Nigerian Data Protection Commission Issues Code of Conduct for Data Protection Compliance Organizations

The Nigerian Data Protection Commission (NDPC) recently issued a Code of Conduct for Data Protection Compliance Organizations (DPCOs) in Nigeria to boost professionalism among firms already licensed to carry out compliance as a service.

Dr. Vincent Olatunji, NDPC national commissioner, in a meeting while addressing the Commission with the DPCOs in Abuja, emphasized the members to see their role in the implementation of the Nigeria Data Protection Act (NDPA) 2023 as they are already licensed to carry out compliance as a service.

In the statement, Dr. Olatunji noted the opportunities presented by the Act, particularly the lawful use of data and job creation in the data processing value chain. 

“This is a unique Public Private Partnership model designed to promote trust and confidence in Nigeria’s digital economy, which – like other economies around the world – thrives on data processing,” the statement said.

In line with the Code of Conduct, the compliance services that may be offered by DPCOs include but are not limited to the following: Awareness and capacity building; Registration of the data controller or a data processor with the Commission; Development of compliance schedules; and Implementation of compliance schedules. Others are the NDPA Compliance Audit and filing Compliance Audit Returns with the Commission, Data Privacy Impact Assessment and Facilitating and Vetting Data Privacy Agreement, and the LEADERSHIP report. 

For any company to operate as a DPCO and carry out compliance services in Nigeria, the firm must be licensed by the Commission and possess a verifiable certified Data Protection Officer. In November 2023, a total of 163 DPCOs were approved by the Commission.

In the presentation of the Code of Conduct to the DPCOs, Babatunde Bamigboye, the Commission’s Head of Legal, Enforcement, and Regulations, we projected the target objectives and the principles, which were mainly on Capacity Building, Privacy Consciousness, Accountability, Corporate Social Responsibility, and Data Ethics.

The statement also clarified that all DPCOs will be held accountable in line with the provisions of the NDPA, the Code of Conduct, and other regulatory instruments issued by the Commission going forward.