High-risk data controllers must register with the Information Commissioner

The Office of the Information Commissioner (OIC) will continue to register data controllers in different categories on a priority basis from 1 June 2024.

These include ministries, departments and government agencies; data controllers in high-risk sectors such as finance, healthcare, education, tourism and ICT services; data controllers who are required to appoint a data protection officer (DPO); and other controllers who process personal data for more than 10,000 data subjects.

They are required to register under the Personal Data Protection Act (DPA). The law is critical for protecting personal privacy, promoting economic growth, aligning with international standards and promoting innovation.

Minister without Portfolio in the Prime Minister’s Office with direct oversight of skills and digital transformation, Senator Dr Dana Morris Dixon recently provided an update during a ministerial statement in the Senate.

She said the data controllers identified for prioritization represent major stakeholder groups important to consumer protection, who transact locally, regionally and internationally.

“For these consumers, data protection and privacy practices are critical as they go about their daily business.

“Our small businesses will no longer need to register from June 1… unless you are a small business that handles a lot of data,” she said.

Dr. Morris Dixon said that since December 1, 2023, data controllers can start the registration process by creating their unique data controller accounts on the website

She said that as of May 8, 2024, a total of 760 data controllers have created their accounts with the OIC.

“The law applies to every company, no matter how small… and so the obligation of a large-scale data processor should never be the same responsibility as that of a smaller processor…. My cobbler should not be held to the same standards as a telecom provider and we are currently investigating that,” said Dr Morris Dixon.

“We have listened in particular to the MSME sector (medium, small and micro enterprises)… The MSME sector has said that these are difficult rules for us to follow, to have a data protection officer, and to having those systems in place and So by listening, the government has taken their recommendation in terms of a difference between a small-scale processor and a large-scale processor,” she added.

Senator Morris Dixon said the OIC will soon conduct a media campaign to further raise public awareness of the end of the grace period on June 1 and the groups’ priority for registration.

The Personal Data Protection Act, which was passed in 2020, provides guidance on how personal data in physical and electronic form should be handled. The law came into effect on December 1, 2023; however, companies were given a six-month grace period to comply with the law’s requirements.
For more information, individuals can contact [email protected] or 876-920-4390.