Data Protection Officers in Nigeria: Requirements, Role and Compliance Guide


Data Protection Officers in Nigeria: Who Needs One and What the Role Involves

Most Nigerian businesses approach the DPO question the wrong way. They ask “do we need one?” hoping the answer is no. The more useful question is: who in your organisation is currently accountable for data protection, and does that arrangement meet the standard the NDPC expects?

Under GAID, the answer to the first question is determined by your classification. The answer to the second requires a more honest assessment than most organisations have done.

This article covers who is required to appoint a DPO, what the independence requirement means in practice, and what the options are for organisations that cannot resource it internally.

This article is part of PlanetWeb’s GAID compliance series. For the registration and classification framework, see our GAID registration guide. For the broader compliance programme context, see our data protection compliance strategies guide.

Who Is Required to Appoint a DPO

The mandatory DPO requirement applies to organisations classified as Data Controllers or Processors of Major Importance (DCPMIs) under GAID. The classification criteria are the same ones that determine your NDPC registration tier, and are worth restating here because the DPO obligation flows directly from them. The full statutory basis is set out in the Nigeria Data Protection Act 2023, which GAID operationalises.

Your organisation is required to appoint a DPO if it meets any of the following:

  • Processes personal data for more than 200 individuals within any six-month period
  • Has an annual turnover of ₦50 million or above
  • Handles sensitive data categories at scale: health records, biometric data, or financial data
  • Processes children’s data at scale
  • Processes data on behalf of any organisation that meets the above criteria

The 200-individual threshold is lower than most business owners expect. A mid-size e-commerce platform, a marketing agency with an active client database, a healthcare provider managing patient records, or an HR software firm handling staff data for multiple clients can all cross it without realising they have done so.

The classification assessment should be based on your actual processing activities, not on turnover alone. An organisation below the ₦50 million threshold but processing sensitive health data at volume is still within scope.

When there is genuine uncertainty about whether the criteria apply, the conservative position is to treat the requirement as mandatory and seek a formal assessment.

For the full classification framework and what Major status commits your organisation to beyond the DPO requirement, see our GAID registration guide.

What the Independence Requirement Means in Practice

The NDPC does not simply require that someone be named as DPO. It requires that the DPO be demonstrably independent: capable of performing their function without being directed, constrained, or penalised by other interests within the organisation.

This is where most Nigerian organisations go wrong. The independence requirement is the mechanism through which the NDPC ensures the DPO can flag non-compliance to leadership when it occurs, without fear of being overruled or dismissed for doing so. The ICO’s guidance on DPO appointment sets out the same principle clearly, and is a useful reference given that Nigeria’s framework draws directly on GDPR principles in this area.

Why the Head of IT Is Usually the Wrong Choice

The most common appointment mistake is putting the Head of IT in the DPO role because data protection sounds like a technical problem. It is not primarily a technical problem. It is a governance and accountability problem that has technical dimensions.

The Head of IT makes decisions about systems, infrastructure, and data flows that the DPO is supposed to independently scrutinise. When the same person is responsible for both the decisions and their oversight, the independence requirement is structurally compromised from the start.

An NDPC auditor will quickly identify this. Technical competence is useful for a DPO. It is not a substitute for independence, and it does not resolve the conflict of interest.

Why Senior Executives Rarely Qualify

CFOs, COOs, legal directors, and, in most cases, the CEO are poor DPO candidates. These roles carry commercial and operational interests that can conflict with data protection obligations.

A DPO must be able to advise against a data processing activity that carries compliance risk, even when that activity has commercial appeal. They must be able to report concerns to the board or to the NDPC without fear that doing so will affect their position.

A senior executive whose remuneration is tied to the same commercial outcomes the DPO is supposed to scrutinise cannot credibly hold that position.

Who Typically Does Qualify

A dedicated compliance officer with no line management responsibility over data-handling teams is a strong internal candidate. A legal counsel whose brief is narrowly defined around compliance and who has no conflicting commercial responsibilities can also work.

In regulated industries such as financial services or healthcare, a compliance manager who already operates with independence from commercial functions and reports directly to the board is often well-positioned to assume the DPO role formally.

The key test in every case is whether the individual can say no to a data processing decision and have that refusal respected, without risking their role.

What a DPO Does in Practice

Most descriptions of the DPO role list legal responsibilities. They say the DPO must “advise on data protection obligations,” “monitor compliance,” and “act as a contact point for the NDPC.” That is accurate but not particularly useful for a business owner trying to understand what they are resourcing.

In practice, the role sits across operations, risk, and compliance. Here is what it looks like on the ground for a Nigerian SME.

Data Subject Request Handling

Under the NDPA, data subjects have the right to access their personal data, request corrections, ask for erasure, object to processing, and request data portability. Every such request must be acknowledged and resolved within 30 days.

The DPO is responsible for receiving these requests, logging them, routing them to the relevant department, and ensuring the response is accurate and timely. They also keep records that demonstrate each request was handled correctly.

In a business processing significant volumes of customer data, this can be a frequent obligation. In a smaller organisation, it may be occasional, but the process must exist regardless of frequency.

For a full breakdown of each right and the operational steps for handling them correctly, see our data subject rights guide.

Breach Response

The DPO is typically the first point of escalation when a potential data incident is identified. Their role is to assess whether the incident meets the threshold for formal notification to the NDPC, which, under GAID, is 72 hours from the point at which the organisation becomes aware of a qualifying breach.

That 72-hour window is short. An organisation without a functioning DPO and a documented breach response process will almost certainly miss it, or make notification decisions without the framework to do so correctly.

The DPO does not manage the technical response to a breach. They manage the compliance response: assessment, notification, documentation, and communication with affected data subjects where required.

Our data breach response guide covers what the notification process involves in detail.

Staff Training and Awareness

The DPO is responsible for ensuring that staff who handle personal data understand their obligations. This means designing training that is relevant to each role, not just running a generic annual session and recording attendance.

A customer service team handling data subject requests needs different training from a finance team processing payroll. A sales team with access to a CRM database has different obligations from a technical team managing server infrastructure.

The DPO is responsible for both the content and the documentation: records that demonstrate training happened, who attended, what was covered, and when it was last updated.

NDPC Correspondence and Registration

The DPO serves as the organisation’s named contact point with the NDPC. This includes managing the initial registration, annual renewal, change notifications within the mandatory 30-day window, and any correspondence arising from complaints, audits, or investigations.

When the NDPC receives a complaint about an organisation, their first point of contact is the registered DPO. An organisation whose DPO has left, and whose replacement has not been notified to the NDPC, is in a poor position to respond effectively.

Vendor and Contract Review

Under the NDPA, a data controller remains responsible for what its vendors do with personal data processed on its behalf. The DPO’s role includes reviewing data processing agreements before contracts are signed and flagging gaps.

Vendor contracts must cover breach notification timelines, audit rights, clear processing instructions, and termination provisions for non-compliance. This is often the most neglected dimension of the DPO function. Many Nigerian businesses sign vendor contracts without data protection provisions and only discover the gap when something goes wrong.

At that point, the liability remains with the data controller, regardless of who is at fault. A vendor breach involving your customers’ data is your regulatory problem, not your vendor’s.

The Outsourced DPO Option

Organisations that qualify as Major but cannot resource a full-time internal DPO can engage an outsourced DPO service. This is a legitimate option under GAID, and for many Nigerian SMEs, it is the most practical one, particularly for organisations in the ₦50 million to ₦500 million turnover range where the compliance obligation is real but the volume of DPO activity does not justify a full-time hire.

Internal vs Outsourced: What to Weigh

Factor                          Internal DPO                           Outsourced DPO
NDPC licensing required         No                                     Yes
Independence obligation         Yes                                    Yes
Cost                            Salary + training                      Monthly retainer
Availability during incidents   Immediate                              Depends on contract
Organisational knowledge        High                                   Builds over time
Best suited for                 Larger DCPMIs with high data volumes   Mid-size organisations, first-time compliance

Licensing Is Not Optional

The outsourced DPO must hold a current NDPC licence. Engaging a general compliance consultant or a legal firm with data protection experience does not satisfy the requirement. The NDPC’s register of licensed DPCOs is the reference point. Verify the provider’s status there before entering any engagement.

Independence Applies Equally

The engagement contract should specify the DPO’s authority, their right to report directly to the organisation’s board or governing body, and provisions that protect them from being directed to act against their professional judgement. An outsourced DPO who can be overruled by the client on compliance matters is not, in substance, an independent DPO.

Shared Arrangements Carry Risk

Shared DPO arrangements, where one practitioner serves multiple organisations simultaneously, are permissible but carry a practical risk: if the caseload is too heavy, the DPO may not be able to give each organisation adequate attention.

Before entering a shared arrangement, understand how many clients the practitioner currently serves and what their availability commitment looks like for each. A DPO managing 30 clients simultaneously is unlikely to respond within 72 hours when a breach occurs at midnight.

The Designated Compliance Owner for Non-Major Organisations

Organisations below the DCPMI threshold do not face a mandatory DPO requirement, but they are not exempt from accountability. Every organisation processing personal data needs a named person responsible for data protection compliance, handling data subject requests, breach response, and NDPC correspondence.

This role is less formally defined than a statutory DPO. It does not require NDPC licensing or the same independence obligations. But it does require someone who understands the NDPA’s requirements, has the authority to act on compliance matters, and is checking the privacy inbox regularly.

In a small organisation, this might be an office manager, a legal or compliance professional, or a founder who has invested time in understanding the obligations. What matters is that it is a specific, named person who knows what they are responsible for.

The designation is also a stepping stone. As the organisation grows and crosses the classification thresholds, the informal compliance owner role transitions into a mandatory DPO requirement.

The practical risk is the gap period: the point at which the classification criteria are met, but the formal DPO appointment has not yet been made. This is where enforcement exposure tends to accumulate for growing organisations, particularly fintechs and e-commerce businesses scaling quickly. Monitoring your classification status as the business grows, rather than waiting for a formal trigger, is the better approach.

Frequently Asked Questions

Who is legally required to appoint a DPO in Nigeria?
Organisations classified as Data Controllers or Processors of Major Importance (DCPMIs) under GAID are required to appoint a DPO. The key triggers are processing personal data for more than 200 individuals within a six-month period, annual turnover of ₦50 million or above, or handling sensitive data categories at scale. All other organisations must still designate a named person responsible for compliance, even if a formal DPO appointment is not mandatory.
Can the same person be both DPO and Head of IT?
In most cases, no. The NDPC requires the DPO to be demonstrably independent, meaning they cannot hold responsibilities that conflict with their data protection role. The Head of IT makes decisions about systems and data flows that the DPO is supposed to independently scrutinise. Combining the roles creates a conflict of interest that an NDPC auditor will identify.
Does an outsourced DPO satisfy the NDPC requirement?
Yes, provided the outsourced practitioner holds a current NDPC licence and the engagement is structured to ensure genuine independence. The NDPC maintains a register of licensed DPCOs. A general compliance consultant without NDPC licensing does not satisfy the requirement, regardless of their expertise.
What qualifications does a DPO need under GAID?
GAID requires that the DPO have expert knowledge of data protection law and practice. There is no single prescribed qualification, but the NDPC expects demonstrable competence: relevant training, professional credentials, or verifiable experience in data protection compliance. The DPO appointment letter submitted at NDPC registration must include evidence of the individual’s expertise.
What happens if a required DPO is not appointed?
Failing to appoint a DPO when required constitutes non-compliance under the NDPA. It will be identified as a gap in any NDPC audit and can result in compliance orders and financial penalties. It also weakens the organisation’s position in the event of a data breach or data subject complaint, since the absence of a functioning DPO is evidence of structural compliance failure.
Can a small business share a DPO with another company?
Shared DPO arrangements are permissible under GAID, but the practical risk is diluted attention. Before entering a shared arrangement, it is worth understanding how many organisations the practitioner currently serves and what their availability commitment to each one looks like. The independence requirement applies equally regardless of whether the arrangement is shared or dedicated.
How does the DPO role differ from a general compliance officer?
A general compliance officer manages the organisation’s adherence to regulatory requirements across multiple domains. A DPO is specifically focused on data protection obligations under the NDPA and GAID, and carries a statutory independence requirement that most compliance roles do not. The DPO must be able to report concerns to the governing body and to the NDPC without being constrained by other organisational interests.

The DPO question is one area where half-measures compound over time. An organisation that appoints the wrong person, or appoints no one at all, does not just carry registration risk. It carries risk across every data subject request it mishandles, every breach it is slow to notify, and every audit where the absence of a functioning compliance structure is visible.

The organisations that get this right are the ones that can demonstrate, when the NDPC asks, that a qualified and independent person has been actively managing compliance, not just holding a title. They can produce a data subject request log, show that staff training records exist, and point to vendor contracts with data processing provisions. When a breach occurs, they know within hours whether the 72-hour notification threshold applies and who is responsible for filing it.

The ones that get it wrong discover the gap at the worst possible moment: during an audit, after a breach, or when a data subject complaint triggers an NDPC investigation. By then, the absence of a functioning DPO is not just a missing box on a form. It is evidence that the organisation’s compliance programme was never real.

If you are uncertain whether your current arrangement meets the standard, get in touch, and we can help you assess it.
