The Nigeria Data Protection Commission (NDPC) has asked banks, telecommunication firms, insurance companies, and multinational firms to register with it as data controllers and processors of major importance.
This is as the commission issued a guidance notice (NDPC/HQ/GN/VOL.02/24) to firms in these sectors to clarify the categories of organisations that are required to register in line with the Nigeria Data Protection Act (NDPA) 2023.
It said, “Relying on sections 5(d), 44 and 65 of the NDPA, organizations that are of “particular value or significance to the economy, society or security of Nigeria” are designated by the commission as data controllers and processors of major importance.”
The guidance notice dated 14th of February and signed by Babatunde Bamigboye, the NDPC’s head of legal enforcement and regulations, noted that a data controller or data processor shall be deemed to have particular value or significance to the economy, society or security of the country and “hence designated to be of major importance if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data.”
It added that the commission has also identified specific data processing such as those involving sensitive personal data, cloud computing, transborder data transfers, processing the personal data of over 200 data subjects and access to data storage platforms of third parties in commercial transactions as necessary factors in considering organisations that are data controllers or processors of major importance.
Based on this, it categorised organisations in the Major Data Processing (MDP) into 3 levels, namely: Ultra High Level (UHL), Extra High Level (EHL) and Ordinary High Level (OHL).
The MDP-UHL categories include commercial banks, merchant banks, telecommunication companies, insurance companies, multinational companies, and payment gateway service providers.
Some of the organisations in the MDP-EHL category include Ministries, Departments and Agencies of government, microfinance Banks, higher institutions, hospitals providing tertiary or secondary medical services, and mortgage banks.
Organisations in the MDP-EHL category include Small and medium-scale enterprises, primary and secondary schools, primary health centres, agents, contractors, and vendors who engage with data subjects on behalf of other organisations.
Contextualising this new requirement, Dr Vincent Olatunji, the NDPC’s national commissioner, explained that the risk of processing data is higher today and extra vigilance is the major way to protect citizens from data leaks and more.
“It is therefore important to properly and functionally identify the persons and the data processing to which we must direct the torch of vigilance. Registration is one in a continuum of measures we are taking in this regard. It is, however, the entry point of accountability going forward,” he declared.
