Introduction

The appointment of a Data Protection Officer (DPO) symbolizes an organisation's positive approach towards data protection compliance. A DPO is the steward of data protection implementation and compliance within an organisation. Under the Nigerian Data Protection Regulation (NDPR),2 the primary responsibility of a DPO is to ensure an organization's compliance with the relevant data protection laws, regulations, directives, and guidelines in Nigeria.3 Upon the appointment of a DPO, he/she should be given sufficient access, support and budget to effectively perform the roles and responsibilities associated with the office.4 A DPO can be appointed from existing staff members within an organisation, recruited primarily for the performance of the role or outsourced to a Data Protection Compliance Organisation (DPCO).5 However, if a DPO also has other job functions within an organisation, an evaluation should be conducted to ensure that there is no conflict of interest.6

Furthermore, owing to the vital nature of the role of a DPO, every data controller is expected to ensure the continuous capacity building of its DPO and of other personnel involved in data processing within the organisation.7 The responsibilities of the DPO should be included in the job description of the appointed personnel for better clarity of the obligations and tasks associated with the office of the DPO. This article attempts to identify some vital responsibilities of a DPO in Nigeria, to assist organisations in understanding the necessity and rationale for appointing a DPO within their organisation.

Appointment of a Data Protection Officer

The NDPR requires every Data Controller to appoint a Data Protection Officer for the purpose of ensuring adherence to the NDPR, its Implementation Framework, relevant data privacy instruments and data protection directives of a Data Controller.8 Similarly, the Implementation Framework of the NDPR requires every data controller to appoint a dedicated DPO within 6 months of commencing business or within 6 months of the issuance of the NDPR Implementation Framework, where one or more of the following are present:9

  (a) the entity is a government organ, ministry, department, institution or agency;10
  (b) the core activities of the organisation involve the processing of the Personal Data of over 10,000 Data Subjects per annum;11
  (c) the organisation processes sensitive personal data12 in the regular course of its business;13 or
  (d) the organisation possesses critical national information infrastructure14 consisting of Personal Data.15

Further to item (a) above, the appointed DPO of every Ministry, Department and Government Agency (MDA) is required to possess proven knowledge of data protection to oversee the functions of the data protection unit within the MDA.16 In the same vein, the Nigerian subsidiary of a multinational company to which any of the above-stated criteria applies is required to appoint a DPO who will be based in Nigeria and given full access to the multinational's management in Nigeria.17 The DPO of the Nigerian subsidiary may report to the global or regional DPO where such exists.18

It should be noted that a DPO is required to be chosen with due regard to the nature of an organisation's data processing activities and the data protection issues that arise within the organisation.19 In this regard, a DPO is expected to possess the following:20

  1. Professional expertise in Nigerian data protection laws and practices;21
  2. An in-depth understanding of applicable data protection laws;22 and
  3. Requisite knowledge to undertake the responsibilities identified below.23

Obligations and responsibilities of a Data Protection Officer in Nigeria

In addition to any other responsibility of a DPO under the NDPR, its Implementation Framework and relevant instruments on data privacy and protection, DPOs are expected to undertake the following roles and responsibilities within an organisation:

  1. Ensuring an organisation's adherence to data protection compliance requirements

DPOs are responsible for ensuring that their organisation adheres to the data protection compliance requirements under the NDPR, relevant data privacy instruments and the data protection policy directives within the organisation.24 They are expected to assist the organisation in adopting relevant technical and organisational measures and practices to ensure effective compliance with the relevant data protection laws, regulations and instruments.25 DPOs are expected to have due regard for the risks associated with data processing operations within their organisation, considering the nature, scope, context and purposes of the organisation's personal data processing.26

  2. Conducting training on data protection compliance

DPOs are expected to assign responsibilities, raise awareness, and train members of staff, vendors, contractors, and partners involved in data processing operations on the compliance requirements under the relevant data protection law(s) and regulation.27 Similar training should also be conducted when new employees are recruited or when new vendors or third-party processors are contracted.

  3. Providing regular advisories to top management, members of staff and relevant third parties within an organisation

DPOs are expected to inform and advise an organisation, its employees, vendors, contractors, partners, and third-party data processors of their obligations under the NDPR and on all matters related to data protection.28 They are also expected to provide advisories on data breach management procedures and data protection impact assessments, and to monitor their performance.29

  4. Monitoring data protection compliance

DPOs are expected to monitor their organisation's compliance with the NDPR and other relevant instruments on data protection, including the organisation's own data protection objectives and policies.30 They are expected to update the relevant data protection policies of their organisation when new data protection laws or regulations are passed, developed, or amended.

  5. Serving as the contact person for data subjects and the regulatory body

DPOs are expected to serve as contact points for data subjects and the relevant regulatory or supervisory authority, such as the National Information Technology Development Agency (NITDA), on issues relating to data processing within the organisation.31 Prior to collecting personal data from a data subject, a Data Controller is expected to provide the data subject with the contact details of its DPO.32 In the same vein, the website of every data controller is expected to contain the contact details of its DPO, with details on how data subjects can contact the DPO to pursue issues relating to their personal data.33

Conclusion

The role of a DPO within an organisation is essential to the effectiveness of the data protection compliance measures adopted by the organisation. Therefore, adequate care and attention should be given to the kind of individual appointed as the DPO for an organisation. It is vital for the DPO to possess sufficient expertise and knowledge of the relevant data protection law(s) and regulation(s) to effectively carry out the roles and responsibilities associated with the office of a DPO. In the event of a data breach, a knowledgeable DPO, in collaboration with a DPCO, would be able to efficiently manage the situation and provide the affected organisation with effective remedial actions to prevent the future occurrence of such data breaches.34 In this regard, it is essential for an organisation to engage a DPCO or an individual with adequate knowledge and expertise in the data protection law(s) and regulation(s) in Nigeria to conduct continuous specialised training for its DPO and to carry out a comprehensive audit of the organisation's data protection practices, to help the organisation become compliant with the relevant data protection instruments.35

Footnotes

1. Sandra Eke, Associate, Intellectual Property & Technology Department, SPA Ajibade & Co., Lagos, Nigeria.

2. See Nigeria Data Protection Regulation (NDPR), 2019. Available at: https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf, accessed 17th December 2021.

3. See Reg. 4.1(2) NDPR. See also Francis Ololuo, "Understanding Nigerian Data Protection Compliance Requirements and Managing Breach" available at: http://www.spaajibade.com/resources/understanding-nigerian-data-protection-compliance-requirements-and-managing-breach-francis-ololuo/ accessed 20th December 2021.

4. Ibid.

5. Ibid.

6. For instance, a DPO should not be appointed as the DPCO for the same organisation.

7. See Art. 4.1(3) NDPR.

8. See Art. 4.1(2) NDPR.

9. See Art. 3.4.1 NDPR Implementation Framework.

10. Ibid.

11. Ibid.

12. "Sensitive Personal Data" means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information. See Reg. 1.3(xxv) NDPR.

13. Ibid.

14. As defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto.

15. Ibid.

16. See Art. 13.3 Implementation Framework.

17. See Art. 3.5 NDPR Implementation Framework.

18. Ibid.

19. See Art. 3.7 NDPR Implementation Framework.

20. Ibid.

21. Ibid.

22. Ibid.

23. Ibid.

24. See Art. 4.1(2) NDPR.

25. See Art. 4.1(5) NDPR.

26. See Para. 3.7 NDPR Implementation Framework.

27. Ibid.

28. Ibid.

29. See Para. 4.2 NDPR Implementation Framework.

30. See Para. 3.7 NDPR Implementation Framework.

31. Ibid.

32. See Art. 3.1(7)(b) NDPR.

33. Ibid.

34. See Para. 9.0 NDPR Implementation Framework.

35. See Para. 3.3.2 NDPR Implementation Framework.

Originally published 21 December, 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.