In this post, we shall focus on two questions: who is required to employ the services of a data protection officer, and why?
The establishment of data protection frameworks in many countries and regions changed the landscape of data protection and brought with it many innovations, one of which is the introduction of the office of the Data Protection Officer (DPO).
A data protection officer (DPO) is a person knowledgeable enough to ensure that an organization complies with the laws protecting personal data. The DPO plays a quasi-regulatory role in the organisation, which places him above other employees. The General Data Protection Regulation (GDPR), in Article 37, stipulates the requirement for controllers and processors to designate a data protection officer. The Nigerian Data Protection Regulation (NDPR), in Article 4.1, provides that one of the data protection implementation mechanisms is the designation of a data protection officer by the controller.
A controller is a person or organization who, either alone or jointly with another, determines the means (how) and purpose (why) of processing personal data. A processor, on the other hand, is a person or organization who processes personal data on behalf of a controller. In other words, every person who processes personal data is required by law to appoint a data protection officer. However, the GDPR, in Article 37(1)(a)-(c), provides particular instances where the designation of a DPO will be required for an organization:
a) Where the controller is a public authority or body;
b) Where the core activities of the controller or the processor consist of processing operations which would require regular and systematic monitoring of data subjects on a large scale; or
c) Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
Under the Nigerian Data Protection Implementation Framework (DPIF), Article 3.4, an organization needs a DPO if one of the following is present:
a) the entity is a government organ, Ministry, Department, institution or Agency;
b) the core activities of the organisation involve the processing of the Personal Data of over 10,000 (ten thousand) Data Subjects per annum;
c) the organisation processes Sensitive Personal Data in the regular course of its business; or,
d) the organisation possesses critical national information infrastructure consisting of Personal Data.
The provisions of the NDPR and the DPIF seem to contradict each other: the former states that every controller shall designate a data protection officer, while the latter gives a list of instances in which an organization will need to appoint a DPO. In resolving this conflict, it has been argued that the DPIF was enacted only to clarify the provisions of the NDPR and not to supersede it. It follows that where there is any conflict between the two, the provision of the NDPR will prevail.
Why is the appointment of a DPO so important?
- It is a Legal Requirement. Once the law requires a controller to perform an act, in this case to appoint a DPO, and it does not, that failure becomes a violation. For instance, in 2020, data supervisory authorities in Spain and Belgium issued fines to companies for failing to appoint an independent Data Protection Officer (DPO).
- The DPO Ensures Compliance With Data Protection Requirements. Aside from the fact that appointing a DPO is in itself a compliance requirement, the DPO helps the controller comply with the other obligations it needs to fulfil.
- DPOs Help Organizations Respond to Data Breaches. Among the requirements that DPOs will help organisations comply with is data breach notification. Under the GDPR, any breach that results in a risk to the rights and freedoms of individuals needs to be reported within 72 hours of discovery.
In conclusion, the first way a controller keeps itself accountable and compliant is to designate a DPO; failure to do so may result in fines and loss of goodwill.