By Michael Irene, PhD
The Nigerian Data Protection Regulation states, under Implementation Mechanism, that every data controller shall:
• Designate a Data Protection Officer to ensure adherence to this [NDPR] Regulation, relevant data privacy instruments and data protection directives of the data controller;
• [and] may outsource data protection to a verifiably competent firm or person.
This is new. The role is made up of new requirements but the regulation does not go into lengthy details of what a DPO does or what companies should look out for when hiring one. Should a company get an in-house individual or should the role be outsourced?
The Data Protection Officer function oversees data protection compliance in an organisation. She maintains records of processing of personal data and takes the lead in developing data protection and related policies and procedures. The DPO becomes a bridge between related disciplines, such as data protection, IT, audit, compliance, legal and security, analysing how the results of data protection schemes may impact the organisation.
The role is made up of requirements that are not part of most Nigerian companies' current practice. Most Nigerian companies do not necessarily have individuals vested with the function of managing data protection mechanisms and frameworks. This synthesized function may require re-evaluating how the role is staffed and carried out, and it needs a fresh perspective on the duties involved and skills required.
It is noteworthy that the DPO role is not mandatory. The first step for any organisation is to analyse whether a DPO is required. A DPO can be engaged because they are required or can be brought on voluntarily, but, in either case, there is a series of tasks the DPO must perform.
Knowing those tasks, the next step is to determine the type of job skills that someone in the DPO role should have to be able to succeed in this position. A Data Protection Officer must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals and information security standards certification. There are wide-ranging experiences that a company’s DPO can have.
• Legal expertise: any person with expert knowledge of data protection and law practices is good, as it will assist the controller in meeting, from a strictly legal perspective, data protection requirements both locally and internationally. However, companies are made up of various technicalities and the legal expert may not have IT, business analysis, and managerial skills to complement the DPO function. That said, the expert must have these various skills in his/her repertoire. DPOs must know data protection law to a level of expertise based upon the type of processing carried out by the controller.
• Leadership/Broad exposure: the DPO will need to have leadership and project management experience, to be able to request, marshal, and lead the resources needed to carry out their role. They also must be able to critically assess themselves for knowledge gaps and request training in those areas. The DPO should have broad business experience to know the industries of the data controller well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.
• Self-Starter/Board-Level: DPOs should be self-starters, with the competence and skills to carry out the role without guidance and to know where to find necessary information. The DPO must also have board-level presence and be able to deal with experienced business people who will not know the intricacies of DPO functions.
• Teaching: DPOs must be able to speak in the language of the average Nigerian citizen, not in technical or legal jargon, to handle requests and complaints from data subjects.
• Credibility: it is best if DPOs are full time in their role, or the role is outsourced to an independent external DPO, to overcome the possibility of conflicts.
The required job skills for the data protection function include:
• Significant experience in global privacy laws, including drafting of privacy policies, technology provisions, and outsourcing agreements;
• Significant experience in IT operations and programming including attainment of information security standards certifications and privacy seal/marks;
• Demonstrated leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects;
• Excellent negotiation skills to interface with NDPR on behalf of the company represented;
• Demonstrated client relationship skills to continuously coordinate with controllers;
• Communication skills to speak with a wide-ranging audience, from the board of directors to data subjects, from managers to IT staff and lawyers;
• Experience in dealing successfully with different business cultures and industries.
The decision lies with each organisation to find these required DPO skills in either a single person or several people, to locate them internally or outsource the role, and to manage this function under the Chief Privacy Officer or let it operate independently. It would be optimal to have as many skills as possible in a single individual, for obvious reasons of cost, communication, productivity, and responsibility. While, of course, a DPO may rely upon the technical skills of others, they must be sufficiently capable in all these areas to provide an independent assessment. It is up to each organisation to implement its own DPO role, keeping in mind its obligation and how a DPO will facilitate the likelihood of full compliance with NDPR.