By 
By Olusegun Oruame
Nigeria’s nascent data protection compliance industry appears to be in top gear despite the relative unawareness of the Nigeria Data Protection Regulation (NDPR) 2019 and its implications across sectors – most importantly, its benefits and even the penalty to err against the NDPR as issued by the National Information Technology Development Agency (NITDA) last year.
By IT Edge News findings, most organisations that fall under the NDPR whether public or private are still uninformed of their obligations and the penalties they risk as defaulters.
A data controller (that is an organisation controlling data of citizens) dealing with more than 10,000 data subjects that breached the NDPR could be fined 2% of its Annual Gross Revenue of the preceding year or payment of the sum of N10 million.
DCPOs gaining grounds
However, some licensed Data Protection Compliance Organisations (DCPOs) have been making steady inroads in the provision of NDPR professional services to many organisations already aware of the statutory requirement for NDPR compliance.
For DCPOs mostly preoccupied all through the lockdown with servicing clients remotely, the data protection industry is the manifest picture of Nigeria’s steady transition into the digital economy.
“Article 1(3j) of the Nigerian Data Protection Regulation provides that a Data Protection Compliance Organisation (DPCO) is any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.”
The NDPR provides framework for data controllers and processors on the rights of data subjects, basis of processing personal data and transfer of data outside Nigeria among others. Part of the NDPR requires data controllers whether in the private or public sector to submit annual audit reports on collected data.
A data controller is one who determines the purpose and manner in which personal data is to be processed while a data administrator simply processes data.
By law, public and private organisations in Nigeria that control data of natural persons are expected to comply with the NDPR guidelines in respected of data protection and privacy of data subjects.
Also, to quote KPMG, they are expected to “publicise their respective Data Protection Policies. This means that irrespective of the quantity of data controlled by any organization, it is expected that each organization puts in place a Data Protection Policy where none exists.
“All Data Controllers and Processors must conduct an independent Data Protection Audit and file the Audit report with the Agency within a defined timeline. The initial timeline given by NITDA to conduct the Audit was 25 October 2019, and all 2019 reports were due to be filed with the Agency by 15 March 2020.” That has been further extended under request from DCPOs on behalf of data controllers.
According to the statute, “every filing by Data Controllers pursuant to this Regulation shall be accompanied by a DPCO Verification Statement.”
Data protection compliance strengthening digital economy
Despite the pangs of COVID-19 across all sectors, many DCPOs were working for their clients remotely to clearly demonstrate that the data protection industry is one of the definers of a digital economy, according to CEO of DSPL, Tunde Balogun.
“The data protection industry is built around the digital economy and for many of our clients, work continued intensely and remotely. You could use the happenings within this industry to gauge how the public sector is embracing the digital economy,” added Balogun whose DCPO has public and private sector clients outside of its Lagos headquarters.
There are about 70 licensed DPCOs all expected to provide data audit and compliance services in a way that will help drive Nigeria’s data privacy regulation in order to foster the required trust in the country’s evolving digital infrastructure.
President of the Association of Telecommunications Companies of Nigeria (ATCON), Mr. Olusola Teniola, describes trends in the data protection industry as progressive steps towards full digitization of the economy. While commending the NITDA for instituting the NDPR, he said the industry requires a multi-stakeholder approach for proper implementation of data protection. For him, the industry is cardinal in the push towards digital economy and a whole of willpower is required to ensure the budding industry blossom.
