As data protection regulation continues to mature in Nigeria, conversations around privacy, accountability, and regulatory compliance are gaining renewed momentum. This week, Data Privacy Week is being marked across the country, with increased attention from businesses, regulators, and the media on how personal data is collected, used, and protected.
Against this backdrop, one question continues to arise across sectors and organisation sizes: does my organisation need a Data Protection Officer (DPO)?
This article explains what a DPO is under Nigerian law and outlines the categories of organisations that are required to appoint one under the Nigeria Data Protection Act 2023 (NDPA).
Who Is A Data Protection Officer?
A Data Protection Officer (DPO) is a designated, independent individual, who may be an internal employee or an external data privacy professional, responsible for overseeing an organisation’s compliance with applicable data protection laws.
A defining feature of the DPO role under the NDPA is independence. While a DPO advises on compliance obligations, privacy risks, and best practices, they do not determine the means or purpose of processing personal data. In other words, they do not make business decisions about how personal data is used, as this is the responsibility of the organisation’s management.
This separation is intentional. It ensures that data protection oversight remains objective and that compliance considerations are not subordinated to internal commercial or operational pressures.
Under the NDPA, the core responsibilities of a DPO include:
- Advising data controllers and processors on their obligations under the data protection laws
- Monitoring compliance with applicable laws, regulations and internal policies
- Raising awareness and supporting internal accountability for data protection practices
- Serving as the organisation’s primary contact point for data subjects and the Nigerian Data Protection Commission (Commission).
In practice, DPOs are also expected to support Data Protection Impact Assessments, risk or gap assessments, and regulatory filings where required.
Which Organisations Are Required To Appoint A DPO?
The NDPA does not impose a blanket obligation on all organisations to appoint a DPO. Instead, it adopts a risk-based approach, recognising that certain processing activities pose higher risks to data subject rights.
In general, an organisation is required to appoint a DPO where its core activities involve large-scale or high-risk processing of personal data, particularly where sensitive data is involved or where processing activities are central to public services or critical infrastructure.
Data Controllers And Processors Of Major Importance
Organisations classified as Data Controllers or Data Processors of Major Importance are required to appoint a DPO. These typically include entities operating in sectors such as financial services, aviation, oil and gas, healthcare, and large-scale e-commerce and digital platforms.
To ensure proportionality of regulatory obligations, the Commission classifies major data processing activities into three (3) categories:
- Ultra-High Level (UHL)
- Extra High Level (EHL)
- Ordinary High Level (OHL)
Organisations falling within any of these categories are subject to enhanced compliance obligations, including the appointment of a DPO and filing of the prescribed compliance submissions (such as Compliance Audit Returns) with the Commission.
Public Authorities And High-Risk Organisations
Public sector bodies are almost universally required to appoint a DPO. Government ministries, departments, and agencies routinely process personal data on a significant scale, often involving sensitive citizen information and systems that form part of Nigeria’s critical national information infrastructure.
In the private sector, the obligation to appoint a DPO commonly arises where an organisation’s core activities involve systematic monitoring of individuals or the processing of sensitive personal data such as health records, biometric data, financial information, religious beliefs or political opinions.
How To Tell If Your Organisation Needs A DPO
In practice, the requirement to appoint a DPO may arise either because the law expressly requires it or because an organisation’s data processing profile makes it necessary to do so.
From a legal perspective, a DPO is required where an organisation is designated as a Data Controller or Data Processor of Major Importance. The Guidelines (GAID) to the NDPA prescribe certain submissions to the Nigerian Data Protection Commission that must be made through a qualified Data Protection Officer and filed by a registered Data Protection Company (DPCO). These include: Data Protection Impact Assessments, risk or gap assessments, and annual Compliance Audit Returns (CAR).
In practical terms, an organisation is more likely to require a DPO if it:
- Routinely collects, stores or processes personal data
- Handles sensitive categories of personal data
- Processes personal data at scale or across multiple systems
- Is a public authority or government agency
- Has been designated under the NDPA as a Data Controller or Processor of Major Importance.
Failure to appoint a DPO where required, or appointing a DPO without sufficient independence, may expose an organisation to regulatory scrutiny and possible fines or penalties under the NDPA.
Beyond Legal Obligation: Business Risk Considerations
Even where an organisation is not strictly required by law to appoint a DPO, doing so may still be advisable. This is particularly true where data processing activities increase in volume or complexity, where third-party vendors or cloud platforms are used, or where cross-border data transfers apply.
In today’s regulatory environment, the appointment of a DPO is increasingly viewed not only as a compliance requirement, but as a governance and risk management function that supports trust, resilience, and long-term business sustainability.
AUTHORS
Hanoba Etomi
Head Data Privacy and Digital Infrastructure
Iwinosa Aibangbee
Associate