Definition and Duties of DPCO

Article 1(3j) of the Nigerian Data Protection Regulation provides that a Data Protection Compliance Organisation (DPCO) is any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.

A DPCO may be one or more of the following:

  • Professional Service Consultancy firm
  • IT Service Provider
  • Audit firm
  • Law firm

With evidence of professional, academic certification or experience in one or more of the following areas:

  • Data Science
  • Data Protection and privacy
  • Information Privacy
  • Information Audit
  • Data Management
  • Information security
  • Data protection legal services
  • Information Technology Due Diligence
  • EU GDPR implementation and compliance
  • Cyber Security/Cyber Security law
  • Data Analytics
  • Data Governance

DPCOs are licensed to provide one or more of these services:

  • Data protection regulations compliance and breach services for Data Controllers and Data Administrators
  • Data protection and privacy advisory services
  • Data protection training and awareness services
  • Data Regulations Contracts drafting and advisory
  • Data protection and privacy breach remediation planning and support services
  • Information privacy audit
  • Data privacy breach impact assessment
  • Data Protection and Privacy Due Diligence Investigation
  • Outsourced Data Protection Officer etc.

Documents Required for Licensing

  • CAC Registration
  • Evidence of Tax Clearance
  • Relevant professional or academic qualification of at least 2 listed staff (these need not be Directors)
  • Valid means of identification of two Directors, i.e. International Passport, Driver's License, NIN Registration, etc.
  • Website registration on .ng domain
  • Evidence of payment of prescribed licensing fees by NITDA

Article 3.1.4 of the Regulation provides: The Agency shall by this Regulation register and license Data Protection Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor, audit, conduct training and provide data protection compliance consulting to all Data Controllers under this Regulation. The DPCOs shall be subject to Regulations and Directives of NITDA issued from time to time. Every filing by Data Controllers pursuant to this Regulation shall be accompanied by a DPCO Verification Statement. NITDA may appoint other DPCOs or by itself conduct investigation into a suspected breach of the Regulation.

A DPCO found to be guilty of concealing or abetting a data breach by a Data Controller or Processor shall immediately lose its license, and prior reports may be the subject of investigation. This is without prejudice to the right to legal redress by complainants, and to the statutory investigation and prosecutorial functions of other organs of government.