The issuance of the Nigeria Data Protection Regulation (NDPR) 2019 changed the landscape of data protection in Nigeria with a lot of innovations, one of which is the introduction of the concept of the Data Protection Officer (DPO). Understandably, a lot of controversies trailed the issuance of the NDPR because of numerous gaps in the provisions of the Regulation. One of such controversies borders on the provision of the NDPR and the NDPR Implementation Framework (Framework) on the appointment of DPO by organisations. There seems to be a question of whether 'every' organisation in Nigeria is expected to appoint a DPO or there is a landscape. The issue particularly arose from the different wordings of the NDPR and the Framework1. This paper is aimed towards clarifying this controversy by looking at the various provisions of the NDPR and the Framework and coming up with a robust interpretation of the law.
1. Defining the concept of data protection officer
Neither the Regulation nor the Framework defined DPO. Notwithstanding, a DPO is a person or outsourced competent firm2 that works with an organisation internally to achieve compliance with data protection regulation. The DPO plays a quasi-regulatory role in the organisation thus elevating him above mere employee.3 Normally, a DPO is usually an independent and essential part of an organisation that ought to perform his/her role in an organisation without interference or conflict of interest. Belgian Data Protection Authority (DPA) fined a bank EUR75000 for appointing a DPO who also heads the operational risk management, information risk management and special investigation unit department. DPA held it a material conflict of interest because it placed the DPO in a position to determine the means and purpose of data processing4. Unfortunately, both NDPR and Framework did not provide for the independence of the DPO. It is important that DPO can participate in senior and middle management meetings of the organisation and should always be carried along in all issues relating to the processing of personal data at the earliest time.5
There is no special requirement for the appointment of a DPO under the NDPR however, Paragraph 3.7 of the Framework requires that a person to be appointed a DPO shall have professional expertise and in-depth understanding of the Nigeria data protection laws and practices, having due regard to the nature of the processing activities and data protection issues that arise within the organisation.
2. Role of data protection officer
According to Article 4.1(2) NDPR, a DPO in an organisation should ensure adherence to the NDPR, relevant data privacy instruments and data protection directives of the data controller. The Framework provides further that the DPO must possess the requisite knowledge to do the following6:
- Inform and advise the organisation, management, employees and third parties' processors of their obligations under the NDPR
- Monitor compliance with the NDPR and with the organisation's own data protection objectives
- Assign responsibilities, raise awareness, and train members of staff involved in processing operations
- Advice on data protection impact assessment and monitor its performance
- Liaise with the National Information Technology Development Agency (NITDA) and the Data Protection Compliance Organisation (DPCO) on data protection matters
3. Liability of a DPO
NDPR did not state anything on the liability of a DPO. However, Article 3.6 of the Framework provides that "notwithstanding any contractual, civil or criminal liability, a DPO shall not be personally liable for the organisation's non-compliance with applicable data protection laws". In other words, the DPO should not bear the punishment where an organisation fails to comply with data protection laws.
4. Clarifying the confusion
There is a conflict between the provision of the NDPR and the Framework on whether every company in Nigeria processing personal data must appoint a DPO. Precisely, Article 4.1(2) NDPR provides that "Every Data Controller shall designate a Data Protection Officer for ensuring adherence to this Regulation, relevant data privacy instruments and data protection directives of the Data Controller..." However, the Framework has a different and contradictory provision. Article 3.4 and 3.4.1(a-d) of the Framework provide that "A Data Controller is required to appoint a dedicated Data Protection Officer within 6 months of commencing business or within 6 months of the issuance of this Framework, where one or more of the following are present: (a) the entity is a government organ, Ministry, Department, institution or Agency; (b) the core activities of the organisation involve the processing of the Personal Data of over 10,000 (ten thousand) Data Subjects per annum; (c) the organisation processes Sensitive Personal Data in the regular course of its business; or (d) the organisation possesses critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of Personal Data".
The Framework introduced a sort of limitation, which I believe was not intended by the provision of Article 4.1(2) of the NDPR. The provision in the Framework may have been introduced to imitate a similar provision in the General Data Protection Regulation (GDPR) which limited the appointment of a DPO to organisations that meet certain criteria. Unfortunately, the provision of the Framework may not have a legal effect, interpreted side by side with Article 4.1(2) of the NDPR. For instance, the starting word of Article 4.1(2) of the NDPR is 'Every'. The word 'Every' according to Black's Law Dictionary 6th edition, means "Each one of all; all the separate individuals who constitute the whole, regarded one by one. The term is sometimes equivalent to "all" and sometimes to "each". In other words, it means all the individual members of a set without exception. The second word of the clause is 'Data Controller', which according to Article X of the NDPR "means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and how Personal Data is processed or is to be processed". This means that every organisation, who are controllers must appoint a DPO. The verb 'shall' used in Article 4.1(2) of the NDPR bears compulsion.
Furthermore, Article 3.1.7 (b) of the NDPR provides that "prior to collecting personal data from a data subject, the controller shall provide the data subject with...the contact details of the data protection officer. Assuming some organisations are intended to be exempted, how will it be possible for such organisations to compulsorily publish contact details of DPOs in their privacy notice since they are presumed exempted from having any. The GDPR, which has a similar provision, qualified it with "where necessary" to align with the exemption created in its provision. Also, Article 2 of the Framework states that the Framework only clarifies provisions of the NDPR and does not supersede it. In essence, where any conflict is occasioned by the provision of the Framework, the provision of the NDPR will prevail.
The NDPR is very clear in its wording that every data controller in Nigeria must appoint a DPO or outsource it to a competent firm and not otherwise. Even though this is not a good provision considering the financial implications of appointing a DPO especially to small companies and startups, it still does not remove the fact that is the law and an attempt to truncate it with a contrary provision in the Framework will amount to subverting the provision of the regulation.
1. Nigeria Data Protection Regulation Implementation Framework 2020
2. Article 4.1(2) Nigeria Data Protection Regulation 2019
3. IAPP, 'European Data Protection Law and Practice', IAPP Publication, 2019 2nd ed; chapter 13
5. Working Party 29, 'Guidelines on Data Protection Officers', Revised April 5th, 2017: https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100 (accessed 20.12.2021)
6.Articles 3.7 (c) (i-v) and 13.3 Implementation Framework 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.