23rd August, 2019
DATA PROTECTION COMPLIANCE ORGANISATIONS (DPCO) LICENSING CRITERIA
Definition and Duties of DPCO
Article 1(3j) of the Nigerian Data Protection Regulation provides that a Data Protection Compliance Organisation (DPCO) is any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.
A DPCO may be one or more of the following:
- Professional Service Consultancy firm
- IT Service Provider
- Audit firm
- Law firm
with evidence of professional or academic certification or experience in one or more of the following areas:
- Data Science
- Data Protection and privacy
- Information Privacy
- Information Audit
- Data Management
- Information security
- Data protection legal services
- Information Technology Due Diligence
- EU GDPR implementation and compliance
- Cyber Security/Cyber Security law
- Data Analytics
- Data Governance
DPCOs are licensed to provide one or more of these services:
- Data protection regulations compliance and breach services for Data Controllers and Data Administrators
- Data protection and privacy advisory services
- Data protection training and awareness services
- Data Regulations Contracts drafting and advisory
- Data protection and privacy breach remediation planning and support services
- Information privacy audit
- Data privacy breach impact assessment
- Data Protection and Privacy Due Diligence Investigation
- Outsourced Data Protection Officer etc.
Documents Required for Licensing
- CAC Registration
- Evidence of Tax Clearance
- Relevant professional or academic qualification of at least 2 listed staff (these need not be Directors)
- Valid means of identification of two Directors, i.e. International Passport, Driver's License, NIN Registration etc.
- Website registration on .ng domain
- Evidence of payment of prescribed licensing fees by NITDA
The License obtainable shall be DATA PROTECTION COMPLIANCE LICENSE
DPCO Relationship with NITDA
Article 3.1.4 of the Regulation provides: The Agency shall by this Regulation register and license Data Protection Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor, audit, conduct training and provide data protection compliance consulting to all Data Controllers under this Regulation. The DPCOs shall be subject to Regulations and Directives of NITDA issued from time to time.
Every filing by Data Controllers pursuant to this Regulation shall be accompanied by a DPCO Verification Statement. NITDA may appoint other DPCOs or by itself conduct investigation into a suspected breach of the Regulation.
Liabilities of a DPCO
A DPCO found to be guilty of concealing or abetting a data breach by a Data Controller or Processor shall immediately lose its license, and its prior reports may be the subject of investigation. This is without prejudice to the right to legal redress by complainants, and to the statutory investigation and prosecutorial functions of other organs of government.
FINANCIAL OBLIGATIONS OF DPCO

| No. | Item | Fee |
|---|---|---|
| 2. | Annual License Fee | N50,000 |
| 3. | Filing of Report of less than 10,000 Data Subjects | N5,000 |
| 4. | Filing of Report between 10,000-50,000 Data Subjects | N10,000 |
| 4. | Filing of Report of more than 50,000 Data Subjects | N20,000 |
Treasury Single Account (TSA) Payment should be made into:
NITDA Revenue e-Collection Account
- A firm (including its subsidiary or agent) engaged to provide financial audit for a Data Controller is precluded from acting as its Data Protection Compliance Organisation (DPCO).
- Payments made in respect of this application are non-refundable, and NITDA shall not be obliged to grant a license to every applicant.