Data Protection – Did You Know You Need to Appoint a Data Protection Officer

Nigeria Legislation ICT
1/12/2022

Did you know that:

 

Every organisation is required to have a Data Protection Officer ("DPO”) if it processes the Personal Data of Nigerian citizens and residents.

 

Regulation 4.1(2) of the Nigeria Data Protection Regulations 2019 (“NDPR”) requires your organisation to appoint a DPO whose primary responsibility is to ensure that your organisation complies with the NDPR and applicable privacy or other policies of the organisation. The organisation may appoint a dedicated officer to be its DPO, or, where appropriate, it may have an existing employee, such as the head of Legal or Human Resources also act as its DPO where they have the required experience to act in such capacity, or it may choose to outsource the DPO function to a verifiably competent firm.

 

Your organisation is required to appoint a dedicated DPO where it falls within any of the below circumstances:

  • (i) if it is a government body, organ, ministry, department, institution or agency;
  • (ii) if the core activities of the organisation involve processing the Personal Data of over 10,000 Data Subjects per annum;
  • (iii) if the organisation processes Sensitive Personal Data in the regular course of its business; or
  • (iv) if the organisation possesses critical national information infrastructure.

 

The Nigerian Data Protection Bureau ("NDPB") Compliance Notice issued in 2022 requires that if your organisation does not already have DPO, it must appoint at least one person as a Data Protection Contact ("DPC") who may, after undergoing a free induction training facilitated by the NDPB, become a DPO. Your organisation is required to provide the contact details of its DPO or DPC, as applicable, to the NDPB.

 

The penalty imposed on Data Controllers for any breach of the provisions of the NDPR is the payment of a fine of a sum that represents 2% of the Annual Gross Revenue of the preceding year or N10,000,000, whichever is greater, with respect to a Data Controller that processes the Personal Data of more than 10,000 Data Subjects or the payment of the fine of 1% of the Annual Gross Revenue of the preceding year or the payment of the sum of N2,000,000, whichever is greater, for a Data Controller that processes the Personal Data of less than 10,000 Data Subjects.

 

In addition, a breach of the NDPR is also construed to be a breach of the provisions of the National Information Technology Development Agency Act, 2007, ("NITDA Act"), and consequently, the penalties stipulated under the NITDA Act could also be applicable where there has been a breach of any provision of the NDPR.

 

 

--

Read the original publication at Udo Udoma & Belo-Osagie.

 

 

Related posts

Competition/Antitrust Legislation Lesotho

Lesotho's Competition Act, 2022: On the Verge of Implementation

The publication of the Competition Act, 2022 marked a significant milestone in Lesotho's economic landscape. Previously, the Kingdom of Lesotho relied on common law principles to address instances of unfair competition, resulting in inadequate enforcement against anti-com..

Read More
Mozambique Legislation Foreign investment and international trade

Unlocking opportunities: Mozambique’s new Investment Law and Regulations

As one of Africa's emerging economies, Mozambique offers abundant opportunities for domestic and foreign investors alike. In a bid to enhance a conducive environment for investment to continue fostering economic growth and development, Mozambique recently has updated its ..

Read More
South Africa Legislation Energy and natural resources Energy market

South Africa: A new era for electricity supply – a Hybrid Market

On Thursday, 14 March, the Electricity Regulation Amendment Bill was passed by the National Assembly and has been sent to the National Council of the Provinces for consideration. This is a significant step towards the Bill being passed into law and therefore amending the ..

Read More
Subscribe to our newsletter