
Navigating Mandatory Registration Requirement for Data Controllers and Processors of Major Importance: Assessing What, Who, When and How

The What 

The mandatory registration requirement is a new addition to the data protection landscape in Nigeria. It did not exist under the Nigeria Data Protection Regulation (NDPR) and its Implementation Framework. Although registration of data controllers and processors is a novel concept in Nigeria, it is not novel under African data protection laws: the same requirement is found in ten other countries, namely Egypt, Ghana, Kenya, Mauritius, Rwanda, Sao Tome and Principe, the Seychelles, Tanzania, Uganda, and Zambia. 

The Who

The requirement is mandatory for data controllers and processors of major importance. While the classification and definition of "major importance" currently remain unclear, the Nigeria Data Protection Commission (NDPC), through its Commissioner, recently directed every organisation that processes personal data to register with the Commission before December 2023. According to the Commissioner, registration affects every organisation that collects and processes personal data. However, the Commission has yet to publish registration guidelines or launch an official registration portal, as other African countries such as Ghana, Kenya, Mauritius, and Uganda have done to make the process efficient. Nonetheless, at a recent event hosted by the Commission, it disclosed that it is working on the guidelines and on launching the registration portal. The proposed guidelines are expected to provide the needed clarity on how the threshold for data controllers and processors of major importance is defined, the requirements and steps for registration, and which organisations may be exempt from registration, among other criteria.

Based on the scope of the Act, the organisations affected by this requirement may include both those with an establishment in Nigeria and those without one that process the personal data of data subjects in Nigeria. As a result, it has become crucial for controllers and processors to prepare for the imminent registration process. 

The When

The Act requires data controllers and processors of major importance to register with the Commission within six months after the commencement of the Act or after becoming a data controller or processor of major importance. The Commissioner recently reiterated this provision when he said that all banks in Nigeria, telecommunication operators, and other organisations processing personal data must register with the Commission before December 2023. However, without a registration portal and clear guidelines, it is unclear when the Commission will begin the registration process. The practice in other African countries is to release registration guidelines ahead of the commencement of the registration exercise, giving organisations enough time to prepare. For example, Rwanda published the first version of its registration guide over a year ahead of the commencement of its law in October 2023. In the absence of such guidelines, organisations may be unable to prepare for the process and register in time.

Despite the uncertainty, it is preferable to plan ahead rather than risk the consequences of failing to register. 

The How

This is probably the most important part for organisations. To help you align your data protection programme with the new law, we have looked at the requirements under the Act and at the registration regimes in other African countries, which give some indication of what to expect. Below are some considerations for complying with the registration requirement.

Potential Registration Checklist

The first step is to map your processing activities in order to identify whether you are a controller or a processor and determine how to register. More often than not, an organisation is both and will need to register as both a controller and a processor. To prepare ahead of the registration process, controllers and processors of "major importance" should anticipate the following steps:

  • The name and address of the organisation: The application to the NDPC will contain the name and address of the organisation. This may also include the company registration number, as is required in Rwanda and Ghana. Organisations without a physical address will need to secure one ahead of time.
  • The name and address of the organisation's data protection officer: Under the Act, data controllers and processors of major importance are required to appoint a data protection officer (DPO), so the DPO's details will likely have to be submitted to the Commission. This matters because, besides ensuring compliance with the NDPA, the DPO acts as the contact point for the Commission on issues relating to data processing. 
  • Description of the personal data processed, the categories, the purpose of processing, international data transfers, the list of processors, and the number of data subjects: To meet this requirement, organisations are advised to maintain a record of processing activities (RoPA). The registration process requires a detailed description of processing activities, which may include the categories of data and of data subjects, the lawful bases for processing, the countries to which data is transferred, the number of data subjects, the purposes of processing, and the data recipients. It may also include information on whether a data processing agreement is in place with each processor engaged, together with a list of those processors.
  • Description of the security measures adopted to protect personal data: This covers the technical and organisational measures employed to safeguard personal data, such as pseudonymisation, encryption, periodic risk assessments, and regular review and updating of the measures, among others. These measures should already be documented internally, and the description given to the regulator during registration should reflect the controls actually in place rather than those merely planned. 
  • Submission of documents: The Commission may request copies of incorporation documents, licences and permits from sector regulators, policies and procedures, contracts with data processors or controllers, privacy notices, and a data retention schedule, among others.
  • Payment of a registration fee: The Act provides that the Commission may determine the fee to be charged, and data controllers and processors should expect to pay a fee to complete the registration process. The fee may be tiered by sector, number of data subjects, number of employees, or revenue threshold, among other criteria. It is advisable to allocate a budget for this expense.

We have registered, so what next?

Upon submission of the required documents, the Commission should respond within a reasonable time. It may accept or reject the application, or request further responses or documentation. The guidelines being developed are expected to set a precise timeline; in Kenya, it is fourteen days and in Rwanda, thirty days. After completing the registration process, the data controller or processor will be issued a certificate of registration by the Commission, valid for a defined period and renewable. The guidelines are expected to specify that period. For example, in Kenya the certificate is valid for two years, while in Mauritius it is valid for three years. Additionally, the Commission has the discretion to exempt some controllers and processors from registration. The Commission is also expected to maintain a register of all registered controllers and processors, which could be made publicly accessible through a portal, similar to the existing list of organisations that have filed their audit reports.

Furthermore, when there is a change in the status of a controller or processor, the Commission may need to be notified. Under the Act, the notification period is sixty days, while in Rwanda the Data Protection Office must be notified of the change within fifteen days. The Commission may also provide for the modification, renewal, and cancellation of registration. Finally, failure to register with the Commission will be considered a violation of the Act and will attract sanctions.

Conclusion

Registration is just one of many obligations under the Act, and while it demonstrates compliance with one requirement, it should not be mistaken for holistic compliance. Organisations must also fulfil the other requirements stipulated by the law. Furthermore, it may be prudent to postpone the December registration deadline, allowing a reasonable period after the guidelines are published and the portal is launched for awareness-raising and for organisations to complete the registration process.