OIC starts processing of applications for data controllers
Following the expiration of a six-month grace period put in place for companies to become registered under the Data Protection Act (DPA), the Office of the Information Commission (OIC) said it has started its processing of applications for data controllers.
The registration deadline was initially set to start on December 31, 2023 but was pushed back to June 1.
Data controllers include companies and individuals charged with the storage and processing of personal data for individuals and other data subjects. Under the DPA legislation approved by Parliament in 2020, they have the crucial role of safeguarding the privacy rights of all subjects while ensuring compliance with the legal requirements, as they also build a culture of trust and transparency in the local digital landscape.
In a recent notice, the OIC, which serves as the country’s chief regulator for data protection, said it will begin to process the registration applications for data controllers from certain categories based on an order of priority.
During a first phase, which is set to run from June 1 to August 31, the regulator said it will begin to process applications for data controllers from all public authorities, followed by all others processing personal data, inclusive of sensitive personal data or data related to criminal convictions. These data controllers usually have control over those high-risk entities that process 10,000 or more data subjects, including those largely operating in the education, finance, health, information and communications technology, tourism and hospitality sectors.
“Notwithstanding the above, any data controller, including sole proprietors/practitioners or operators of micro, small and medium-sized enterprises (MSMEs) across all sectors or industries can also submit their application for registration,” the OIC notice said.
The OIC, set up to monitor compliance and to safeguard the data privacy and security rights of all subjects, is also mandated to ensure that organisations and entities adhere to the provisions outlined in the DPA and its accompanying regulations. The office is now led by Information Commissioner Celia Barclay, an attorney.
After creating a valid account, data controllers can begin to access the registration form on the ‘My OIC Portal’ on the OIC’s website. Those who have not yet created an account are now urged to do so and to complete the registration process within a 30-day time frame.
After completing the registration form, data controllers are then expected to pay the prescribed fees. Information for those that have successfully registered, the OIC said, will also be published on the online Register of Data Controllers, pursuant to Section 17 of the Act, and they will retain their status for the remainder of the current registration year.
The OIC said no paper applications or in-office payments will be accepted by the commissioner.
“Data controllers are required to renew their registration and pay the prescribed fees on or before December 1 every year after the first registration,” the OIC notice further said.