On February 14, 2024, the Nigeria Data Protection Commission (NDPC) introduced clear rules on how organisations in Nigeria must register as Data Controllers or Data Processors of Major Importance.
These rules are outlined in the Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance, issued under the Nigeria Data Protection Act (NDPA) 2023.
This guide breaks down the process in simple terms, making it easy for anyone to understand.
Who Needs to Register?
A Data Controller or Data Processor of Major Importance is any individual or organisation that handles significant amounts of personal data. According to the NDPC, this includes:
- Organisations processing data from over 200 individuals in six months.
- Businesses offering digital services, like cloud storage or communication tools, using other people’s devices.
- Companies in critical sectors, such as finance, communication, health, education, insurance, tourism, oil and gas, and aviation.
- Entities with fiduciary relationships, such as guardianship over people’s private data.
- Organisations handling sensitive personal data that is important to Nigeria’s economy or security.
Categories of Data Controllers and Data Processors
The NDPC classifies organisations into three categories, based on their role and data handling capacity.
| Category | Who Fits Here? | Registration Fee |
|---|---|---|
| Major Data Processing – Ultra High Level (MDP-UHL) | Banks, telecoms, insurance companies, multinational corporations, social media developers, etc. | ₦250,000 |
| Major Data Processing – Extra High Level (MDP-EHL) | Government agencies, hospitals, universities, microfinance banks, and mortgage banks. | ₦100,000 |
| Major Data Processing – Ordinary High Level (MDP-OHL) | Small businesses, schools, clinics, and vendors working with bigger organisations. | ₦10,000 |
What Do These Categories Mean?
- MDP-UHL: Large organisations handling highly sensitive data from over 5,000 individuals. These businesses often deal with cross-border data, rely on cloud services, and have major economic importance.
- MDP-EHL: Medium-sized organisations processing over 1,000 individuals’ data, such as universities, hospitals, and government agencies.
- MDP-OHL: Smaller businesses processing data from at least 200 individuals. Examples include schools, clinics, and small vendors.
How to Register
Step 1: Confirm Your Category
Use the descriptions above to determine whether your organisation falls under MDP-UHL, MDP-EHL, or MDP-OHL.
Step 2: Gather Required Documents
The NDPC requires specific documents for registration:
- Proof of Business Registration (CAC certificate).
- Details of Data Processing Activities (like the type of data you handle and how it is stored).
- Contact Information for your data protection officer.
- Evidence of Payment of the registration fee.
Step 3: Register on the NDPC Portal
- Visit the NDPC’s official website.
- Fill out the online registration form.
- Upload all required documents.
- Pay the registration fee using the portal.
Step 4: Submit and Wait for Approval
After submitting your application, the NDPC will review it. If everything checks out, you will receive a registration certificate.
Penalties for Non-Compliance
Organisations that fail to register by June 30, 2024, will face penalties under the NDPA. These could include fines or restrictions on their operations.
Why Does This Matter?
The NDPC’s rules ensure that organisations handling personal data:
- Protect individuals’ privacy.
- Meet global data protection standards.
- Prevent data breaches that could harm people or the economy.
Frequently Asked Questions
1. What is personal data?
Personal data is any information that can identify someone, such as names, phone numbers, email addresses, or health records.
2. Do small businesses need to register?
Yes, if your business processes data from more than 200 individuals in six months, you must register.
3. What happens if I miss the registration deadline?
You may face fines or penalties for non-compliance under the NDPA 2023.
4. Is the registration fee a one-time payment?
Yes, the fee is a one-time payment for the registration process.
5. How can I confirm my category?
Check the criteria listed in this guide or contact the NDPC for clarification.
Common Misconceptions
Misconception 1: Only large companies need to register.
Truth: Even small businesses, like schools and clinics, need to register if they handle personal data.
Misconception 2: The registration process is complicated.
Truth: The process is straightforward, especially with the NDPC’s online portal.
Misconception 3: Registration is optional.
Truth: Registration is mandatory for organisations that meet the criteria.
Key Takeaways
- Registration is mandatory for data controllers and processors handling significant amounts of personal data.
- The registration deadline is June 30, 2024.
- Fees depend on your organisation’s category: ₦250,000, ₦100,000, or ₦10,000.
- Non-compliance will result in penalties.
By following these steps and guidelines, your organisation can stay compliant and protect the privacy of the data you handle.