systems around that gold mine. Ignoring them puts your entire operation at risk.

If you run a company that collects or processes personal data, now is the time to ask yourself:

Are we ready for regulatory scrutiny?

If you are unsure, that is your starting point. The cost of inaction is far greater than the investment in doing things right.

DISCLAIMER: This content is for EDUCATIONAL purposes ONLY. Do well to consult an expert where necessary.

At Faven LP, we help companies stay compliant, reduce regulatory risks, and build trusted systems around data protection.

📩 Reach out today: favenchambers@gmail.com

DATA SUBJECT ACCESS REQUESTS (DSARS): BEST PRACTICES FOR MEETING LEGAL REQUIREMENTS

WHAT IS DATA SUBJECT ACCESS REQUEST?

A Data Subject Access Request (DSAR) is a request directed to the organization by a data subject (individual), granting the data subject the right to access information about his/her personal data that the organization is processing.

This request is made by a data subject to understand how and why their personal data is being used, and how to check that it is being used lawfully. It is one of the fundamental rights of the data subject which allows for the exercise of other rights including the (legal) right to obtain a copy of their personal data.

WHAT INFORMATION CAN DATA SUBJECTS REQUEST FROM DATA CONTROLLERS?

  • Confirmation that the data Controller/Processor is processing their personal data.
  • A copy of their personal data.
  • Other supplementary information, e.g. copies of email correspondence, the list of third parties their information is shared with, or any other information contained in the organization's privacy policy documentation.

It is worthy of note that data subject access requests may be limited where disclosing their data may also lead to the disclosure of other individuals' data or when they are exercising another individual's right of access on their behalf.

HOW DO DATA SUBJECTS MAKE ACCESS REQUESTS?

An individual can make a request for rectification, erasure or sharing of their personal data verbally or in writing.

Such requests can be made to any department of the organization or to designated personnel assigned for such purposes.

A practical approach is to publish the details of the Data Protection Officer (DPO) on your website or other media platforms to which requests can be directed.

Likewise, social media companies and online platforms simply provide user activity logs where a user can download all the information about them. Organisations with sufficient resources can also add this feature to their platforms.

PRACTICAL STEPS FOR HANDLING DATA SUBJECTS ACCESS REQUESTS

Handling DSARs adequately and effectively requires the following steps:

  • Designation of office: Allocate data protection to a “lead” if not already in place. It enables the organization to specify a contact point in the event of a DSAR.
  • Acknowledgement of the request: A simple acknowledgement can build trust, followed by timely feedback with the expected time.
  • Confirmation of identity: Request recognized identity where necessary to prevent data leaks.
  • Check validity and scope: Ensure the request is appropriate and determine the extent of information required.
  • Set reminders: Monitor and track pending requests that need answers.
  • Double-check requests: Verify the nature of information requested.
  • Search for relevant information: Only disclose devolved information within scope.
  • Consider impact on other people: Ensure other people's data is not inadvertently disclosed.
  • Prepare your response: Use templates as required under data privacy laws.
  • Send reply in machine-readable format: Maintain security and records of the response.

Having an appropriate DSAR mechanism cannot be underrated. Failure to respond may cause affected individuals to complain to data protection authorities, leading to investigations, fines, and penalties.

Constant and unsolicited access requests may hamper a data controller's trust and regulation.

Overall, responding to DSARs is not just about compliance, but maintaining trust and transparency with your data subjects.

Faven LP provides data protection and privacy compliance across various sectors. You can speak to one of our experts to build a comprehensive data protection and privacy framework that is suited for your institution. Through our specialized services, we have worked with edtech, fintech, medtech and legaltech to attain compliance and remain relevant in today's constantly evolving digital landscape.

Email us at favenchambers@gmail.com

The content of this article is for general information on the subject matter only. Consult with an expert on your specific circumstance before taking any further action.

What the Nigeria Tax Act, 2025 Means for Technological Companies in Nigeria: 7 Things Every Startup Founder Needs to Know.

The Nigeria Tax Act, 2025 is a major reform in Nigeria's tax system. It brings together and replaces several older tax laws, such as the Companies Income Tax Act, Value Added Tax Act, and Capital Gains Tax Act.

More importantly, it introduces new rules that apply directly to Nigeria's growing digital economy. For technological companies, whether Nigerian or foreign, this new law marks a turning point. It sets out clear rules for how digital businesses will be taxed and what is expected of them in terms of compliance.

Of course, technology companies are not left out of the picture. Some of the key updates provided in the Act that relate to tax exemptions and taxes imposed on technology companies include the following:

1. The inclusion of digital and virtual assets as taxable items

According to Section 4(1)(i) and Section 34(1)(a), income arising from dealing, selling, or trading in digital assets, such as cryptocurrencies, is chargeable to tax. This implies that if a business earns profits through such transactions, such profits are to be declared and tax paid in consequence.

However, there are certain exceptions:

  • Where the company's annual sales are below ₦150 million and the company's profit is below ₦10 million, no tax would be levied.
  • Where the proceeds from selling such digital assets are re-invested in Nigerian enterprises within a single year, the company may be granted partial exemption from capital gains tax.

2. Compulsory tax on foreign technology companies

The Act stipulates that foreign technology companies must be taxed in Nigeria if they are making profits from Nigerian consumers. This is based on a principle referred to as Significant Economic Presence (SEP), provided for under Section 17(9)(b) of the Act.

Foreign companies like Meta, Google, Tiktok, Microsoft clouds, Adobe Reader, etc., that offer services like online advertisements, online payment, cloud computing, or digital training to Nigerian consumers will be taxed.

This applies even if these technology companies have no physical offices or workers in Nigeria. These companies will pay tax for the income they derive from Nigerian customers, and where there is no withholding of tax at source, they will be taxed at least 4% of such income for the Nigerian government.

Hence, it is vital for local companies in partnership with these foreign companies to ensure such tax clearances are built into their operations before or at the time of venturing into such partnerships.

3. Provision of Value Added Tax (VAT) on Online Services

The Nigeria Tax Act reiterates the addition of VAT on online services. Sections 144 to 151 of the Act imply that VAT is payable on digital services provided to Nigerian consumers, irrespective of the residence of the company.

This includes software downloads, mobile apps, cloud computing, video and music streaming services, and even paid web-based lessons. Whether the service is offered by a local IT company or an offshore firm, 7.5% VAT must be collected and remitted to the tax department.

4. Incentive to Local Technology Companies

The Act gives relief and incentive to local technology companies and start-ups. Section 13(2) of the Act relieves the salaries of employees of a technology start-up with non-resident (foreign) employees, provided that they are taxed in the country of origin.

This is a welcome relief for start-ups that collaborate with remote teams or offshore developers.

Are there any exceptions for which local companies get the reliefs?

Yes, the Act provides an exemption. It expressly provides that the employer has to be an established startup or a "technology-driven service" company. Sub-section 13(6) lists such services as financial technology companies (fintech), application development, online education platforms, and software companies.

5. Provision of Research and Development (R&D) relief

Another benefit for technology companies is in the form of R&D relief. Through Section 13, companies can offset against taxable profits the cost they spend on R&D up to 5% of their turnover annually. This will encourage innovation and help companies developing new software or building technology products.

6. Imposition of new requirements on Multinational Technology Companies

The Act imposes new requirements on multinational technology companies. Section 192 requires that all transactions between a Nigerian company and its foreign parent or subsidiary have to be on an arm's length basis.

That is, the prices have to be reasonable and similar to what would be charged by or to unrelated parties. These provisions are most relevant to companies offering group-shared services, licensing intellectual property, or offering cloud infrastructure.

Equally, Section 6(3) states that when a foreign technology subsidiary of a Nigerian company pays less than the minimum rate in its country of origin, its Nigerian parent company must remit the deficit in Nigeria.

This prevents companies from relocating earnings to locations with little or no taxes, and guarantees Nigeria gets its share of taxes from activities related to its economy.

7. Exemption from personal income tax for angel investors, venture capitalists, private equity funds, accelerators and incubators

Section 163(1)(m) provides for exemption from payment of personal income tax for gains accruing from the disposal of assets by an angel investor, venture capitalist, private equity fund, accelerators, or incubators with respect to a labelled startup provided the assets have been held in Nigeria for a minimum of 24 months.

In summary, the Nigeria Tax Act, 2025 shows that the Nigerian government is paying serious attention to the digital economy. The law puts down clear tax regulations for local and foreign technological companies and offers modern tax doctrines that cover how digital companies presently operate. From digital assets and virtual services to cloud platforms and cross-border transactions, the law covers a wide array of technology operations.

Faven LP provides compliance advisory services for startups across various sectors. We seek to serve with excellence and enable founders like you to build lasting solutions that lead your chosen industry. Through our specialized services, startups across edtech, fintech, medtech and legaltech have attained compliance and remain relevant in today's constantly evolving digital landscape.

Email us at favenchambers@gmail.com

References

  • The Nigeria Tax Act, 2025, Sections 13, 17, 144, 151, 192, 163(1)(m)

The content of this article is for general information on the subject matter only. Consult with an expert on your specific circumstance before taking any further action.