DPO Placement & Consultancy Limited

One Group, Many Entities: How to Manage Data Privacy as a DPO Across a Multi-Subsidiary African Organisation

By admin-DPO in Blog, News

Introduction

You have been appointed Data Protection Officer. Your organisation operates in six countries across the continent. It has subsidiaries in financial services, logistics, and retail. Each entity has its own management structure, its own workforce, its own customer base, and, as you will quickly discover, its own interpretation of what data protection compliance looks like.

Welcome to one of the most structurally complex roles in modern organisational governance.

The DPO of a group of companies does not simply multiply a single-entity compliance programme by the number of subsidiaries and call it a day. The challenge is qualitatively different. It involves navigating legal fragmentation, jurisdictional conflict, competing corporate interests, and the ever-present tension between group-level standardisation and local-level autonomy. It requires diplomatic skill as much as technical expertise.

This article is written for the DPO or aspiring DPO of a multi-subsidiary organisation operating across Africa. It sets out a practical framework for managing data privacy obligations at scale, without losing sight of what data protection is ultimately about: the rights and dignity of the individuals whose data the group holds.

First, Understand the Legal Landscape

Africa’s data protection legal environment is maturing rapidly, but it is not uniform. As a group DPO, your first obligation is to map the regulatory terrain across every jurisdiction in which the group operates.

Several African countries now have comprehensive data protection legislation in force. Nigeria has the Nigeria Data Protection Act 2023 and its predecessor framework, administered by the Nigeria Data Protection Commission (NDPC). Kenya has the Data Protection Act 2019, overseen by the Office of the Data Protection Commissioner (ODPC). South Africa has the Protection of Personal Information Act (POPIA), enforced by the Information Regulator. Ghana has the Data Protection Act 2012 and its Data Protection Commission. Rwanda, Uganda, Tanzania, Senegal, Côte d’Ivoire, and a growing number of others have enacted or are in the process of enacting their own frameworks.

These laws share common DNA. Many draw from the GDPR’s architecture, but they differ in important ways: the definition of personal data, the lawful bases for processing, the rights afforded to data subjects, the rules on cross-border transfers, breach notification timelines, and the penalties for non-compliance. Some jurisdictions require mandatory DPO appointments; others do not. Some require local data processing registrations; others operate on a notification model.

The group DPO must maintain a living, up-to-date matrix of the applicable law in each jurisdiction, not as an academic exercise, but as the operational foundation of the compliance programme. This matrix should be reviewed at least annually and whenever a new jurisdiction comes into scope.

Do not assume that compliance with the strictest framework, often POPIA or the NDPA, automatically satisfies obligations in all other jurisdictions. It may reduce the gap, but it does not close it.

Resolve the Structural Question: One DPO or Many?

Before you can manage anything, you must be clear about what you are responsible for and to whom you report. In a multi-subsidiary group, this question has both legal and practical dimensions.

Some data protection laws require each legal entity to appoint its own DPO. Where this is the case, the group cannot simply designate one person and consider the matter settled. The legally appointed DPO for each subsidiary must be identifiable, accessible to data subjects and regulators in that jurisdiction, and genuinely empowered to carry out the role.

In practice, many groups operate a group DPO model supported by a network of local data protection coordinators or privacy champions embedded within each subsidiary. The group DPO provides strategic direction, sets policy, and ensures consistency across the enterprise. The local coordinators handle day-to-day compliance, serve as the first point of contact for data subjects and local regulators, and escalate issues to the group level.

This model works, but only if the roles and responsibilities at each level are clearly defined, documented, and understood by all parties. Ambiguity about who is responsible for a particular obligation is, in practice, a guarantee that no one takes responsibility for it.

Where the group DPO also serves as the formally designated DPO for individual subsidiaries, they must be capable of discharging that role independently for each entity. A regulator in Nairobi is not interested in the group DPO’s competing obligations in Lagos or Johannesburg when investigating a complaint in Kenya.

Build a Group Privacy Governance Framework

The foundation of multi-subsidiary privacy management is a coherent governance framework that applies across the group while accommodating local variation. This framework should comprise several interlocking components.

Group-Level Privacy Policy

The group should have a master data privacy policy that articulates its overarching commitment to data protection, the principles that govern all processing activities across the enterprise, and the accountability structures in place. This policy sits at the top of the hierarchy. It does not need to contain every jurisdictional detail; that is the function of local policies. But it must be consistent with them and must take precedence where there is no local requirement to deviate.

Subsidiary-Level Privacy Policies

Each subsidiary should have its own privacy policy, localised to the applicable legal framework. This is not merely a translation exercise. A subsidiary operating in South Africa must comply with POPIA’s specific requirements; one in Nigeria must align with the NDPA and any sector-specific regulations. Local policies must be reviewed by someone with genuine competence in the applicable local law, ideally local legal counsel working in collaboration with the group DPO function.

Group Privacy Standards

Between the high-level policy and the operational procedures, the group should develop a suite of privacy standards that set minimum requirements for specific processing activities across all subsidiaries. These might cover, for example, data retention, subject access requests, data breach management, privacy impact assessments, and vendor due diligence. Standards of this kind create consistency without requiring every subsidiary to reinvent the wheel.

Records of Processing Activities

Each subsidiary must maintain its own Record of Processing Activities (ROPA), tailored to its actual processing operations. The group DPO should establish a common template and methodology to ensure that records are complete, consistent, and maintained in a form that can be consolidated at the group level if required. A group-level consolidated ROPA is an invaluable tool for identifying data flows, managing cross-border transfer risks, and responding to regulatory enquiries.

Navigate Cross-Border Data Transfers

In a multi-subsidiary group, personal data moves. Customer records flow between entities for shared service delivery. Employee data is processed centrally by an HR function. Financial data is consolidated at the parent company level. Every one of these flows is a cross-border data transfer, and in most African jurisdictions, such transfers are regulated.

The majority of African data protection laws restrict the transfer of personal data to countries that do not provide an adequate level of protection, subject to specified exceptions. Common exceptions include the consent of the data subject, the performance of a contract, and the use of approved transfer mechanisms such as standard contractual clauses or binding corporate rules.

The group DPO must map all intra-group data flows and assess their legality under each applicable law. Where transfers occur without an adequate legal basis, they must be regularised, and this cannot wait until a regulator comes asking.

Binding Corporate Rules (BCRs) represent the most comprehensive solution for intra-group transfers. BCRs are a set of binding data protection rules adopted by the group and approved by the relevant regulatory authority, which allow personal data to flow freely between group entities. They require significant upfront investment to develop and obtain approval for, but they provide a durable, defensible basis for intra-group transfers that is far more robust than relying on consent or contractual clauses for every flow.

For organisations that do not yet have BCRs in place, intra-group data transfer agreements based on standard contractual clauses are the next best option. These agreements must reflect the specific transfer in question and must comply with the requirements of the applicable law in the sending jurisdiction.

Manage Third-Party Vendors Across the Group

A multi-subsidiary group typically maintains a large and diverse vendor ecosystem: cloud providers, payment processors, HR systems, marketing platforms, and logistics partners. Many of these vendors process personal data on behalf of one or more group entities. Managing this ecosystem from a data protection perspective is one of the most operationally demanding aspects of the group DPO role.

The group DPO should establish a vendor due diligence and onboarding process that applies consistently across all subsidiaries. This process should include privacy risk assessment, review of the vendor’s security practices and certifications, and execution of a data processing agreement before any personal data is shared.

Where a vendor is engaged by multiple subsidiaries, the group DPO has an opportunity to negotiate group-level data processing agreements that cover all relevant entities under a single framework. This reduces duplication, ensures consistency, and strengthens the group’s negotiating position. It also simplifies the audit and oversight process; a single review of the vendor’s practices covers the group rather than requiring each subsidiary to conduct its own independent assessment.

The vendor management process must also address sub-processor chains. A cloud service provider engaged by the group may itself rely on sub-processors in multiple jurisdictions. The group DPO must ensure that the data processing agreement (DPA) with the primary vendor imposes appropriate obligations on sub-processors and that the group retains visibility of and control over the full processing chain.

Harmonise Data Breach Response

A data breach in a multi-subsidiary group can rapidly become a multi-jurisdictional crisis. A security incident affecting shared infrastructure may simultaneously trigger breach notification obligations in four or five countries, each with different timelines, different notification thresholds, and different regulatory recipients.

The group DPO must have a group-wide incident response plan that is capable of being activated quickly and scaled to the scope of the incident. The plan should:

  • Define what constitutes a reportable breach in each jurisdiction where the group operates, including the applicable notification timelines (which range from 24 hours under some frameworks to 72 hours under others, to “without undue delay” under others still)
  • Identify the data protection authority with jurisdiction in each country and the applicable notification procedure
  • Assign clear roles for incident detection, escalation, investigation, notification, and remediation
  • Require each subsidiary to report potential breaches to the group DPO function immediately upon detection, without waiting to assess severity
  • Provide for parallel notification to multiple regulators where required

Time is always the enemy in breach response. The group DPO should conduct tabletop exercises with subsidiary data protection coordinators at least annually to test the plan and identify gaps before a real incident exposes them.

Conduct Privacy Impact Assessments at Scale

Data Protection Impact Assessments (DPIAs), or their equivalents under the various African frameworks, are required where processing is likely to result in a high risk to data subjects. In a multi-subsidiary group, the challenge is ensuring that DPIAs are conducted consistently, at the right time, and with appropriate group-level oversight.

The group DPO should develop a DPIA methodology and threshold criteria that apply across all subsidiaries. Local teams should be trained to identify processing activities that trigger the DPIA requirement and to escalate accordingly. The group DPO should review DPIAs conducted by subsidiaries for quality and consistency, and should be directly involved in any DPIA that has implications for the group as a whole, for example the deployment of a new group-wide technology platform or a shared customer data analytics programme.

DPIAs conducted in one subsidiary can serve as a template and starting point for assessments of similar processing in other subsidiaries, provided they are properly localised. The group DPO should build a library of completed DPIAs that can be reused and adapted, rather than allowing each subsidiary to start from scratch.

Invest in Training and Culture

No governance framework, however well designed, will deliver compliance without people who understand it and are committed to implementing it. In a multi-subsidiary group, building a culture of data protection awareness is a sustained and deliberate undertaking.

The group DPO should develop a tiered training programme that provides baseline awareness training for all staff across the group, supplemented by role-specific training for those who handle personal data in significant volumes or in sensitive contexts. Training must be available in the relevant local languages and must be refreshed regularly to reflect changes in the law and in the group’s processing activities.

Beyond training, the group DPO should cultivate a network of engaged, empowered local privacy champions within each subsidiary who understand the importance of data protection, can identify risks in their day-to-day work, and know how to escalate concerns. These individuals are the group DPO’s eyes and ears on the ground. Invest in them.

Report to the Board and Senior Management

The group DPO must have a direct line to the board or the most senior decision-making body of the group. This is not merely good practice; it is, under most data protection frameworks, a structural requirement of the DPO role, which must be performed with independence and without instruction as to the conclusions to be reached.

The group DPO should report to the board at regular intervals: at least annually, and more frequently where significant risks or incidents warrant it. Reports should be clear, concise, and focused on matters of strategic significance: the group’s overall compliance posture, material risks identified, incidents and their outcomes, regulatory developments, and the resources required to maintain and improve the compliance programme.

The group DPO should resist the temptation to measure success primarily by the volume of policies drafted or training sessions delivered. What matters is the quality of data protection in practice: whether personal data is being processed lawfully, fairly, and securely, and whether the organisation is capable of responding effectively when things go wrong.

Stay Ahead of Regulatory Change

The African data protection regulatory environment is not static. New laws are being enacted. Existing laws are being amended. Regulatory authorities are becoming more assertive. Regional frameworks, including instruments under the African Union and ECOWAS, are evolving.

The group DPO must maintain an active regulatory monitoring function, tracking legislative and enforcement developments across all relevant jurisdictions and assessing their implications for the group. This requires building relationships with local legal counsel in each country, engaging with data protection authorities where possible, and participating in industry and professional bodies that provide early visibility of regulatory change.

Regulatory change should be factored into the group’s compliance planning cycle. A new data protection law does not become the group’s problem on the day it enters into force; by that point, the group should already have completed its gap analysis and be well advanced in implementing any necessary changes.

Conclusion

Managing data privacy as a group DPO across a multi-subsidiary African organisation is a role of genuine complexity and genuine consequence. It demands legal literacy across multiple jurisdictions, the ability to build and sustain governance structures that work in practice rather than merely on paper, and the interpersonal skills to operate effectively across different corporate cultures and management hierarchies.

But it is also a role of genuine importance. The organisations that get this right, that build privacy into the fabric of how they operate, that treat data protection not as a compliance burden but as an expression of their values, are the organisations that will earn and retain the trust of their customers, their employees, and the regulators who oversee them.

The DPO who navigates this landscape well does not do so by working harder than everyone else. They do so by building systems that make compliance the path of least resistance, by developing people who understand and own their privacy responsibilities, and by maintaining the independence and the courage to say the difficult thing when the organisation needs to hear it.

That is, ultimately, what the role demands. And what good data protection requires.
