By Mercy King’ori
Data protection officers (DPOs) are key to ensuring compliance with data protection regulations, including respect for the data protection principle of accountability. They act as intermediaries between data controllers, data subjects and data protection authorities. So fundamental is the role of DPOs that this year’s European Data Protection Board (EDPB) Coordinated Enforcement Framework focuses on DPOs.[1] In Africa, the designation of a DPO can be found in numerous data protection laws. While designation is not always mandatory, 29 out of 39 laws include a data protection officer designation. The conditions for appointing a DPO vary among countries. For example, in Kenya, Uganda and Rwanda, an entity is required to appoint a DPO:
- where processing is by a public or private body except for courts acting in their judicial capacity;
- where the processing involves regular and systematic monitoring of data subjects; and
- where the processing involves sensitive personal data.
Both Rwanda and Uganda require that the processing of sensitive personal data is “large scale” to necessitate the appointment of a DPO. Rwanda’s law does not define “large scale”, but it is defined under Regulation 47(5) of Uganda’s Data Protection Regulations, 2019. In other countries like Nigeria, only “data controllers and processors of major importance” are legally mandated to appoint a DPO.
The question of who can be a DPO remains crucial due to potential conflicts of interest. Section 24 of Kenya’s DPA provides that an “existing staff member of the data controller or data processor who fulfils other tasks and duties may be appointed as a DPO provided that such tasks and duties do not result in a conflict of interest”. Other laws permit controllers and processors to outsource the services of a DPO.
With regard to the qualifications of a DPO, the baseline requirement in most laws is that the DPO must be knowledgeable in matters of data protection. In countries such as Ghana, the commission provides the criteria for qualification to be appointed as a data protection supervisor (Section 58(6)). Similarly, Benin’s data protection authority published a decision on the certification of DPOs by the authority, specifying the qualifications and required documentation for appointment. Countries such as Nigeria are also developing their own national data protection training programs to acquaint DPOs with the local requirements.[2]
Once an entity has appointed a DPO, the data protection laws of South Africa, Gabon, Egypt and Côte d’Ivoire require that the Data Protection Authority is notified through registration of the DPO. Common DPO duties include:
- Advising on processing requirements under the law;
- Facilitating capacity building of staff involved in data processing activities;
- Cooperating with the data protection authority on matters relating to data protection; and
- Ensuring compliance with the data protection laws.
Although appointing a DPO is not mandatory, having a DPO may exempt an entity from certain obligations under the laws of Madagascar, Niger, Côte d’Ivoire, and Gabon. The exemptions available upon the appointment of a DPO differ. For example, appointing a DPO under Côte d’Ivoire law exempts an entity from providing prior notification to the DPA for the processing of personal data.
Lastly, some laws include provisions on dismissing a DPO from their duty. In Madagascar, Togo and Botswana, a data controller or processor may only dismiss a DPO for serious reasons and must notify the DPA of such termination. This ensures DPOs enjoy protection in performing their data protection tasks.
[1] ‘Launch of Coordinated Enforcement on Role of Data Protection Officers | European Data Protection Board’ <https://edpb.europa.eu/news/news/2023/launch-coordinated-enforcement-role-data-protection-officers_en> accessed 8 August 2023.
[2] ‘Nigeria has over 500,000 Verified Data Protection Officers – NDPC’ <https://von.gov.ng/nigeria-has-over-500000-verified-data-protection-officers-ndpc/> accessed 11 September 2024.