BY ADERONKE ALEX-ADEDIPE AND OLAWALE ATANDA
Introduction
In an era where data breaches and privacy concerns are on the rise, organizations processing Personal Data must prioritize compliance. In Nigeria, data protection laws have evolved to ensure businesses and public institutions uphold data privacy standards.
The Nigeria Data Protection Act, 2023 (NDPA) and the Nigeria Data Protection Regulation, 2019 (NDPR) set out the legal obligations for entities that collect, process, and store personal data. To assist organizations in meeting these obligations, the Nigeria Data Protection Commission (NDPC) issues licenses to qualified Data Protection Compliance Organisations (DPCOs). These specialized firms provide guidance, conduct statutory data audits, and help businesses implement robust compliance frameworks.
This newsletter addresses the key responsibilities of DPCOs vis-à-vis the regulatory framework governing data protection in Nigeria.
Regulatory Framework for Data Protection Compliance Organizations
Section 33 of the NDPA empowers the NDPC to license DPCOs to monitor, audit, and report on data protection compliance. According to the NDPC, DPCOs may be Law Firms, Professional Service Consultants, IT Service Providers, or Audit Firms.
Only licensed DPCOs are authorized to conduct data protection audits. Furthermore, Part 4.1(4) of the NDPR mandates DPCOs to provide training and compliance consulting to Data Controllers (and Processors).*
The NDPR mandates all organizations that process Personal Data to conduct audits of their privacy and data protection practices. These audits must detail the nature of Personal Data collected, purpose of collection, notice provided to Data Subjects*, policies and procedures for data protection, security measures, and other key compliance factors.
In addition, organizations that process the Personal Data of more than 2,000 Data Subjects within a 12-month period, or more than 1,000 Data Subjects within a 6-month period, must submit a Compliance Audit Report (CAR) to the NDPC by March 15 each year. Failure to meet this deadline attracts a penalty of 50% of the filing fee.
Core Functions of DPCOs
DPCOs provide a wide range of services relating to data privacy and protection. For the purpose of this newsletter, we group these services into three main buckets: Data Audit Services, Data Compliance Implementation Services, and Data Protection Officer (DPO) Services.
1. Data Audit Services
A core function of a DPCO is conducting data audits to assess an organization’s compliance with the NDPA and NDPR. This process involves reviewing an organization’s data protection policies, assessing how personal data is collected, processed, stored, and shared, and identifying potential risks. The audit typically begins with an evaluation of the organization’s data protection framework, including privacy policies, data retention practices, security measures, and contracts with third-party processors. A DPCO will also interview key personnel who process data as part of their functions—such as compliance officers, IT teams, and HR representatives—to gauge awareness and ascertain if policies are effectively implemented in daily operations.
Beyond policy review, a data mapping exercise is done to trace the flow of personal data within the organization. Security measures, including encryption, access controls, and breach response plans, are also examined to identify vulnerabilities.
At the end of the audit, the DPCO issues a detailed report, highlighting compliance gaps, risks, and recommended corrective actions.
2. Data Compliance Implementation Services
Beyond audits, DPCOs also support organizations in implementing corrective actions to address compliance gaps. These include:
- Developing internal policies that align with data protection laws, including privacy policies, terms of use, cookie policies, data protection policies, subject access request procedures, amongst others.
- Providing data protection and privacy advisory services to help organizations understand and comply with their legal obligations to Data Subjects* and other third parties.
- Conducting training and awareness programs to ensure employees are aware of data privacy risks and best practices.
- Drafting and reviewing data protection contracts, including Data Processing Agreements (DPAs), Data Sharing Agreements (DSAs), and Binding Corporate Rules (BCRs) to establish legally compliant relationships with related and third parties.
- Assisting in breach remediation by helping organizations develop response strategies for handling data breaches effectively.
- Conducting due diligence investigations in cases of mergers, acquisitions, or partnerships to assess the data privacy risks associated with third-party engagements.
- Representing organisations as a liaison with the NDPC for regulatory filings and compliance matters.
3. Outsourced Data Protection Officer Services
Part 4.1(3) of the NDPR requires every Data Controller and Processor to have a Data Protection Officer (DPO). However, some organizations lack the resources to appoint an internal DPO. DPCOs fill this gap by offering outsourced DPO services, enabling organizations to meet the requirement without hiring a full-time in-house expert.
An outsourced DPO performs various functions, including:
- Overseeing data protection impact assessments (DPIAs) for high-risk processing activities.
- Ensuring that the organization maintains records of data processing activities as required by law.
- Providing ongoing advisory support to senior management on data protection risks and obligations.
- Conducting data protection awareness training to equip staff with the necessary knowledge to handle personal data responsibly.
- Acting as the primary liaison between the organization and the DPCO as it delivers data protection services to the organization.
Outsourced DPO services are especially valuable to startups, SMEs, and multinational companies operating in Nigeria, as they provide expert compliance oversight without the burden of a full-time hire.
Conclusion
DPCOs play a vital role in helping businesses navigate regulatory requirements through data audits, compliance implementation, and outsourced DPO services. Engaging a DPCO strengthens data governance, mitigates risks, and fosters trust. This ensures organizations stay compliant while maintaining a secure posture in an evolving data landscape.
Endnotes
Data Controller – An organization that decides why and how personal data is collected and used. For example: A bank collecting customer details for account creation.
Data Processor – A third party that processes personal data on behalf of the Data Controller based on their instructions. For example: A cloud storage provider storing customer data for a bank.
Data Subject – The individual whose personal data is being collected or processed. For example: A customer whose name, email, and phone number are stored by the bank.