The Nigeria Data Protection Commission has issued a Code of Conduct for its 163 licensed Data Protection Organisations (DPCOs) in Nigeria.
The release of the Code comes ahead of its data protection enforcement plans in 2024. The Commission said this is also to ensure professionalism among firms that are licensed to carry out compliance as a service.
While addressing the meeting of the Commission with the DPCOs, the National Commissioner, Dr Vincent Olatunji, urged DPCOs to see their role in the implementation of the Nigeria Data Protection Act (NDPA) 2023 as a public trust which must be guarded with the utmost sense of responsibility.
Olatunji noted the opportunities presented by the Act particularly the lawful use of data and job creation in the data processing value chain.
Section 33 of the NDPA 2023 vests the Commission with the power to license persons having a requisite level of expertise, about data protection and the Act, to monitor, audit, and report on compliance by data controllers and data processors.
This is a unique Public Private Partnership model which is designed to promote trust and confidence in Nigeria’s digital economy which – like other economies around the world – thrives on data processing.
The Code
Announcing the issuance of the Code via a statement released, NDPC noted that in line with the Code of Conduct, the compliance services that may be offered by DPCOs include but are not limited to:
- Awareness and capacity-building Registration of the data controller or a data processor with the Commission;
- Development of compliance schedules;
- Implementation of compliance schedules;
- NDPA Compliance Audit and filing of Compliance Audit Returns with the Commission;
- Data Privacy Impact Assessment; and
- Facilitating and Vetting Data Privacy Agreements
- “For a firm to operate as a DPCO and carry out compliance services, it must, among others, be duly licensed by the Commission and it must have a verifiably certified Data Protection Officer,” the NDPC stated.
While presenting the Code of Conduct to the DPCOs, the Commission’s Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, Esq X-rayed the target objectives and the principles, particularly: Privacy Consciousness, Capacity Building, Accountability, Data Ethics, and Corporate Social Responsibility.
All DPCOs will be held accountable in line with the provisions of the NDPA, the Code of Conduct, and other regulatory instruments that be issued by the Commission going forward.
Earlier, the NDPC had issued a guidance notice to all data controllers and processors in the country, urging them to file compliance audit returns or risk being excluded from the National Data Protection Adequacy Programme (NaDPAP) Whitelist.
The data controllers and processors comprise banks, telcos, hospitals, schools, ICT companies, and data centres among others.