Data Protection – Did You Know You Need to Appoint a Data Protection Officer

Did you know that:

 

Every organisation is required to have a Data Protection Officer ("DPO”) if it processes the Personal Data of Nigerian citizens and residents.

 

Regulation 4.1(2) of the Nigeria Data Protection Regulations 2019 (“NDPR”) requires your organisation to appoint a DPO whose primary responsibility is to ensure that your organisation complies with the NDPR and applicable privacy or other policies of the organisation. The organisation may appoint a dedicated officer to be its DPO, or, where appropriate, it may have an existing employee, such as the head of Legal or Human Resources also act as its DPO where they have the required experience to act in such capacity, or it may choose to outsource the DPO function to a verifiably competent firm.

 

Your organisation is required to appoint a dedicated DPO where it falls within any of the below circumstances:

  • (i) if it is a government body, organ, ministry, department, institution or agency;
  • (ii) if the core activities of the organisation involve processing the Personal Data of over 10,000 Data Subjects per annum;
  • (iii) if the organisation processes Sensitive Personal Data in the regular course of its business; or
  • (iv) if the organisation possesses critical national information infrastructure.

 

The Nigerian Data Protection Bureau ("NDPB") Compliance Notice issued in 2022 requires that if your organisation does not already have DPO, it must appoint at least one person as a Data Protection Contact ("DPC") who may, after undergoing a free induction training facilitated by the NDPB, become a DPO. Your organisation is required to provide the contact details of its DPO or DPC, as applicable, to the NDPB.

 

The penalty imposed on Data Controllers for any breach of the provisions of the NDPR is the payment of a fine of a sum that represents 2% of the Annual Gross Revenue of the preceding year or N10,000,000, whichever is greater, with respect to a Data Controller that processes the Personal Data of more than 10,000 Data Subjects or the payment of the fine of 1% of the Annual Gross Revenue of the preceding year or the payment of the sum of N2,000,000, whichever is greater, for a Data Controller that processes the Personal Data of less than 10,000 Data Subjects.

 

In addition, a breach of the NDPR is also construed to be a breach of the provisions of the National Information Technology Development Agency Act, 2007, ("NITDA Act"), and consequently, the penalties stipulated under the NITDA Act could also be applicable where there has been a breach of any provision of the NDPR.

 

 

--

Read the original publication at Udo Udoma & Belo-Osagie.

 

 

Subscribe to our newsletter