WHEN AND WHY DOES A DATA CONTROLLER REQUIRE A DATA PROTECTION OFFICER?

Hey there!

Friday is here again, and we are back with another edition of Privacy Notes.

To ensure compliance, the NDPR provides for two classes of compliance professionals: the Data Protection Officer (DPO) and the Data Protection Compliance Organization (DPCO). The DPO is an in-house member of staff who assists the Data Controller in remaining compliant with the provisions of the NDPR, providing relevant data privacy instruments as well as protocols to ensure adherence to the data protection directives of the Data Controller. A DPO is typically required to be appointed within 6 months of the Data Controller’s commencement of business or within 6 months of the issuance of the NDPR Implementation Framework. Essentially, a DPO is responsible for overseeing the company’s compliance with relevant data protection laws as well as the company’s internal procedures and processes as they relate to the collection, processing and movement of Personal Data and information generally within the company.

The DPCO, on the other hand, is an organization licensed by NITDA to monitor on behalf of NITDA, audit, conduct training, assess and provide data protection compliance consulting to all Data Controllers under the NDPR, as well as under any foreign data protection law or regulation having effect in Nigeria. Please note that it is compulsory for all Data Controllers to appoint a DPCO, while it may not be mandatory for a DPO to be appointed.

In line with the above paragraph, the NDPR sets certain criteria; a Data Controller that meets any one of them is mandated to appoint a dedicated Data Protection Officer. The conditions for appointment of a dedicated DPO are set out as follows:

  1. Where such Data Controller is a government organ, Ministry, Department, Institution or Agency;
  2. Where the core activities of such Data Controller relate to the usual processing of large sets of Personal Data. Large sets in this instance refer to the Personal Data of over 10,000 (Ten Thousand) Data Subjects per annum;
  3. Where the Data Controller processes Sensitive Personal Data in the regular course of its business;
  4. Where the Data Controller possesses critical national databases consisting of Personal Data; in essence, systems and assets which are so vital to the country that the destruction of such systems and assets would have an impact on the security, national economic security, national public health and safety of the country.

Thus, if an organization satisfies any of the above conditions, it is expected, in compliance with the NDPR, to appoint a Data Protection Officer. I hope you learnt something new today. Until we see you
