Data has grown popular under its description as the "new oil", and particular efforts have been made to safeguard its use and protection in society. Nigeria is not behind in this trend: on January 25, 2019, the National Information Technology Development Agency (NITDA) released the Nigeria Data Protection Regulation (NDPR), under its powers in sections 6 (a) and (c) of its enabling Act, to safeguard, protect and guarantee the personal data rights of natural persons in Nigeria.

One of the commendable innovations of the NDPR is the power given to NITDA to license organizations known as Data Protection Compliance Organizations (DPCO) to monitor, audit, conduct training, and provide data protection compliance consulting to all Data Controllers in Nigeria.

This piece examines the roles of DPCOs in Nigeria, their creation, their importance, and the risks data controllers face when they do not appoint one.

WHAT IS A DATA PROTECTION COMPLIANCE ORGANIZATION?

A Data Protection Compliance Organization (DPCO) is an entity duly licensed by the Nigeria Data Protection Bureau (NDPB) [1] for training, auditing, consulting, and rendering services and products for compliance with the NDPR or any foreign Data Protection Law or Regulation having an effect in Nigeria. [2]

The NDPR provides thus:

“The Agency shall by this Regulation register and license Data Protection Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor, audit, conduct training and data protection compliance consulting to all Data Controllers under this Regulation. The DPCOs shall be subject to Regulations and Directives of NITDA issued from time to time” [3]

WHO IS QUALIFIED TO BE LICENSED AS A DPCO?

Only the following types of organizations qualify for registration as a Data Protection Compliance Organization (DPCO):

  1. Law Firms
  2. Audit Firms
  3. IT Service Providers
  4. Professional Service Consultancy Firms

ROLES OF A DATA PROTECTION COMPLIANCE ORGANIZATION

Once licensed as a DPCO, the organization is responsible for providing one or more of the following services:

  1. Data protection compliance and breach services for data controllers and data administrators
  2. Data protection training and awareness
  3. Data regulation contract drafting and advisory
  4. Data privacy and protection advisory
  5. Data privacy and protection due diligence investigation
  6. Data privacy and protection breach remediation planning and support
  7. Data privacy breach impact assessment
  8. Outsourcing data protection officers
  9. Information privacy audit, etc.

To reinforce the importance of organizations complying with the NDPR, the NDPB issued a compliance notice compelling data controllers to:

  1. Read and understand the NDPR;
  2. Develop and implement a privacy policy that is consistent with the NDPR;
  3. Notify their employees, customers, and online visitors of their privacy policies; and
  4. Designate at least one or two members of staff as data protection contacts.

Data controllers are expected to meet the above compliance metrics on or before November 25, 2022. Otherwise, they risk fines by the regulatory authorities in line with the provisions of the NDPR, and non-inclusion in the National Data Protection Adequacy Programme (NaDPAP) Whitelist.

It is imperative to point out, however, that a DPCO could carry out the compliance obligations spelled out above on behalf of the data controller.

CONCLUSION

The importance of Data Protection Compliance Organizations in ensuring that data compliance obligations are met cannot be over-emphasized. Therefore, it is humbly submitted that when organizations cannot appoint a Data Protection Officer (DPO) or comply with the NDPR provisions, engaging the services of a DPCO should be prioritized.

Footnotes

1. The National Information Technology Development Agency (NITDA) used to have this responsibility. However, the duty is now carried out by the NDPB following its establishment in February 2022.

2. See Regulation 1.3 (xii) of the NDPR

3. See Regulation 4.1 (4) of the NDPR