The Nigeria Data Protection Commission (NDPC) has issued a code of conduct for data protection compliance organisations (DPCOs) in Nigeria, to foster professionalism among firms licensed to provide compliance services.
During a meeting between the commission and DPCOs, the National Commissioner, Dr. Vincent Olatunji emphasised the significance of the DPCOs’ role in implementing the Nigeria Data Protection Act (NDPA) 2023. Olatunji urged DPCOs to consider their responsibilities as a public trust, requiring the highest level of responsibility. He highlighted the opportunities presented by the NDPA, such as the lawful use of data and job creation in the data processing value chain.
Under section 33 of the NDPA 2023, the commission has the authority to license individuals with the necessary expertise to monitor, audit and report on compliance by data controllers and data processors. This unique public-private-partnership model aims to enhance trust and confidence in Nigeria’s digital economy, which heavily relies on data processing.
The newly issued code of conduct outlines various compliance services that DPCOs may offer, including awareness and capacity building, registration of data controllers or processors with the Commission, development and implementation of compliance schedules, NDPA compliance audits, data privacy impact assessments and vetting data privacy agreements.
To operate as a DPCO and provide compliance services, firms must obtain a license from the commission and have a certified data protection officer. As of November 2023, the commission has licensed 163 DPCOs. Presenting the code of conduct to the DPCOs, the commission’s head of legal, enforcement and regulations, Babatunde Bamigboye, Esq highlighted the target objectives and principles, focusing on privacy consciousness, capacity-building, accountability, data ethics and corporate social responsibility. DPCOs are expected to adhere to the NDPA, the code of conduct and any future regulatory instruments issued by the commission. The move signals the commission’s commitment to promoting responsible data protection practices and ensuring compliance among organisations entrusted with handling sensitive data.