Under the Nigerian Data Protection Regulations 2019 (NDPR), a Data Protection Compliance Organisation (DPCO) is ‘any entity duly licensed by [the Nigerian Data Protection Bureau] for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection Law or Regulation having effect in Nigeria‘. The NDPR goes further in authorizing a DPCO to monitor, audit, conduct training and data protection compliance consulting to data controllers on behalf of National Information Technology Development Agency (NITDA) and/or the Nigerian Data Protection Bureau (NDPB).

As such DPCOs play a vital role in assisting organisations to comply with their obligations under the NDPR. One important role played by a DPCO is filing a data protection audit report with NDPB on behalf of data controllers and processors. The data protection audit report is a systematic investigation or examination of the records, processes and procedures of data controllers and processors to ensure that they are in compliance with the requirements of the NDPR and their data protection policies and is required to be filed annually no later than 15 March every year.

The Draft Code of Conduct
Until recently, there has been no regulatory standard to guide the services provided by DPCOs. To fill this lacuna, NDPB issued a Draft Code of Conduct for DPCOs (the Draft Code). The Draft Code seeks to promote professionalism, ensure uniformity and, encourage the adoption of data ethics as a guiding principle in compliance service delivery. The Draft Code also seeks to foster discipline and accountability amongst DPCOs, prescribe fundamental standards in continuous capacity building and awareness creation services that may be carried by DPCOs, encourage corporate social responsibility for data protection and privacy in Nigeria and foster trust in the data governance process in Nigeria.

Provisions of the Draft Code of Conduct
The Draft Code provides that at the point of registration and at all times, the NDPB may demand, a DPCO to provide accurate and honest information in respect of all questions and requirements pertaining to its registration. Further, an organisation that desires to be registered as a DPCO shall have at least one person who is verifiably competent in certain fields of data protection practice. Under the Draft Code, a DPCO owes a duty of care to data subjects to take appropriate technical and organisational measures to uphold the data subject rights and where such DPCO engages directly with data subjects for the purpose of providing expert advice or information on behalf of a data controller or processor to the data subjects. A tripartite relationship is formed here as a DPCO has the responsibility to notify a data controller or a data processor of any complaint or request it received from a data subject and shall notify a data subject of any relevant action taken in response to his complaint or request.

A DPCO also has responsibilities to the NDPB to conduct its transactions with the NDPB in a transparent and efficient manner informing the NDPB of any matter or development that in the opinion of the DPCO is beneficial to the work of the NDPB and notifying the NDPB of any corporate restructuring and major judicial proceedings that may lead to changes in the record of the DPCO which had been submitted to the NDPB.

Lastly a DPCO owes a duty of care to the data controller or processor that engages it to provide adequate information by notifying its client of any relevant regulatory notice or process, providing advice on data ethics and providing compliance services through verifiably competent personnel. In the event of negligence, failure or refusal on the part of a DPCO to comply with the provision of the Draft Code, the NDPB after investigation may revoke or suspend the license of the said DPCO.

The Draft Code is a welcome attempt by the NDPB to prescribe a standard of services for organisations that act as DPCOs. It is important that these organisations possess the ability and competence to carry out their work as DPCOs and adhere to the standards prescribed in the Draft Code to ensure the highest level of professionalism expected of such practice. This will ensure that the rights of data subjects are well protected and foster a trustworthy ecosystem for data protection and governance in Nigeria.

Interestingly, the DPCO model adopted in Nigeria is the first of its kind in any part of the world and is likely to be replicated in other jurisdictions to ease the compliance burdens of data controllers and processors and also to complement the work of a data protection officer. A stakeholder engagement on the Draft Code was organised by the NDPB on 20 January 2023 with quite a number of DPCOs attending thus indicating a positive response to the Draft Code. We expect that the Draft Code would come into force in the next couple of weeks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: mondaq