The Nigeria Data Protection Commission (NDPC) has announced an extension of the registration deadline for organizations designated as data controllers and data processors of major importance. The new deadline for registration is now September 30, 2024. This extension, in line with Section 44 of the Nigeria Data Protection Act, 2023 (NDPA), offers eligible organizations additional time to comply with the registration requirements and ensure the proper implementation of data protection measures.

This update is significant for organizations within Nigeria as it provides them with an extended timeline to fulfil their obligations regarding data protection. It is essential for designated entities to take advantage of this opportunity to register with the NDPC and uphold the necessary data protection standards outlined in the NDPA.

According to Section 65 of the NDPA, a data controller and a data processor of major importance are described as entities that are based, residing in, or operating within Nigeria and handle or plan to handle personal data of a significant number of data subjects within Nigeria, as determined by the Commission. The notice is in line with the commission’s responsibility under the NDPA to designate DCPMIs for registration with the Commission.

Who is Considered a DCPMI in Nigeria?

In Nigeria, a data controller or data processor is classified as a Data Controller or Data Processor of Major Importance (DCPMI) if they manage or have access to a filing system (analogue or digital) for processing personal data. This includes entities that:

• Process the personal data of over 200 data subjects within 6 months
• Offer Commercial Information Communication Technology (ICT) services on digital devices with storage capacity belonging to others
• Handle personal data as an organization or service provider in sectors such as finance, communication, health, education, insurance, export and import, aviation, tourism, oil and gas, or electric power

Additionally, data controllers or processors in a fiduciary relationship with a data subject, where maintaining confidentiality is a duty owed to the data subject, also meet the criteria to qualify as DCPMIs.

For detailed information on the cost of non-compliance, click here to read our previous publication, “Deadline Looms: The Importance of Data Protection Audits and The Cost of Non-Compliance”.

It is mandatory for every Data Controller or Data Processor of Major Importance (DCPMI) to complete registration with the National Data Protection Commission (NDPC) between January 30, 2024, and September 30, 2024. Failure to register within this timeframe constitutes a violation of the National Data Protection Act (NDPA) and is subject to penalties as stipulated by the NDPA. The NDPC is authorized to impose penalties for breaches and non-compliance. These penalties may include a fine amounting to 1% of the annual gross revenue of the preceding year or #2,000,000 (Two Million Naira), or 2% of 10,000,000 (Ten Million Naira), whichever is higher, based on the number of data subjects involved. To ensure compliance and avoid penalties, all DPCMI entities must complete their registration within the specified period.

Olisa Agbakoba Legal is a licensed Data Protection Compliance firm, and we are available to assist your organisation with data protection compliance services.