THE ROLE OF DATA PROTECTION COMPLIANCE ORGANIZATIONS UNDER THE NIGERIAN DATA PROTECTION REGULATION

– Abraham Omoufoma Aigba

Introduction

With advancement in technology came a manual-to-digital shift in the collation and processing of personal data by data controllers. Whilst this may have eased the burden on data controllers, it has made data subjects more susceptible to abuse and breach of privacy by unauthorized persons. It therefore became necessary that appropriate mechanisms be put in place to regulate the handling of data subjects’ personal information.

Following the global trend, the National Information Technology Development Agency (the NITDA), pursuant to the powers conferred on it by the National Information Technology Development Agency Act (the NITDA Act), issued the Nigeria Data Protection Regulation, 2019 (the Regulation) to safeguard the rights of natural persons to data privacy, foster the safe conduct of transactions involving the exchange of personal data, prevent manipulation of personal data, and ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework.

Personal data means “any information relating to an identified or identifiable natural person… such as a name, an identification number, location data, an online identifier… address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as, but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identification Information (PII) and others”. See Section 1.3 of the Regulation.

The Regulation applies, in the main, to data subjects, data controllers and data administrators. It also applies to any transaction in which the personal data of natural persons residing in Nigeria, or residing outside Nigeria but of Nigerian descent is intended to be processed by whatever means.

Section 1.3 of the Regulation defines a “data subject” as “any person, who can be identified, directly, or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

“Data Controller” is defined as “a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”. See Section 1.3 of the Regulation.
“Data Administrator”, on the other hand, is defined as “a person or organization that processes data”. See Section 1.3 of the Regulation.

Data Protection Compliance Organizations

As one of the mechanisms for the implementation of the Regulation, provisions were made for the registration and licensing of Data Protection Compliance Organizations (DPCOs) by NITDA to perform certain duties.

Who is a DPCO?

A DPCO is defined by Section 1.3 of the Regulation to mean “any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria”.

Who needs a DPCO?

The Regulation requires Data Controllers to designate Data Protection Officers (DPOs) to ensure adherence to the Regulation. Under the Regulation and the Data Protection Implementation Framework (issued pursuant to the Regulation by the NITDA), Data Controllers may outsource the role of the DPO to a verifiably competent DPCO. Organizations that must designate a DPO are government organs, ministries, departments, institutions or agencies; organizations whose core activities involve the processing of large sets of personal and sensitive personal data; and organizations processing critical national databases consisting of personal data. Rather than appoint a DPO, these organizations may outsource data protection to a verifiably competent firm or person (a DPCO).

The list of organizations that must designate a DPCO is not exhaustive. Any organization that is required to comply with the provisions of the Regulation requires a DPCO. This can be deciphered from the provisions of Section 3(1)(5) of the Regulation, which requires an organization to conduct and submit to the NITDA a detailed audit of its privacy and data protection practices within 6 months of the issuance of the Regulation, and Section 3(1)(6)&(7), which require data controllers processing the personal data of more than 1000 and 2000 data subjects within a period of six months and twelve months respectively to audit themselves and submit to the NITDA a summary of their data protection audit.

There is no doubt that the expertise needed in data auditing, which most data controllers may not be familiar with or accustomed to, informed the inclusion of DPCOs under the Regulation. A DPCO may be any of the following: a professional service consultancy firm, an IT service provider, an audit firm or a law firm with the requisite data processing certification or experience in data protection services.

Given the broad definition of personal data and the requirement to audit the number of personal data records processed within a specific period, Data Controllers such as financial institutions, telecommunication companies, hospitals, airlines, airport authorities, transport companies, many private/public companies/firms, crowdfunding platforms, churches, schools, websites/blogs, etc. will most certainly require the services of DPCOs, depending on the amount of data processed within the specified period.

The Roles of DPCOs

By Section 3(1)&(4) of the Regulation, a DPCO shall, on behalf of the NITDA, monitor compliance with the Regulation by Data Controllers so as to ensure that Data Controllers do not breach the provisions of the Regulation.

The Data Protection Implementation Framework sets out clearly the role of a DPCO as follows:

a) Data protection regulations compliance and breach services for Data Controllers and Data Administrators;
b) Data protection and privacy advisory services;
c) Data protection training and awareness services;
d) Data Regulations Contracts drafting and advisory;
e) Data protection and privacy breach remediation planning and support services;
f) Information privacy audit;
g) Data privacy breach impact assessment;
h) Data Protection and Privacy Due Diligence Investigation;
i) Outsourced Data Protection Officer etc.

Risk Associated with Non-appointment of DPCOs

As with every system, international best practice dictates that qualified and experienced professionals (preferably independent of the engaging entity) are engaged to provide specific professional services, rather than looking in-house for such roles. This will save the organization needless financial loss and negative exposure in the long run.

Organizations that attempt to undertake the functions of DPCOs themselves run the risk of breaching the Regulation and, where this happens, such organizations stand the risk of being prosecuted.

Also, for breach of the data privacy rights of data subjects, a Data Controller which processes the data of more than 10,000 data subjects shall be liable to a fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira, whichever is greater, while a Data Controller which processes the data of less than 10,000 data subjects shall pay a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira, whichever is greater.

There have been instances where the NITDA threatened to issue non-compliance notices to organizations in breach of the Regulation. This not only puts such organizations in a bad light before the general public and investors (both local and foreign), but also makes them susceptible to enforcement actions by the NITDA.

Conclusion

The role of DPCOs cannot be overemphasized. From personal data auditing, to filing, to training of personnel, consultancy services, general compliance with applicable legislation and ultimately attracting investors, the DPCO is a necessary companion in the business of protecting personal information.
