In this era of digitalization, data drives service delivery in the public and private sectors. Being aware that leaving the management of personal data of Nigerian citizens and residents (data subjects) unregulated would perpetrate the invasion of their privacy rights, consequently discourage the adoption of digital technologies and compromise digital inclusion in the country, the National Information and Technology Development Agency (NITDA) enacted the Nigeria Data Protection Regulation, 2019 (NDPR) to regulate the collation, processing, storage and international transfer of personal data.


To protect data subjects, the NDPR stipulated certain rights in the management of personal data and also places certain obligations on “all private and public organizations that collate, process, store and exchange personal data.” The scope of this phrase is so wide as to cover every government institution, non-governmental and commercial organization, that handles data subjects’ information, irrespective of size, structure and management.  In this context, these organizations (also described as Data Controllers) are required to:

  1. Comply with the provisions of the NDPR and other relevant laws and regulations on data protection.
  2. Develop and make available to the general public their respective Data Protection Policies.
  3. Designate a Data Protection Officer (DPO) or engage a NITDA-licenced Data Protection Compliance Organization (DPCO) for the purpose of ensuring adherence to the NDPR and relevant data privacy instruments and data protection directives of the organization.
  4. Ensure continuous capacity building for DPO and its personnel involved in any form of data processing.

These obligations which are further amplified below demand that these organizations have a structured approach to the introduction and sustenance of data protection practices in their operations which would require focused deployment of resources.  Organizations are urged to see these obligations as an integral part of their operations that supports productivity and not as a source of wastage.


As noted above organizations are expected to designate a Data Protection Officer (DPO) for the purpose of ensuring adherence to the NDPR, relevant data privacy instruments and data protection directives of the Data Controller. Alternatively, it can outsource data protection management to a licenced DPCO. The DPOs and DPCOs are agents of the organizations which functions primarily to develop and shape each organization’s data protection policies, practices and processes as well as:

  1. Ensure that all obligations on the organization as imposed by the NDPR and other relevant regulations are complied with.
  2. Draft and publish the organization’s Data Protection Policy.
  3. Carry out the development of a clear process to protect the rights of the Data Subject by ensuring that:
    • Data subjects are informed as to the purpose of collecting and processing their personal data.
    • Consent of data subjects is obtained before collection of data.
    • Collected personal data is processed in line with the disclosure and consent of the data subject.
    • Data subject can withdraw consent to collection and processing of personal data.
    • Data subject has access to their personal data.
    • Data subject can correct inaccurate or incomplete personal data.
    • Data subject’s demand for deletion or erasure of personal data is complied with.
    • Data subject is notified of a data breach.
  4. Conduct a detailed audit of its privacy and data protection practices at relevant intervals with each audit stating, amongst others,
    • personally identifiable information collected on employees of the organization and members of the public.
    • any purpose for which the information is collected. any notice given to individuals regarding the collection and use of personal information relating to that individual.
    • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual, et cetera.
    • The evaluation of the status of compliance of and the identification of current or potential non-compliance within the organization.
  5. The assessment of the level of awareness of, inform and advise the top management, members of staff, its contractors, vendors, partners and third-party data processors of their obligations under the NDPR.
  6. The drawing up a remedial plan to remediate identified instances of breach.

The DPOs and DPCOs are also expected to advise on data breach management procedures, data protection impact assessment and monitor their performance as well as serve as a point of contact to data subjects in case issues relating to personal data arises.


From the above, it can be seen that it is imperative for public and private organizations to engage DPOs and DPCOs as they are critical for the protection of data subjects’ interests and rights under the NDPR and equally as public demonstration of assurance in this regard for the sustenance and continued enhancement of digital inclusion in Nigeria.

Leave a reply