HOW TO APPOINT A DATA PROTECTION OFFICER IN NIGERIA

Every organisation that handles the personal data of Nigerian citizens and residents is required to appoint a Data Protection Officer (or "DPO").

5/11/2024

The National Information Technology Development Agency Regulation aims to protect the rights of natural persons to data privacy, promote the secure handling of transactions involving the exchange of personal data, prevent acts of data manipulation, and ensure that Nigerian businesses remain competitive in the global market by adopting legal and regulatory frameworks that protect personal data and adhere to standards of best practices around the world.

The Nigerian Data Protection Regulations 2019 ("NDPR"), Regulation 4.1(2), mandates that every organisation hire a Data Protection Officer, whose main duty is to make sure that your organisation complies with the NDPR and any applicable privacy or other policies of the organisation.

Where an organisation falls within the below conditions, appointment of a Data Protection Officer is required:

- if it is a government body, organ, ministry, department, institution or agency;
- if the core activities of the organisation involve processing the Personal Data of over 10,000 Data Subjects per annum;
- if the organisation processes Sensitive Personal Data in the regular course of its business; or
- if the organisation possesses critical national information infrastructure.

According to the Nigerian Data Protection Bureau's ("NDPB") Compliance Notice from 2022, if your organisation doesn't already have a DPO, it must designate at least one person as a Data Protection Contact ("DPC") who may later become a DPO after completing a free induction training made possible by the NDPB. The NDPB must be given the contact information for your organization's DPC or DPO, as appropriate.

The penalty imposed on Data Controllers for any breach of the provisions of the National Data Protection Regulation is the payment of a fine. For a Data Controller that processes the Personal Data of more than 10,000 Data Subjects, the fine is 2% of the Annual Gross Revenue of the preceding year or N10,000,000, whichever is greater. For a Data Controller that processes the Personal Data of fewer than 10,000 Data Subjects, the fine is 1% of the Annual Gross Revenue of the preceding year or N2,000,000, whichever is greater.

Additionally, a violation of the National Data Protection Regulation is also seen as a violation of the terms of the National Information Technology Development Agency Act, 2007 ("NITDA Act"). The penalties outlined under the NITDA Act may therefore also be applicable when the NDPR has been violated.

NB: This article is not legal advice, and under no circumstance should you take it as such. All information provided is for general purposes only. For information, please contact chamanlawfirm@gmail.com

WRITTEN BY CHAMAN LAW FIRM TEAM

EMAIL: chamanlawfirm@gmail.com

TEL: 08065553671, 08024230080