Data Protection Law and Technology

SHOULD COMPLIANCE OFFICERS ACT AS DATA PROTECTION OFFICERS? – VICTORIA ADARAMOLA & ADEYEMI OWOADE

The General Data Protection Regulation provides that organizations should protect and secure the personal data they collect in the course of their business. The GDPR, CCPA, NDPR and other data protection regulations in other jurisdictions take enforcement seriously and with the utmost regard. In the past few years, since the introduction of the EU GDPR, several companies have been fined for non-compliance with the regulation. Those companies would certainly have had compliance officers responsible for ensuring that they kept up to date with the regulations and laws affecting their business. Since the introduction of the various data protection regulations, many have debated whether the regulations force companies to have a separate in-house officer called the “Data Protection Officer” (DPO). Others hold that the company’s compliance officer can fill the role of data protection officer without recruiting another employee.

This article sets out to examine the functions of the compliance officer in the 21st century and to reconcile them with the work of the data protection officer as provided for under the different data protection regulations. It also looks at the different schools of thought on the need to separate the role of the data protection officer from that of the compliance officer, and examines the view that a compliance officer can also wear the additional hat of data protection officer. At the end of this scrutiny, the article turns to international best practice and makes recommendations on the proper way to comply with the regulations without the expense of hiring additional employees.

Let’s get started

1. The Compliance Officer

(i) Who are compliance officers?

According to Adam Hayes, the compliance officer “is an employee of a company that ensures the firm is in compliance with its outside regulatory and legal requirements as well as internal policies and bylaws. The chief compliance officer is usually the head of a firm’s compliance department.

Compliance officers have a duty to their employer to work with management and staff to identify and manage regulatory risk. Their objective is to ensure that an organization has internal controls that adequately measure and manage the risks it faces. Compliance officers provide an in-house service that effectively supports business areas in their duty to comply with relevant laws and regulations and internal procedures. The compliance officer is usually the company’s general counsel, but not always.”[1]

(ii) What are the roles of the compliance officer?

The definition of the compliance officer’s role differs from one company to another, and may depend on the industry the company belongs to. However, there are common roles that compliance officers perform everywhere in the world. Robert Half summarised the duties of a compliance officer as follows:

  • Developing, implementing and managing an organization’s compliance program
  • Coordinating with federal and state regulators
  • Planning, implementing and overseeing risk-related programs
  • Creating and coordinating proper reporting channels for compliance issues
  • Developing company compliance communications
  • Coordinating and scheduling required compliance training for employees[2]

2. THE DATA PROTECTION OFFICER

(i) WHO IS A DATA PROTECTION OFFICER?

A data protection officer is a person or an entity tasked with the responsibility of monitoring an institution’s compliance with the dictates of the NDPR[3]. Chapter 3.1.2 of the NDPR mandates all data controllers to have a data protection officer for the purpose of adhering to the regulation[4]. The NDPR in the same chapter provides that the role of a data protection officer can be outsourced to a competent person or firm. Hence, a data protection officer is a person or a firm that ensures that a data controller complies with the provisions of the NDPR.

The role of the data protection officer is one of the mandatory roles specified by the NDPR and the NITDA Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020[5]. The data protection officer is expected to be a senior officer who reports directly and independently to management[6].

(ii) WHAT ARE THE DUTIES OF THE DATA PROTECTION OFFICER?

Chapter 3.1.2 of the NDPR spells out the duties of a data protection officer. According to that chapter, a data protection officer is expected to ensure that the practices of the data controller adhere to the provisions of the regulation, relevant data privacy instruments and the data protection directives of the data controller. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020, under Part 2.6.b, lucidly outline the duties expected of data protection officers. They are[7]:

  1. Getting the board members to buy into data protection implementation for the institution.
  2. Developing and constantly reviewing business cases for data protection implementation.
  3. Inculcating data protection as a culture in the institution.
  4. Understanding the data processing activities of each operational unit of the institution.
  5. Constantly organizing training and capacity development for staff, licensees, contractors and stakeholders on data protection and management.
  6. Advising management on practices that could trigger breaches; and
  7. Interpreting the roles of different units in the light of data privacy protection.

Under the GDPR, the DPO is equally expected to[8]:

  • Provide advice where requested as regards the data protection impact assessment and monitor its performance
  • Cooperate with supervisory authorities
  • Act as a contact point for the supervisory authority on issues relating to processing, including consultation with regard to any other matter
  • Identify the data protection risks associated with processing operations, taking into account the nature, scope, context and purpose of processing[9].

Other functions of the data protection officer include:

  • Overseeing the process of remediating data protection breaches and ensuring that data subjects are informed of such breaches[10].
  • Subjecting the data privacy practices of the firm to constant review and ensuring that they meet data protection standards at all times.

3. The Big Question

Should Compliance Officers be Data Protection Officers?

(i) The First School of Thought

As the data protection regulations are written, they appear to make it obligatory for public institutions and companies to have an expert in the field of data protection as their data protection officer. This has led several scholars to argue that this sacred role cannot be handled by a regular compliance officer unless that officer is trained to the standard required by the data protection regulations. Since a compliance officer who ticks this box may not be easy to find, they advise that such companies appoint a separate officer to the role of data protection officer. The ICO’s guidance puts the conflict-of-interest point this way:

“Can we assign other tasks to the DPO?

The UK GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.

Basically this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.”[11]

(ii) The Second School of Thought

Another school of thought holds the view that a compliance officer, because of their training and experience in dealing with regulators and regulations, can step into the shoes of a company’s DPO and wear both hats. However, they accept that to comply with the law, such a compliance officer may need to take the required courses and obtain the requisite training.

For its part, the InfoSec Institute believes that the data protection officer can work together with other compliance officers and can sit within the general compliance team:

“GDPR isn’t the only governance rule that organizations must follow regarding data privacy. There are additional regulations like Financial Industry Regulatory Authority Act (FINRA), Federal Trade Commission Act (FTC) and Health Insurance Portability and Accountability Act (HIPAA). Thus, all compliance team members must work together to have a full view of all compliance requirements on both the business level and the individual level. Many of these laws overlap in what’s required, so this should be reviewed as well to ensure there is no duplication of efforts.”[12]

(iii) The provisions of the popular regulations

(a.) GENERAL DATA PROTECTION REGULATION (GDPR): Article 37 of the GDPR makes provision for the role of the Data Protection Officer. Article 37.6 of the GDPR[13] provides that the DPO may be a staff member of the data controller or processor, or the role may be fulfilled by a person engaged on the basis of a service contract. Article 37.5 of the GDPR, however, provides that a crucial requirement of the DPO is that such a person must possess expert knowledge in the field of data protection. From this it can be deduced that, under the GDPR, a compliance officer may also function as the DPO of a data controller as long as that person has expert knowledge in the field of data protection and, by the provision of Article 39[14], has due regard to the risk associated with processing operations, taking into account the nature, scope, context and purpose of processing.

(b.) THE NIGERIA DATA PROTECTION REGULATION: The NDPR is not explicit about creating a distinction between the DPO and a compliance officer. By its provision, a data controller only has the option of outsourcing the role of the DPO either to a competent firm or person. However, the Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020 contain provisions from which inferences can be made to clear the air on the stance of the NDPR on this subject. Part 2.6 of the guidelines provides that the DPO should be a senior-level officer who reports directly to management and must not be involved in any other activity that could prejudice their judgment in advising the firm on data protection and management. Also, the DPO is expected to be trained in the general principles of management of personal data within 90 days of appointment[15]. From this provision, it can be inferred that the intent of the NDPR is that the DPO of a firm is not expected to be the compliance officer of the same firm, as the two positions are distinct in their roles. Likewise, being the compliance officer of a firm might prejudice the individual’s function in their role as the DPO of the same firm.

(c.) CHINA

There is no single exhaustive data protection law in China. However, the Personal Information Security Specification in force in China provides that an organization is required to appoint a DPO[16] if:

  1. The organization’s main business involves data protection and it has more than 200 employees; or
  2. It processes the personal information of one million or more people, or is estimated to reach that figure.

However, despite the provision for the role of a DPO, there are no stated criteria for the appointment of an individual or firm to the role.

(d.) BRAZIL

Article 5 of the Brazilian General Data Protection Law (LGPD)[17] defines a DPO as a person named by the controller and processor to act as a channel of communication between the controller, the data subjects and the National Data Protection Authority of Brazil. Article 41 of the LGPD spells out the duties of the DPO and even provides for a waiver of the DPO position based on the nature and size of the institution and the volume of data it processes. However, the law is not explicit on the requirements for the appointment of the DPO. Hence, the position of the LGPD is unclear on the question of whether a compliance officer can also function as a DPO.

4. International Best Practice

Whether or not you have a DPO, the most important thing is that the company complies with the regulations and deals with data appropriately. According to Ascentor,

“Even where a DPO is not required (as directed by the GDPR) you may wish to consider appointing an individual within your company to carry out that role on a voluntary basis. This will help to ensure that you are proactive in monitoring GDPR compliance. They don’t need to be called a DPO – you could use the term ‘Privacy Officer’.

However, please note that Article 29 states that, when an organisation designates a DPO on a voluntary basis, the same requirements under Articles 37 to 39 will apply to the designation, roles and tasks as if the designation had been mandatory. In other words being part-time or voluntary is no excuse to perform the role to any lesser degree. Not having a DPO isn’t an excuse for non-compliance.” Ascentor goes further by recommending the possibility of a shared DPO or an external DPO to save money.[18]

It cannot be overstressed that the data processor or controller must have a person who will ensure that personal data are processed and used according to the law. Most data protection laws provide that a privacy notice should contain the contact details of the data protection officer. It therefore follows that someone inside the company must be saddled with the duties of data protection.

5. Conclusion and Recommendations

With the pace of innovation and the daily growth in the data companies collect, it is unsafe for a company to be complacent about how it handles personal data. Complying with data protection laws is important, but securing personal data and ensuring it is properly processed matters even more; it is not merely a matter of ticking the compliance box. It would be a mistake to assume that because you have a data protection officer you are estopped from any liability. No: the data protection officer is an officer of the company, and the company remains liable for any breach of data protection. In an article on the data protection officer on the Information Commissioner’s Office’s website, the writer affirms this as follows:

“Is the DPO responsible for compliance?

The DPO isn’t personally liable for data protection compliance. As the controller or processor it remains your responsibility to comply with the UK GDPR. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfill your organization’s data protection obligations.”[19]

We recommend that data controllers and processors have a specially trained person dedicated to the role of data protection. It is possible to train a compliance officer to become a data protection officer. The most important thing is to have someone responsible for checking that the company processes data properly.

About the Authors

Victoria Adaramola & Adeyemi Owoade

Victoria Adaramola is a 500 level law student at Obafemi Awolowo University with keen interest in Data Protection law. She is a debater and currently serves as the Vice-Chair for the debate committee, faculty of law, Obafemi Awolowo University. She is also an associate at Law Axis 360.

Contact: Victoria Adaramola (LinkedIn)
Email: victoriaadaramola@gmail.com

Adeyemi Owoade is a Legal Researcher at ESQ Trainings Limited. He has a keen interest in cybersecurity, data protection and emerging technologies. He is a Partner and Co-founder of Law Axis 360. Email: adeyemi_o_owoade@yahoo.com


[1]https://www.investopedia.com/terms/c/compliance-officer.asp

[2]Robert Half, Compliance Officers: What they do and why they are in high demand, October 10, 2019 https://www.roberthalf.com/blog/salaries-and-skills/compliance-officers-what-they-do-and-why-theyre-in-demand Accessed March 15, 2021.

[3] “All You Need to Know About A Data Protection Officer” (NDPR Academy, 9th January 2021) <https://blog.ndpracademy.ng/all-you-need-to-know-about-a-data-protection-offiicer/> last accessed on 27th of March 2021

[4] Nigeria Data Protection Regulation, 2019, Chapter 3.1.2

[5] Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020, Section 2.6.a

[6] “NDPR and the Requirements to Employ Data Protection Officers” (D.A.P.T, 25th of May 2020) <https://dapt.com.ng/ndpr-and-the-reuirement-to-employ-dat-protection-officer/> last accessed 27th March 2021

[7] Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020, Section 2.6.b

[8] General Data Protection Regulation, Chapter 4, Article 39.1

[9] General Data Protection Regulation, Chapter 4, Article 39.2

[10] ibid

[11] Guide to the General Data Protection Regulation: Data Protection Officers

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/#ib1

[12] https://resources.infosecinstitute.com/topic/the-difference-between-a-compliance-officer-and-a-data-protection-officer

[13] General Data Protection Regulation, Chapter 4

[14] ibid

[15] Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020, Part 2.6.a

[16] Data Protection Laws of the World (DLA Piper, last updated on 25th of January 2021) <https://dlapiperdataprotection.com/index.html?t=law&c=CN> last accessed on 27th of March 2021

[17] Brazilian General Data Protection Law (LGPD, English translation) (IAPP Resource Center, August 14, 2018) <https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/> last accessed 27th of March 2021

[18] https://www.ascentor.co.uk/2017/06/gdpr-data-protection-officer-dpo/

[19]https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/#ib1


1 comment

  1. We believe that data controllers and processors should appoint a professionally trained individual to oversee data protection. A compliance officer can be trained to become a data protection officer. The first and most critical step is to appoint someone to oversee the company’s data processing. Thank you for the reminder!
