Data privacy has become of utmost importance in this age and time. With the coming effect of the Nigeria Data Protection Regulation (NDPR), data privacy has been prioritized and has helped regulate how organizations collect, store, and use consumer information.
In a bid to ensure compliance with the regulation, the NDPR provides for the registration of qualified persons or organizations as Data Protection Compliance Organizations (DPCOs). In our previous article, we have exhaustively discussed on the roles of DPCOs.
It is important that every organization that is a data controller appoint a duly licensed DPCO to ensure compliance with data privacy regulations. Although the Regulation permits data controllers to appoint a Data Protection Officer within the organization, outsourcing the duties to a DPCO ensures professionalism in the execution of the compliance with the regulation[1]
RISKS OF NON-APPOINTMENT OF DPCOs
As stated earlier, DPCOs are essential in ensuring data privacy regulations compliance. It is, therefore, important that organizations that deal with data control appoint one. Failure to appoint a DPCO can lead to a number of problems for the organization.
DPCOs are licensed organizations with the needed professional capacity to ensure compliance. When their roles are assigned to non-professionals, it defeats the very essence of data privacy. Like in most business sectors, the good business practice requires that qualified and experienced professionals are employed to carry out specific professional functions. Organizations or companies that fail to appoint DPCOs to run the risk of having the duties of data privacy compliance performed by a non-professional, with the consequence that the role will not be played satisfactorily, thereby leading to a violation of the regulation and possible legal action.
Furthermore, an organization that fails to appoint a DPCO risks being in breach of data privacy rights, which can lead to being penalized by the NDPB. Article 2.10 of the regulation provides that any person who is found to be in breach of the data privacy rights shall be liable to a fine. A data controller which processes the data of more than 10,000 data subjects shall be liable to a fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater, while a Data Controller which processes the data of less than 10,000 data subjects, shall pay a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira whichever is greater for breach of data privacy rights of data subjects. The imposition of a fine for the breach of privacy rights is a financial loss for the organization that is in breach.[2]
Asides from being fined, such organizations may bear criminal liability. The non-appointment of a DPCO may lead to the exposure of data misuse by third parties for criminal or illegal activities, and where this occurs, the organization will share some culpability for the act even though they may not have intended for the data to be used for criminal activities. Where the breach of data privacy rights has given rise to criminal liability, such organizations must face legal consequences.[3]
Additionally, data privacy compliance is important for an organization to preserve its reputation. Mismanagement of people’s data can lead to damage to the reputation built over the years. Data Protection Compliance helps to maintain the public and other stakeholders’ trust. Organizations use data privacy to demonstrate to their customers that they can be trusted with their personal data. An organization that does not properly implement data and privacy protections by appointing DPCOs will eventually experience breaches and consequently lose trust, which may, in turn, result in a decline in sales.
CONCLUSION
Appointing a DPCO is essential to every organization that is a data controller. Compliance with the regulation requires the appointment of experts. An organization that intends to thrive in business and complies with the law should ensure the appointment of one.
[1] See Regulation 4 of the Nigeria Data Protection Regulation (NDPR) accessed on https://nitda.gov.ng/wp-content/uploads/2021/01/NDPR-Implementation-Framework.pdf
[2] Regulation 2.10 of the NDPR
[3] Ibid
Written by Ogbonnaya Daniella and Adejumo Pelumi for The Trusted Advisors
Email us: [email protected]