NDPC orders organisations to appoint data protection officer in six months

By Adeyemi Adepetun
28 June 2023   |   4:51 am
The Nigeria Data Protection Commission (NDPC) has called on organisations, both private and public in the country, to ensure they appoint in-house data protection officers within the next six months.

National Commissioner of NDPC, Dr. Vincent Olatunji

•To engage CBN on new social media handle directive

The National Commissioner and Chief Executive Officer, NDPC, Dr. Vincent Olatunji, stated this recently while featuring on Politics Today on Channels TV to discuss the new data protection law. Olatunji said this has become imperative due to the enormous volume of data generated in the country almost daily, and to ensure adequate compliance.

“Every organisation must have a data protection officer. Section 32 of the law establishing us said there should be a data controller of major importance in organisations. That is, you must have a Data Protection Officer. If that did not happen, it is against the law and a breach!

“The first thing is to give them six months to comply with this after the law has taken effect. They need to register with the NDPC. This affects every organisation in Nigeria as long as you collect and process data in the country, whether public or private institutions (telcos, insurance, hotels, hospitals, pharmaceuticals and manufacturing firms are not left out).”

Speaking on the possibility of the data protection law creating 500,000 jobs, Olatunji said part of the campaign promises of President Bola Tinubu was that he would create one million jobs from the digital economy sector.

He said there was a survey carried out, “where we discovered that we have over 500,000 Data Processors and Controllers in the country and the law says each must have a DPO. The question now is do you have qualified DPO? The answer is no. Those of us that are certified DPOs in Nigeria are not up to 10,000, whereas we have jobs of 500,000 people. How do you want to do that? That is why the number two agenda for us is capacity building to be able to service this market.”

According to him, the good thing about the sector is that one need not necessarily be a technology expert to be a data officer, “that is you can be a legal practitioner, a doctor or others to be a DPO.

“All you need to do is to attend your training, write your exams and then continue learning on the job, acquire the necessary skills to become a DPO. So, it is mandatory to have a DPO in organisations.

“The other part is that Data Protection Compliance Organisations (DPCOs) that we licensed to carry out compliance on our behalf, on average DPCOs will employ five people. As of today, we have licensed 160 and this can increase up to 1000. That is another means of creating jobs.”

He stressed that the compliance window for organisations to get a DPO is six months, after which the filing of all data activities by any organisation in the country should come in to the commission between January 1 and 31, 2024.

Speaking on the readiness of the digital economy, Olatunji said the data protection law is not about the sophistication of the country’s digital economy, but about the legal issues around the collection, storage, sharing and everything that has to do with data.

On the ability of NDPC to monitor for compliance, the CEO urged Nigerians to report through the commission's social media handles or visit its portal to lodge whatever complaints they have. He disclosed that even without a law (that is, before the data protection law) the commission investigated about seven banks, of which three have paid fines.

Speaking on the creation of the commission on the back of a dwindling economy, Olatunji explained that the global economy has gone digital and data protection is a major arm, towards which the world is tilting.

According to him, Nigeria is ready for a data revolution because of the global economy, stressing that it is a country of over 200 million people, where over 100 million go online daily to exchange data and do other things: “So, it is on us as a country to have a law on the ground to protect us in data dissemination. Data privacy is now a human right across the globe. For us to implement these laws, there must be a supervising agency.”

He revealed that because of the model that Nigeria adopted, running the commission would be at no cost to the government, stressing that it is a self-funding organisation.

“We have adopted a PPP model because of the level of technology development and our population. For our size as a country, it may even be difficult for a small government agency to effectively implement the regulation that we started with. That was why we started with a PPP model, where we licensed DPCOs. They go from organisations to offer compliance as a service for them to comply with the provisions of the law. Through this, organisations engaged would file their yearly report, which is not free. They have to pay their licensing fees. We equally get grants and fines.

“Between when we started and now, without a law, which is less than one year, we were able to bring in over N200 million. Now, consider when we now have a law, an instrument to operate with. Issues around data privacy and protection are very huge that any breach can lead to a huge fine.”

On a new Central Bank of Nigeria (CBN) directive mandating customers to submit their social media handles to their respective banks, Olatunji said: “There are provisions of the law to move against any data controller, government office, private sector, NGOs, hotels, among others.”

According to him, the commission is pro-citizens, stressing that the whole idea of the law is to protect the citizens and the interest of Nigerians.

He said the Commission has already sent a letter to the CBN on the need to follow some basic points in information collection, “we shall be engaging them adequately and ensure what the law says because you don’t collect data more than what is needed.”
