As Nigeria keeps stepping up its data protection game, companies looking to do business there must stay on top of what’s required under the Nigeria Data Protection Act (NDPA) 2023. One key thing to know is that under the NDPA, controller and processor registration is important, and the NDPC has dropped guidance on that. So, let me break it down for you so your organisation can stay compliant and ready to operate in Nigeria without hiccups.
Getting to Know the NDPA
Let’s start with a bit of history. So, we all know that the NDPA has been signed and is currently the main data protection law in Nigeria. The NDPA sets up a solid framework for handling and protecting personal data in Nigeria. It takes over from the older Nigeria Data Protection Regulations (NDPR) 2019, bringing stronger rules to protect people’s privacy and keep data processing in check. A big change with the NDPA is the launching of the Nigeria Data Protection Commission (NDPC), which is now in charge of ensuring everyone plays by the rules, enforcing them, and spreading awareness nationwide. The NDPC recently released guidance on NDPA controller and processor registration. The guidance notice aims to regulate the registration process and set clear definitions and criteria to help organisations determine their obligations, aligning with international data protection standards and fostering trust in Nigeria’s digital economy.
Who must register and why?
The NDPC has issued guidance specifying that controllers and processors of major importance are required to register with the Commission. You fall into this category if you:
- process personal data of over 200 data subjects. So, organisations handling the personal data of more than 200 individuals within six months are deemed significant and must register accordingly;
- operate in designated sectors critical to Nigeria’s economy and security. This applies if you are providing commercial Information Communication Technology (ICT) services or processing personal data in key sectors such as aviation, communication, education, electric power, financial services, health, hospitality, insurance, oil and gas, tourism, e-commerce, export and import, and public service.
Registration is important because it ensures accountability and transparency in handling personal data. It demonstrates your commitment to protecting individual privacy and adhering to data security standards mandated by Nigerian law. It also builds trust with clients, customers, and the broader public.
NDPA controller and processor registration categories and fees
The NDPC classifies registrants into three tiers based on the volume of data processed and the organisation’s impact:
- Ultra-High Level (UHL): Entities processing personal data of over 5,000 data subjects within six months. Examples include commercial banks, telecommunication companies, insurance firms, multinational corporations, electricity distribution companies, oil and gas companies, fintech companies, and developers of public social media or email applications. Registration Fee: ₦250,000.
- Extra-High Level (EHL): Organisations processing personal data of over 1,000 but fewer than 5,000 data subjects within six months. Examples include Government Ministries, Departments, and Agencies (MDAs), microfinance banks, higher educational institutions, secondary and tertiary hospitals, and mortgage banks. Registration Fee: ₦100,000.
- Ordinary-High Level (OHL): Entities processing personal data of over 200 but fewer than 1,000 data subjects within six months. Examples include primary and secondary schools, corporate training service providers, primary health centres, independent medical laboratories, small hotels and guest houses (with fewer than 50 suites), and processors handling sensitive personal data for commercial purposes. Registration Fee: ₦10,000.
Additional fees for data processing activities
Beyond registration fees, organisations must account for additional costs:
- A data processing activity fee of ₦5,000 is payable by controllers for each processor engaged within a 12-month period.
- Controllers transferring activities between processors within the same 12-month period are exempt from additional fees.
- Controllers renewing processors categorised as OHL are exempt from paying the activity fee again for the same processor.
These provisions aim to balance cost efficiency with compliance, particularly for organisations with multiple processors. This is an important consideration if you are budgeting for operations in Nigeria.
Who is exempt from registration
The NDPC exempts specific organisations, including:
- Community-based associations
- Faith-based organisations
- Foreign embassies and high commissions
- Judicial bodies performing adjudicatory functions
- Multi-Governmental organisations
Effective date of the NDPA controller and processor registration
The guidance notice was issued and became effective on 19 December 2024, reflecting the NDPC’s commitment to enforcing data protection standards. Key takeaways include:
- Organisations processing personal data on a large scale or in sensitive sectors must register and comply with strict standards.
- Classification and fees depend on the sensitivity, volume, and nature of data processed, with clear definitions to guide compliance.
- Certain categories, such as community groups and foreign embassies, are explicitly exempt, reducing the regulatory burden on non-commercial entities.
What does this mean for you
If you are planning to operate in Nigeria, assessing your data processing activities is the first step. You should:
- Determine if you meet the criteria for major importance, considering the volume of data subjects, sector, and ICT services provided.
- Classify your organisation into UHL, EHL, or OHL based on the outlined criteria, ensuring alignment with fee structures.
- Review exemptions to confirm eligibility, particularly if operating as a community or faith-based entity.
- Ensure compliance by monitoring processors and adhering to data protection principles, leveraging resources from the NDPC website.
- Plan for additional fees, noting exemptions for transfers and renewals to optimise costs.
This approach can help you navigate Nigeria’s data protection landscape effectively, maintaining compliance while building trust with stakeholders.
How we can help
- Assess your obligations. We check if you process data for over 200 people, provide ICT services, or operate in key sectors like finance or health, ensuring you know if registration applies.
- Conduct a Record of Processing Activities (ROPA). We perform a detailed ROPA to map your data flows, identify risks, and ensure you meet NDPC standards.
- Classify your organisation. We can help you determine if you’re Ultra-High Level, Extra-High Level, or Ordinary-High Level based on your data processing activities.
- Secure exemptions. We can help you confirm if you’re exempt, like small traders, community groups, or embassies, so you avoid unnecessary costs.
- Handle registration. We can help you prepare and submit your registration via the NDPC portal.
- Ensure processor compliance. We audit your processors and set up monitoring to keep them aligned with the Act.
- Provide ongoing support. We offer training and updates to keep you compliant long-term.