SAC Training Academy · CDPO Certification Programme
Practical Data Protection Officer Training for Professionals Who Must Deliver Compliance in the Real World.
SAC delivers NDPC/IIM-aligned CDPO training with practical DPIA exercises, breach simulations, audit evidence walkthroughs, and regulator-aware compliance implementation. Certification is the credential. Operational capability is the outcome.
Eight roles that benefit from CDPO certification.
The CDPO is not only for designated DPOs. Every professional who touches data governance, risk, audit, legal, or compliance has a specific capability gap the CDPO programme addresses.
Designated DPOs who require an IIM-recognised qualification to formalise their role and register with the NDPC as the organisation’s compliance officer of record.
CCOs and compliance leads who need NDPA operational skills — not just a policy understanding — to build and maintain the organisation’s compliance programme.
Legal professionals advising on NDPA obligations who need the operational and procedural knowledge to translate legal requirements into implementable compliance architecture.
Auditors assessing privacy and data governance controls who need the technical knowledge to evaluate NDPA compliance evidence to the NDPC’s inspection standard.
Technical professionals who implement the systems processing personal data and need NDPA literacy to align technical controls with privacy-by-design principles.
Risk professionals integrating data protection risk into the organisational risk framework who need NDPA-specific risk identification and assessment methodology.
HR professionals managing employee data at scale who need NDPA obligations specific to employment data, payroll records, and HR system processing activities.
MDA officers and parastatal compliance leads who must address NDPA obligations in a public sector context — with the specific accountability and procurement dimensions that entails.
What you will leave capable of doing.
Map processing activities against NDPA obligations, identify lawful basis for each activity, and determine which obligations apply to your organisation’s specific processing.
Construct an NDPC-format RoPA from scratch, populate all mandatory fields, and maintain it as a live document that reflects current processing — not a one-off exercise.
Determine when a DPIA is mandatory, conduct the full assessment from processing description through risk scoring and mitigation design, and document the output to NDPC standard.
Execute breach severity assessment, apply the notification obligation trigger, draft the NDPC notification, make the data subject notification decision, and preserve evidence — within the mandatory window.
Process a DSAR from receipt through acknowledgement, identity verification, exemption consideration, disclosure decision, and response — including complex scenarios where the answer is not straightforward.
Understand what the CAR requires, assemble the evidence that supports each obligation, structure the evidence pack to NDPC format, and prepare the DPO attestation for DPCO certification.
Draft a board-ready data protection quarterly report — RAG indicators, open actions, incident summary, and DSAR performance — formatted to the standard that board members and audit committees can govern against.
Participants receive the IIM Certified Data Protection Officer qualification — verifiable with IIM Africa and recognised by the NDPC as a DPO designation pathway under the NDPA 2023.
NDPC-format RoPA template · DPIA framework and template · DSAR procedure SOP · Breach notification register · Board reporting template · Evidence pack structure
Active NDPC-Licensed DPCO — currently filing Compliance Audit Returns with the NDPC and advising organisations on NDPA engagement. Teaches from operational experience, not academic familiarity.
None. The programme is designed for professionals at all levels of prior data protection knowledge. Sector context is incorporated through participant cohort discussion.
Select a module to explore the content and exercises.
Each module combines targeted instruction with a practical exercise based on a Nigerian regulatory scenario — so participants encounter the challenge before acquiring the knowledge they need to solve it.
NDPA and GAID Foundations
The structure of the NDPA 2023 and its General Application and Implementation Directive — the key obligations, the definitions that matter, the NDPC’s enforcement posture, and the DCPMI classification and registration framework. Taught from the NDPC’s inspection framework, not from the legislation in isolation.
DCPMI threshold assessment exercise — participants assess five realistic organisations against GAID criteria, determine registration status, and identify the DPO designation requirements for each. Findings are mapped to the applicable NDPA provisions.
- NDPA 2023 structure and key sections
- GAID directives and application
- Data controller vs processor distinction
- DCPMI classification criteria
- NDPC registration and CAR requirements
- NDPC enforcement posture 2024–2026
- Six NDPA lawful bases explained
- Special category data — heightened requirements
- Children’s data provisions
Participants can identify NDPA obligations applicable to their organisation, determine DCPMI classification status, and apply the lawful basis framework to their processing activities.
Data Protection Impact Assessments
The NDPA Section 28 mandatory DPIA framework — when a DPIA is required, how to conduct one, how to document risk, and how to present DPIA findings to senior leadership and the NDPC. Every participant completes a full DPIA on a realistic Nigerian high-risk processing scenario.
Full DPIA execution — mandatory determination exercise (five processing scenarios, determine which require a DPIA and why), followed by a complete DPIA on a new biometric employee attendance system: processing description, necessity and proportionality, risk identification and scoring, mitigation design, and NDPC-format output documentation.
- DPIA mandatory trigger criteria (NDPA S.28)
- Processing description framework
- Necessity and proportionality assessment
- Risk identification methodology
- Risk scoring and rating
- Mitigation design and residual risk
- DPIA register management
- SAC NDPC-format DPIA template
- DPIA mandatory trigger checklist
- Completed workshop DPIA (reference output)
Participants can conduct a defensible DPIA independently — from mandatory determination through risk assessment and NDPC-format documentation — for any high-risk processing activity their organisation commissions.
Records of Processing Activities
NDPA Section 24 RoPA requirements — every mandatory field, the lawful basis selection logic, retention schedule construction, and the distribution of RoPA completion across departments. Participants build a partial RoPA for a realistic Nigerian organisation during the session.
RoPA construction workshop — using the SAC NDPC-format RoPA template, participants receive a realistic organisational processing inventory brief and populate a set of processing activity records in full, including lawful basis documentation, retention schedule, security measures, and third-party transfer fields.
- NDPA Section 24 field requirements
- Processing activity inventory methodology
- Lawful basis documentation per activity
- Data category classification
- Retention schedule construction
- Third-party and cross-border transfer fields
- RoPA maintenance as a live document
- SAC NDPC-format RoPA master template
- Lawful basis selection guide
- Partially completed workshop RoPA
Participants can construct a complete, NDPC-format RoPA for their organisation — submission-ready for CAR filing, inspection-ready for NDPC review.
Breach Response & 72-Hour Notification
The NDPA Section 40 breach notification framework — the 72-hour clock, severity assessment, NDPC notification requirements, data subject notification decisions, and evidence preservation. Includes a live breach simulation where participants execute the complete response from discovery to NDPC notification.
Breach response simulation — a realistic breach scenario unfolds in stages: initial detection (unclear scope), severity assessment, internal escalation decision, 72-hour NDPC notification drafting, data subject notification decision, and evidence preservation. Participants work through each stage using the SAC breach response toolkit, then debrief on decisions made and alternatives available.
- NDPA Section 40 notification obligations
- 72-hour clock — when it starts, what resets it
- Breach severity assessment framework
- NDPC notification template and content
- Data subject notification decision framework
- Evidence preservation requirements
- Breach register maintenance
- NDPC breach notification template
- Breach severity assessment tool
- Breach register template
Participants can execute a complete NDPA-compliant breach response within 72 hours — having practised each step under controlled conditions before facing a real incident.
Data Subject Access Requests
The NDPA data subject rights framework — the right of access and its siblings — and the operational procedure for managing DSARs from receipt through response. Emphasis on non-obvious scenarios: partial disclosures, third-party data, exemption decisions, and requests where the correct response requires judgment rather than procedure.
Four DSAR scenarios — increasing complexity: standard access request, request involving third-party data that cannot be disclosed, request from a former employee seeking HR records subject to legal privilege, and a manifestly unfounded request where the fee and extension provisions apply. Participants make the disclosure decision for each and draft the response letter.
- Eight NDPA data subject rights
- DSAR receipt and acknowledgement SOP
- Identity verification requirements
- 30-day timeline and extension provisions
- Exemption framework (legal privilege, third-party data)
- Partial disclosure decision process
- Manifestly unfounded and excessive requests
- DSAR procedure SOP
- DSAR response letter templates (4 scenarios)
- DSAR log template
Participants can manage any DSAR to conclusion — including complex scenarios — within the NDPA’s timelines and with defensible disclosure decisions documented.
Vendor & Third-Party Risk
NDPA Section 29 processor obligations — DPA requirements, vendor due diligence methodology, sub-processor controls, and the international transfer framework for vendors in non-adequate jurisdictions. Participants assess a realistic vendor scenario and draft the DPA clause requirements for that engagement.
Vendor privacy risk assessment — participants receive a realistic vendor onboarding brief (a cloud-based payroll processor based in a non-adequate jurisdiction, with sub-processors in three countries) and conduct the full vendor assessment: lawfulness of the transfer, DPA clause requirements, sub-processor notification procedure, and annual review schedule.
- Controller vs processor accountability (NDPA S.29)
- DPA minimum content requirements
- Vendor due diligence methodology
- Sub-processor controls and notification
- Cross-border transfer lawfulness (NDPA S.43–44)
- Transfer safeguards — SCCs and adequacy
- Vendor risk register maintenance
- Vendor privacy assessment questionnaire
- DPA clause template
- Vendor risk register template
Participants can assess any vendor relationship for NDPA compliance, identify the required DPA clauses, and manage cross-border transfer risk for international processors.
NDPC Compliance Audit Returns
The annual CAR filing requirement — what the NDPC expects, what evidence must be assembled, how the DPO supports the DPCO’s certification, and what the inspection process looks like. Participants review a realistic compliance evidence file and identify the gaps that would produce an adverse CAR finding.
Evidence gap identification — participants receive a realistic CAR evidence file (partially complete, with deliberate gaps and non-conformities) and conduct the review that a DPCO would apply before certifying the CAR. Gap identification, severity assessment, and the management action plan required to remediate before filing.
- CAR filing obligations and timeline
- NDPC evidence framework — 32 obligations
- Evidence assembly methodology
- Management representation requirements
- DPO attestation role and limits
- DPCO certification — what it means
- NDPC inspection response preparation
- CAR preparation checklist
- Evidence pack structure template
- NDPC audit readiness self-assessment
Participants can prepare a complete CAR evidence pack that supports DPCO certification — assembling evidence to NDPC standard before the filing deadline, not under it.
Governance Reporting & Board Accountability
The DPO’s board reporting function — how to structure the quarterly data protection report, what metrics the board needs to govern against, and how to frame compliance status for a board audience that is accountable for NDPA obligations but not operationally expert in them. Participants draft a board report section from real compliance data.
Board report drafting — using a realistic compliance dataset (incident count, DSAR performance, open actions, CAR filing status, DPIA register), participants draft the quarterly data protection board report section, including RAG indicators, trend narrative, and the management action summary that enables the board to discharge its oversight accountability.
- Board accountability under NDPA
- DPO reporting structure and independence
- Digital trust KPI framework (DTEF)
- Audit Committee privacy agenda design
- RAG reporting methodology
- Incident reporting to the board
- Annual governance review format
- Board data protection report template
- Privacy KPI framework
- Audit Committee agenda template
Participants can produce board-ready data protection governance reports that give the board the information needed to discharge NDPA accountability — presented in a format boards can use, not just receive.
Six capabilities. Deployment-ready on Monday.
Operate as a credentialled DPO — IIM-qualified, NDPC-designation-ready, and operationally capable of the functions the NDPA requires the DPO to perform.
Construct and maintain a full RoPA — NDPC-format, all mandatory fields completed, maintained as a live document rather than a point-in-time exercise.
Determine DPIA necessity, execute the full assessment, document output to NDPC standard, and maintain a DPIA register that reflects the organisation’s high-risk processing history.
Execute a complete breach response from discovery — severity assessment, NDPC notification, data subject decision, evidence preservation — within the mandatory 72-hour window.
Assemble a complete Compliance Audit Return evidence pack that supports DPCO certification — structured to the NDPC’s 32-point framework and ready before the filing deadline.
Produce quarterly board data protection reports — RAG indicators, trend analysis, open actions — that enable the board to discharge NDPA governance accountability with specificity.
Different from compliance training. Built for compliance deployment.
The gap between compliance certification and compliance capability is where most training programmes lose their value. A DPO who has passed an examination but cannot construct a Records of Processing Activities, conduct a defensible DPIA, or manage a 72-hour breach notification has received a credential, not a capability.
SAC’s CDPO programme is built by the practitioners who conduct NDPA compliance audits, file Compliance Audit Returns with the NDPC, and engage regulators in live advisory mandates. Every case study, scenario, and exercise is drawn from Nigerian NDPA enforcement proceedings — not GDPR case law adapted for Nigerian conditions.
Every instructor holds active practitioner credentials — FCA, CISA, CDPSE, CDPO, CRISC — and is currently delivering the compliance programmes and engaging the regulators they teach. Practice precedes instruction, because the NDPC’s standard demands it.
CDPO graduates receive an IIM-recognised qualification — verifiable with IIM Africa, recognised by the NDPC as a DPO designation pathway. Reference #d193ed82f32a4eb64.
Every scenario, exercise, and case study is drawn from Nigerian NDPA enforcement proceedings. Participants apply knowledge to situations that reflect their actual regulatory environment.
The breach response module includes a full simulation — participants execute the complete response from discovery to NDPC notification in a controlled environment before facing a real incident.
Participants receive working documents: NDPC-format RoPA template, DPIA framework, DSAR SOP, breach register, and board report template — ready to use on return to their organisation.
Instructors are currently filing NDPC CARs, advising on NDPC correspondence, and conducting NDPA compliance audits. They teach from live regulatory experience.
Train your compliance team as a cohort — same framework, same tools, zero implementation friction.
When a compliance team attends CDPO training together, they return to the same organisation with the same reference framework, the same templates, and the same understanding of what the NDPC’s standard requires. The implementation friction that comes from individual training — where each team member has a slightly different understanding — is eliminated.
Corporate cohort delivery is calibrated to your organisation’s sector, existing compliance state, and the specific NDPA obligations most relevant to your processing activities. Minimum 4 participants.
Within 90 days of IIM certification: team independently constructed the bank’s full RoPA, completed three DPIAs, and filed the first NDPC CAR — without external advisory support.
Following the programme: agency identified 12 evidence gaps and remediated 10 within 30 days, producing the first NDPC-formatted evidence pack in the agency’s compliance history.
Content calibrated to your sector’s specific regulatory context — financial services, public sector, technology, NGO — with sector-specific scenarios and case studies.
Delivered at your premises, SAC’s facility, or as a live virtual cohort. Same practical exercises and Nigerian case studies regardless of format.
SAC reviews your current compliance position before the cohort and incorporates specific gaps into the exercises — so the training addresses your actual implementation challenges.
Optional quarterly DPO coaching sessions after the cohort — keeping your designated DPO current on NDPC developments and implementation challenges.
Corporate cohort available from 4 participants. Pricing by agreement. Contact SAC to discuss scope, format, and scheduling.
Register for CDPO Training
Complete the form to register for an open-enrolment cohort or to request a corporate cohort for your organisation. SAC responds to all training enquiries within one business day.
For open-enrolment registration, SAC will confirm your place and send the joining instructions including pre-reading, session format, and venue details. For corporate cohort requests, SAC will contact you to discuss scope, calibration, and scheduling.
Upcoming Open-Enrolment Dates
Contact training@sac.ng to confirm current date availability before making travel arrangements.
SAC will send you a confirmation with joining instructions, pre-reading, and session details. For questions contact training@sac.ng.
Certification is the credential. Operational capability is the outcome.
The June 2026 cohort has limited seats. Open enrolment registrations are confirmed on a first-come, first-served basis. Corporate cohorts are scheduled by agreement.