The National Information Technology Development Agency (NITDA) has issued operational licences to a new list of Data protection Compliance Organizations (DPCOs) to deepen competition in Nigeria’s fast growing data industry.
NITDA to delist non-performing DPCOs
There are also indications the IT regulatory agency will delist non-performing DPCOs even as it increases its dragnet to sanction public and private entities in breach of the Nigeria Data Protection Regulation (NDPR).
Before now, 70 DCPOs were licensed under the NDPR, Nigeria’s principal data protection legislation.
A DPCO is defined by Section 1.3 of the NDPR to mean “any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.”
The regulation provides that a DPCO may be a professional services consultancy firm; IT services provider; audit firm, or a Law firm. All licensed DPCOs are expected to renew renew their licensing or registration fee annually in order to continue to practice.
Also, all DPCOs must have data protection certification or experience in fields that include Data Science; Data Protection and Privacy; Data Analytics; Data Governance; Information Privacy; Information Audit; Data Management; Cybersecurity/Cybersecurity Law; Information Security; Data Protection Legal Services; Information Technology Due Diligence; EU GDPR Implementation and Compliance; among other competencies.
The NDPR was first issued by the NITDA on 25 January 2019 pursuant to Section 32 of the NITDA Act 2007 as subsidiary legislation to the NITDA Act 2007.
Since it came into effect, it has become the legal with technical framework for practitioners in Nigeria’s nascent but steadily growing data protection industry expected to provide over 300,000 new jobs within the decade.
Private and public entities, MDAs must comply with NDPR
By law, private and public entities including government ministries, agencies and departments (MDAs) in Nigeria that control data of natural persons are expected to comply with the NDPR guidelines in respect of data protection and privacy of data subjects.
Because they are data controllers: private or public enterprises and government MDAs are expected to use the services of DCPOs to ensure compliance to the NDPR and also make their mandatory annual filing of data audit.
Part of the NDPR requires data controllers whether in the private or public sector to submit annual audit reports on collected data.