How to Obtain NDPC License as a Data Protection Compliance Organisation (DPCO), Data Controller, or Data Processor of Major Importance

In Nigeria, as businesses increasingly handle vast amounts of personal data, ensuring compliance with data protection laws has never been more critical. With over 200 companies now registered as Data Protection Compliance Organisations (DPCOs), the Nigeria Data Protection Bureau (NDPB) is cracking down on non-compliance, offering licenses to those who meet strict guidelines. Whether you are a small business or a major corporation, understanding how to obtain the NDPC license for Data Controllers or Processors is essential to avoid hefty fines and protect your clients’ privacy. Keep reading to learn the step-by-step process, associated costs, and the key requirements for becoming a licensed DPCO or Data Processor in Nigeria.
How to Obtain NDPC License as a Data Protection Compliance Organisation (DPCO), Data Controller, or Data Processor of Major Importance

In the digital age, the importance of data protection cannot be overstated. In Nigeria, obtaining a license as a Data Protection Compliance Organisation (DPCO) or registering as a Data Controller or Data Processor of Major Importance is a critical step for organisations to ensure compliance with data protection laws, specifically the Nigeria Data Protection Act (NDPA) 2023. This guide provides a comprehensive, step-by-step breakdown of the process, requirements, and associated costs.


Table of Contents

  1. Understanding DPCOs, Data Controllers, and Data Processors
  2. Categories and Registration Requirements
  3. Step-by-Step Registration Process
    • For DPCOs
    • For Data Controllers and Data Processors
  4. Costs Involved
  5. Common Misconceptions
  6. Frequently Asked Questions

Understanding DPCOs, Data Controllers, and Data Processors

What is a Data Protection Compliance Organisation (DPCO)?

A DPCO is an entity accredited by the Nigeria Data Protection Bureau (NDPB) to offer services like:

  • Data protection audits
  • Compliance training
  • Policy drafting
  • Data impact assessments
  • Consultancy services

These organisations ensure that data controllers and processors adhere to the Nigeria Data Protection Regulation (NDPR).

Who are Data Controllers and Data Processors of Major Importance?

Under the NDPA 2023, a Data Controller or Data Processor of Major Importance includes entities that:

  • Process data from over 200 individuals in six months.
  • Operate in critical sectors such as finance, communication, health, education, or aviation.
  • Handle sensitive data crucial to Nigeria’s economy or security.

Categories and Registration Requirements

The NDPC classifies entities into three categories based on their data handling capacity and sector of operation.

Category Examples Registration Fee
Major Data Processing – Ultra High Level (MDP-UHL) Banks, telecoms, insurance companies, social media platforms ₦250,000
Major Data Processing – Extra High Level (MDP-EHL) Universities, hospitals, government agencies, microfinance banks ₦100,000
Major Data Processing – Ordinary High Level (MDP-OHL) Schools, clinics, small vendors ₦10,000

Step-by-Step Registration Process

For Data Protection Compliance Organisations (DPCOs)

  1. Corporate Registration
    • Incorporate your business with the Corporate Affairs Commission (CAC).
    • Cost: Starts at ₦100,000 for share capital of ₦1 million.
  2. Obtain Professional Certifications
    • Employ at least two professionals certified in data protection.
    • Recognised certifications include:
      • Certified Information Systems Auditor (CISA)
      • Certified Information Privacy Professional (CIPP)
      • Data Protection Officer (DPO) certifications
    • Estimated Cost: ₦500,000+ for certifications.
  3. Prepare Required Documentation
    • Evidence of CAC registration.
    • Tax Clearance Certificate (cost varies based on financial records).
    • Professional certifications of staff.
    • Valid IDs of two directors.
    • Proof of website registration under a .ng domain (₦50,000–₦150,000).
    • Licensing fee payment of ₦2,000,000.
  4. Submit Application to NDPB
    • Complete the application online or at the NDPB office.
    • Attach all required documents and proof of payment.
  5. Receive Approval
    • The NDPB reviews your application. Upon approval, a license is issued.

For Data Controllers and Data Processors of Major Importance

  1. Determine Your Category
    • Refer to the table above to confirm if your organisation is MDP-UHL, MDP-EHL, or MDP-OHL.
  2. Prepare Documentation
    • Proof of CAC registration.
    • A detailed description of your data processing activities.
    • Contact details of your Data Protection Officer.
    • Evidence of registration fee payment.
  3. Register on NDPC Portal
    • Visit the official NDPC website.
    • Fill out the registration form and upload required documents.
    • Pay the applicable registration fee.
  4. Submit and Await Approval
    • Applications are reviewed, and successful applicants receive a registration certificate.

Costs Involved

For DPCO Registration

Requirement Details Estimated Cost (₦)
CAC Registration Based on share capital ₦100,000+
Professional Certifications Minimum of two staff certifications ₦500,000+
Tax Clearance Certificate Depends on financial records Varies
Valid IDs of Two Directors Passport, Driver’s License, National ID Free
Website Registration (.ng Domain) Local domain registration ₦50,000 – ₦150,000
Licensing Fee to NDPB Required fee for licensing ₦2,000,000

Data Protection Registration Fees:

Category Registration Fee (₦)
MDP-UHL (Ultra High Level) ₦250,000
MDP-EHL (Extra High Level) ₦100,000
MDP-OHL (Ordinary High Level) ₦10,000

Common Misconceptions

  1. “Only large companies need to register.”
    • Fact: Small businesses handling data from more than 200 individuals must register.
  2. “Registration is optional.”
    • Fact: Registration is mandatory under the NDPA 2023 for qualifying entities.
  3. “The process is too complex.”
    • Fact: The process is straightforward with proper guidance and documentation.

Frequently Asked Questions

What is the difference between a Data Controller and a Data Processor?

A Data Controller determines how and why data is processed, while a Data Processor handles data on behalf of the controller.

Is the DPCO licensing fee a one-time payment?

Yes, the ₦2,000,000 licensing fee is a one-time payment for the initial registration.

Can a foreign company register as a DPCO in Nigeria?

Yes, provided the company meets all requirements, including CAC registration and a .ng domain for their website.

What happens if I fail to register by the deadline?

Non-compliance may lead to penalties, fines, or restrictions on operations as stipulated under the NDPA 2023.

How often is the DPCO license renewed?

Renewal timelines depend on the NDPB’s policies, but continuous compliance is mandatory.


Conclusion

Registering as a DPCO or a Data Controller/Data Processor of Major Importance is essential for organisations handling personal data in Nigeria.

By following the steps outlined above, you can ensure compliance with the NDPA 2023 and avoid penalties.

The process may seem complex, but with the right guidance and documentation, it is achievable. Take the necessary steps today to align your organisation with global data protection standards.

Want to Speak with a Consultant?

Start a One-on-One Conversation With One of Our Senior Corporate/Litigation Law Experts.
Share this article

Related Posts

How to Change Your Data on Your Nigerian International Passport

How to Become a Member of a Company in Nigeria: A Comprehensive Guide

Importance of Feasibility Studies for Foreign Companies Entering the Nigerian Market

Before you Leave!

Do You Want to Speak with a Senior Corporate Law or Litigation Expert?

OR