
Data has grown popular under its description as the "new oil", with particular efforts made to safeguard its use and protection in society. Nigeria is not behind in this trend: on January 25, 2019, the National Information Technology Development Agency (NITDA) released the Nigeria Data Protection Regulation (NDPR), pursuant to its powers under sections 6 (a) and (c) of its enabling Act, to safeguard, protect and guarantee the personal data rights of natural persons in Nigeria.
One of the commendable innovations of the NDPR is the power given to NITDA to license organizations known as Data Protection Compliance Organizations (DPCO) to monitor, audit, conduct training, and provide data protection compliance consulting to all Data Controllers in Nigeria.
This piece examines the roles of DPCOs in Nigeria, their creation, importance, and risks associated with the non-appointment of one by data controllers.
WHAT IS A DATA PROTECTION COMPLIANCE ORGANIZATION?
A Data Protection Compliance Organization (DPCO) is an entity duly licensed by the Nigeria Data Protection Bureau (NDPB)[i] for training, auditing, consulting, and rendering services and products for compliance with the NDPR or any foreign Data Protection Law or Regulation having an effect in Nigeria.[ii]
The NDPR provides thus:
“The Agency shall by this Regulation register and license Data Protection Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor, audit, conduct training and data protection compliance consulting to all Data Controllers under this Regulation. The DPCOs shall be subject to Regulations and Directives of NITDA issued from time to time”[iii]
WHO IS QUALIFIED TO BE LICENSED AS DPCOs?
To be qualified for registration as a Data Protection Compliance Organization (DPCO), only the following organizations are allowed:
ROLES OF A DATA PROTECTION COMPLIANCE ORGANIZATION
Upon being licensed as a DPCO, the organization is saddled with the provision of one or more of the following services:
In a step towards furthering the importance of compliance with the NDPR by organizations, the NDPB issued a compliance notice compelling data controllers to:
The above compliance metrics are expected to be met by data controllers on or before November 25, 2022. Otherwise, they may risk fines by the regulatory authorities in line with the provisions of the NDPR and non-inclusion in the National Data Protection Adequacy Programme (NaDPAP) Whitelist.
It is imperative to point out, however, that the compliance obligations spelled out above could be carried out by a DPCO on behalf of the data controller.
CONCLUSION
The importance of Data Protection Compliance Organizations in ensuring data compliance obligations cannot be over-emphasized. Therefore, it is humbly submitted that when organizations cannot appoint a Data Protection Officer (DPO) or comply with the NDPR provisions, engaging the services of a DPCO should be prioritized.
[i] The National Information Technology Development Agency (NITDA) used to be saddled with this responsibility. However, this duty is now being carried out by the NDPB following its establishment in February 2022.
[ii] See Regulation 1.3 (xii) of the NDPR
[iii] See Regulation 4.1 (4) of the NDPR
Written by Muhiz Babatunde Adisa for The Trusted Advisors