By Mercy King’ori
Data protection officers (DPOs) are key to ensuring compliance with data protection regulations including respect for the data protection principle of accountability. They act as intermediaries between data controllers, data subjects and data protection authorities. So fundamental is the role of DPOs in that the focus for this year’s European Data Protection Board’s (EPDB) Coordinated Enforcement Framework is on DPOs. In Africa, the designation of a DPO can be found in numerous data protection laws. While not always mandatory, 26 out of 36 laws include the designation of a data protection officer. The conditions for appointing a DPO vary among countries. For example, in Kenya, Uganda and Rwanda, an entity is required to appoint a DPO:
- where processing is by a public or private body except for courts acting in their judicial capacity;
- where the processing involves regular and systematic monitoring of data subjects; and
- where the processing involves sensitive personal data
Both Rwanda and Uganda require that the processing of sensitive personal data is “large scale” to necessitate the appointment of a DPO. Rwanda’s law does not define “large scale” but it is defined under Regulation 47(5) of Uganda’s Data Protection Regulations, 2019. In other countries like Nigeria, only “data controllers and processors of major importance” are mandated by law to appoint a DPO.
The question of who can be a DPO remains a crucial one due to potential conflicts of interest. Section 24 of Kenya’s DPA provides that an “existing staff member of the data controller or data processor who fulfils other tasks and duties may be appointed as a DPO provided that such tasks and duties do not result in a conflict of interest”. Other laws permit controllers and processors to outsource the services of a DPO.
With regard, to the qualifications of a DPO, the baseline requirement in most laws is that the DPO must be knowledgeable in matters of data protection. In countries such as Ghana, the commission is tasked with providing the criteria for qualification to be appointed as a data protection supervisor (Section 58(6)). Once an entity has appointed a DPO, data protection laws of South Africa, Gabon, Egypt and Cote d’Ivoire require that the Data Protection Authority is notified through registration of the DPO. Common DPO duties include:
- Advising on processing requirements under the law;
- Facilitate capacity building of staff involved in data processing activities;
- Cooperate with the data protection authority on matters relating to data protection and;
- Ensure compliance with the data protection laws.
Despite appointing a DPO not being mandatory, having a DPO may exempt an entity from certain obligations under the laws of Madagascar, Niger, Cote d’Ivoire, and Gabon. Different exemptions exist upon the appointment of a DPO. For example, appointing a DPO under Cote d’Ivoire law exempts an entity from providing prior notification to the DPA for the processing of personal data.
Lastly, some laws include provisions on the manner of dismissing a DPO from their duty. In Madagascar, Togo and Botswana, a data controller or processor may only dismiss a DPO for serious reasons and must notify the DPA of such termination. This ensures DPOs enjoy protection in performing their data protection tasks
