The mandatory registration requirement is a new addition to the data protection landscape in Nigeria. The requirement did not exist under the Nigeria Data Protection Regulation (NDPR) and its Implementation Framework. Although registration of data controllers and processors is a novel concept in Nigeria, it is not novel under African data protection laws, as this trend is found in ten other countries, which include, Egypt, Ghana, Kenya, Mauritius, Rwanda, Sao Tome and Principe, the Seychelles, Tanzania, Uganda, and Zambia.
The requirement is mandatory for data controllers and processors of major importance. While the classification and definition currently remain unclear, the Nigeria Data Protection Commission (NDPC), through its Commissioner, recently directed every organisation that processes personal data to register with the Commission before December 2023. According to the Commissioner, registration affects every organisation that collects and processes personal data. However, the Commission has yet to publish guidelines or launch an official portal for registration to make the process efficient, as seen in other African countries like Ghana, Kenya, Mauritius, and Uganda. Nonetheless, in a recent event hosted by the Commission, it disclosed that it is working on the guidelines and launching the registration portal. The proposed guideline is expected to provide the needed clarity on how to define the threshold of data controllers and processors of major importance, the requirements and steps for registration, and those that may be subject to registration exemptions, among other criteria.
Based on the scope of the Act, organisations that may be affected by this requirement may include those with establishments in Nigeria and those without but processing the personal data of data subjects in Nigeria. As a result, it has become crucial for controllers and processors to brace up for the imminent registration process.
The Act requires data controllers and processors of major importance to register with the Commission within six months after the commencement of the Act or upon becoming a data controller or processor of major importance. The Commissioner has recently re-echoed this provision when he said that all banks in Nigeria, telecommunication operators, and other organisations processing personal data must register with the Commission before December 2023. However, without a registration portal and clear guidelines, it is unclear when the Commission will begin the registration process. Also, the practice in other African countries is that the registration guidelines are released ahead of the commencement of the registration exercise to give organisations enough time to prepare for the process. For example, Rwanda published the first version of its registration guide over a year ahead of the commencement of its law in October 2023. In the absence of such a guideline, organisations may not be able to prepare for the process and register in time.
Despite the uncertainty, it is preferable to plan ahead rather than risk the potential consequences of not doing so.
This is probably the most important part for organisations. As you prepare to align your data protection program with the new data protection law, we have looked at the requirements under the Act and in other African countries that may provide some guidance on what to expect. Below are some of the considerations for complying with the registration requirement.
Potential Registration Checklist
The first step is to know your processing activities to identify whether you are a controller or processor and determine how to register. Often than not, many may be both and will need to be registered as a controller and processor. To prepare ahead of the registration process, controllers and processors of “major importance” processing personal data should anticipate the following steps:
We have registered, so what next?
Upon submission of the required document, the Commission should provide a response within a reasonable time. It may accept, reject, or request further responses or documentation. It is expected that the guidelines being developed will provide precision on this timeline. In Kenya, it is fourteen days and in Rwanda, thirty days. After completing the registration process, the data controller or processor will be issued a certificate of registration by the Commission that will be valid for a certain period of time and renewable. The guideline is expected to provide details of the time frame. For example, in Kenya, the certificate is valid for two years, while in Mauritius, it is valid for three years. Additionally, the Commission reserves the discretion to exempt some controllers and processors from the registration process. The Commission is also expected to maintain a register of all registered controllers and processors, which could be through a portal accessible by the public and similar to the existing list of organisations that filed their audit report.
Furthermore, when there is a change in the status of a controller or processor, the Commission may be required to be notified. In Nigeria, it is sixty days, while in Rwanda, the Data Protection Office is expected to be notified of the change within fifteen days. The Commission may also allow for the modification, renewal, and cancellation of registration. Finally, failure to register with the Commission will be considered a violation of the Act and attract sanctions.
Registration is just one of the many obligations under the Act, and while it indicates compliance with a particular requirement, it should not be seen as a holistic compliance mechanism. Organisations must also fulfil other requirements stipulated by the law. Furthermore, considering a postponement of the December deadline for registration could be prudent, allowing a reasonable timeframe after the guidelines are published, and the portal is launched, ensuring ample awareness and time for the registration process.