Who is a Data Controller or Processor of Major Importance (DCPMI) in Nigeria?

Under the relevant privacy laws in Nigeria, you attain the status of a DCPMI if you:

• Are domicile, resident, or operating in Nigeria who processes or;
• Intends to process personal data of data subjects of more than such number within Nigeria as the Commission may prescribe,
• One who processes personal data of particular significance to the economy, society or security of Nigeria as the commission may designate. (Section 65 NDPA). These cut across various industries such as; Financial, Communication, Health, Education, Insurance, Export and Import, Aviation, Tourism, Oil and Gas, Electric Power.
• Has access to a filing system that process personal data of more than more than 200 data subject in 6 months.
• Under a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information based on the harm that can be done to the data subject if such data controller or processor is not under the obligation imposed under the DCPMIs. (Section 1, 1(2) of Guidance Notice).

Classification of Data Controllers/Processors of Major Importance

Organizations that process personal data at various levels of risk are classified into

WHY IS REGISTRATION WITH THE NIGERIA DATA PROTECTION COMMISSION IMPORTANT?

Registering as a Data Controller or Processor of Major Importance serves the following purposes:

• Evidence of Compliance: Registration with the NDPC demonstrates your organization's compliance with the relevant laws. It provides verifiable and rebuttable evidence that your organization adheres to mandatory regulatory requirement, helping establish your business as trustworthy and accountable.
• Build Customer Trust and Confidence: In today's digital world, trust is everything. Customers are more likely to interact with businesses that take proactive organizational, technical and regulatory measures to protect their personal data. Registration signals that your organization values data privacy and security, building long-term confidence with clients, users and partners.
• Avoid Regulatory Fines and penalties: Failure to comply with the NDPA 2023, NDPC guidelines or other relevant data protection regulation can result in significant fines and penalties. Registration ensures that your organization is aligned with the regulatory framework, mitigating risks and non-compliance.
• Secure Business Continuity: Compliance is key to long-term business success. Organization with a strong regulatory framework can navigate Nigeria's evolving data protection landscape more effectively, ensuring continuous relevance and competitive while safeguarding their operations against legal risks.
• It Facilitates Supervision and Guidance: Registration and licensing gives the relevant data protection authorities' visibility into the processing activities of an organization and enables easier communication with the Commission in the event of liaising with the commission. This can also provide tailored guidance and monitor compliance effectively. It equally shows commitment to accountability and prima facie good faith in data processing.
• Appointment of Data Protection Officer: In Nigeria, a requirement of successful registration is the appointment of a Data Protection Officer who must be a citizen of Nigeria. This in turn assists the organization with the mandatory provision to designate a data protection officer. The DPO may be a member of staff with recognized certification or fulfil the tasks on the basis of a service contract.
• Entry into the Commission's Register for Data Controllers or Processor of Major Importance: Successfully registered and licensed businesses or institutions are entered into the register of data controllers and processors of major importance with the Commission, thereby demonstrating accountability, transparency and trust with both partners, customers and the regulators. The Commission publishes on its website the register of data controllers and data processors of major importance that may have duly registered with it and updates the register a least once annually.

REQUIREMENTS FOR REGISTRATION OF DATA CONTROLLERS/ PROCESSORS OF MAJOR IMPORTANCE WITH THE NIGERIA DATA PROTECTION COMMISSION

Registration as a DCPMI follows a series steps with questions and details to be filled out on the forms provided on the Commission's website on opening an account on the registration portal. These steps include the following;

1. STEP 1: Data Controller/Processor Information:
   • What type of business do you run?
   • What is your Corporate Affairs Commission (CAC) RC number? If you are an individual provide your National Identification Number (NIN).
   • What is your name (individual) or the name of the Organization?
   • What is your official Contact Address?
   • What is your official Phone number?
   • What is your official Email Address?
   • What is your operational Sector?
   • What state in the country do you function in?
2. STEP 2: Data Processing Details:
   • What is the number of data subjects?
   • What are the categories of data recipients? That is, organizations you share personal data with?
   • Do you transfer data to other countries?
   • What are your purposes for data processing?
   • Describe personal data processed by the organization? (sensitive or non-sensitive personal data)
   • What is the Category of data processed?
3. STEP 3: Data Protection Officer Details:
   • National Identification Number (NIN)
   • First name
   • Last name
   • Official email Address
   • Official phone number
   • Official Contact Address
   • Certificate (Evidence of certified training as a data protection officer)
4. STEP 4: Data Controller/Processor Representative(s):
   • First name
   • Last name
   • Official email address
   • Official phone number
   • Official contact address
5. STEP 5: Safety Precautions:
   • What is the risk level of data processing activities within your organization?
   • What security measures does your organizations adopt? (Safeguards & security Measures)
6. Technical measures: Please tick which measure (s) you have in place

Network security and firewalls, Data security systems, Data loss prevention solutions, Data recovery systems, Data encryption, Audit trail and loggings, Data access authorization, Data minimization

7. Organizational measures: Please tick which measure(s) you have in place

Data retention policies, Data protection policies, Remediation and incidence response systems, Specialized trainings, Publicity of data subject rights, Active grievance redress Mechanism, Cooke Consent DPO Designation, Regular Security Audits, Vendor and Third-Party Agreement, Data Privacy Impact Assessment (DPIAs)

Step 7: Verify Information:

Check relevant information before submission and payment.

Step 8: Payment:

Depending on your answers to assessment provided in your Data Inventory and the NDPC DC/PC Registration Guideline Notice.

Step 9: Finish

After payment is made, the registration must be submitted and concluded by clicking on "finish". Upon successful registration it registered name is published on the website as a DCPMI.

SEIZURE AND REMOVAL AS DATA CONTROLLER OR PROCESSOR OF MAJOR IMPORTANCE

Where a data controller or processor no longer qualifies as a data controller or data processor of major importance, they can request removal from the register by providing the information required by the Commission through any electronic submission system provided by the commission, or in the absence of which email to an address that the Commission shall publish on its website. However, such seizure or removal from the register does not preclude the former data controller and processor of paying any outstanding fees from the then- current or any prior annual registration periods.

WHO ARE NOT DATA CONTROLLER OR PROCESSOR OF MAJOR IMPORTANCE?

The GAID provides a list of institutions that are not DCPMI. These include:

• Traders or artisans who do not transmit personal data as a trade or business object to other data controllers or processors that may process the transmitted personal data for their business goals.
• Traders with less than fifteen (15) employees, or Artisans who do not keep any specific filing system of personal data relating to their customers except routine phone contacts files, receipts data, contact addresses and electronic mail addresses.
• A Community of Friends, Professionals or People of Common Interest who interact on Social Media Platforms.

WHICH INSTITUTIONS ARE EXEMPTED FROM REGISTRATION AS DATA CONTROLLERS OR DATA PROCESSORS OF MAJOR IMPORTANCE?

In line with section 44(6) of the NDP Act, the Commission exempts the following categories of data controllers of major importance from registration:

• Community-Based Associations;
• Faith-Based Organizations;
• Foreign Embassies and High Commissions;
• Judicial establishments or bodies carrying out adjudicatory functions; and
• Multi-governmental Organizations.