SAC Training Academy · CDPO Certification Program
Practical Data Protection Officer Training for Professionals Who Must Deliver Compliance in the Real World.
SAC delivers NDPC/IIM-aligned CDPO training with practical DPIA exercises, breach simulations, audit evidence walkthroughs, and regulator-aware compliance implementation. Certification is the credential. Operational capability is the outcome.
Eight roles that benefit from CDPO certification.
The CDPO is not only for designated DPOs. Every professional who touches data governance, risk, audit, legal, or compliance has a specific capability gap the CDPO program addresses.
Designated DPOs who require an IIM-recognized qualification to formalise their role and register with the NDPC as the organization’s compliance officer of record.
CCOs and compliance leads who need NDPA operational skills — not just a policy understanding — to build and maintain the organization’s compliance program.
Legal professionals advising on NDPA obligations who need the operational and procedural knowledge to translate legal requirements into implementable compliance architecture.
Auditors assessing privacy and data governance controls who need the technical knowledge to evaluate NDPA compliance evidence to the NDPC’s inspection standard.
Technical professionals who implement the systems processing personal data and need NDPA literacy to align technical controls with privacy-by-design principles.
Risk professionals integrating data protection risk into the organizational risk framework who need NDPA-specific risk identification and assessment methodology.
HR professionals managing employee data at scale who need NDPA obligations specific to employment data, payroll records, and HR system processing activities.
MDA officers and parastatal compliance leads who must address NDPA obligations in a public sector context — with the specific accountability and procurement dimensions that entails.
Nine Modules. Twenty Outcomes. One Qualification.
The SAC CDPO curriculum is built around the NDPA 2023 and GAID — taught from the NDPC's inspection framework, not from the legislation in isolation. Every module combines targeted instruction with a practical exercise drawn from a real Nigerian regulatory scenario. Participants don't just understand data protection. They can deploy it.
Each module is mapped to the official IIM/NDPC CDPO curriculum and includes a practical exercise based on a real Nigerian regulatory scenario.
Introduction to Data Protection and Privacy
A grounded introduction to the foundational concepts, legislative framework, and institutional structure of data protection in Nigeria. Covers the definition and distinction between privacy and data protection, the nature of personal data — including sensitive categories and children's data — and the key stakeholders in the ecosystem. Introduces the Nigeria Data Protection Act (NDPA) 2023 in its regulatory context, including the NDPC's mandate and enforcement role.
Participants map a Nigerian organization's data landscape — identifying categories of personal data processed, flagging sensitive data, and determining applicable NDPA obligations. The exercise reveals how many organizations process sensitive data and children's data without recognizing the heightened obligations this triggers.
- Definition of Privacy and Data Protection
- Importance of Data Protection in Nigeria's digital economy
- Categories of Personal Data — standard, sensitive, children's
- Processing of Personal Data — what constitutes processing
- Conditions for Processing Sensitive Personal Data
- Processing of Personal Data of Children — special provisions
- Key Stakeholders — controllers, processors, data subjects, NDPC
- Nigeria Data Protection Act (NDPA) 2023 — structure and scope
- Objectives of the NDPA 2023
- Roles and mandate of the Nigeria Data Protection Commission (NDPC)
Participants can articulate the NDPA's scope, identify different categories of personal data and the heightened obligations attached to each, and explain the roles of key stakeholders in Nigeria's data protection ecosystem.
Principles and Lawful Basis for Data Processing
The eight data protection principles under the NDPA — examined not as abstract statements but as operational obligations that shape how personal data must be handled at every stage of processing. Each principle is taught alongside its enforcement implication and the evidence required to demonstrate compliance. The six lawful bases for processing under the NDPA are analyzed with decision frameworks for selecting and documenting the appropriate basis.
Participants work through a lawful basis mapping exercise for five processing activities drawn from a Nigerian financial services organization. For each activity, they select the appropriate basis, identify the documentation required, and flag activities that currently lack a documented basis — a gap found in almost every real-world engagement.
- Principles of Personal Data Processing — overview
- Lawfulness, Fairness, and Transparency — three distinct obligations
- Purpose Limitation — collection and compatibility requirements
- Data Minimization — adequacy, relevance, and necessity
- Storage Limitation — retention periods and deletion protocols
- Accuracy — data quality obligations and correction mechanisms
- Appropriate Security and Protection — technical and organizational measures
- Duty of Care and Accountability — the accountability principle
- Lawful Basis for Personal Data Processing — all six bases
- Lawful Basis for Processing Data According to the NDPA
- Consent — requirements, validity, and withdrawal
- Legitimate Interests — application and balancing test
- Determining the Appropriate Lawful Basis for Each Processing Activity
Participants can identify the applicable lawful basis for any processing activity, document that basis to NDPC inspection standard, and demonstrate compliance with all eight data protection principles through evidence.
Data Subjects' Rights
All ten data subject rights recognized under the NDPA — each examined from the perspective of what an organization must do to discharge the right, not merely what the right means. The module is built around a four-step operationalization framework: receive, verify, assess, respond. Particular attention is paid to the rights that generate the most enforcement risk — access, erasure, and objection.
DSAR simulation: participants manage three concurrent data subject requests — an access request from a former employee, an erasure request from a customer citing the right to be forgotten, and an objection to direct marketing processing. Each scenario includes complications (partial exemptions, third-party data, competing legitimate interests) that reflect real-world enforcement situations.
- Identification of a Data Subject — who qualifies
- Right to Be Informed — privacy notices and just-in-time disclosure
- Right of Access — DSAR process, timelines, and exemptions
- Right to Rectification — inaccuracy and correction obligations
- Right to Erasure — when it applies, when it doesn't
- Right to Data Portability — scope and technical requirements
- Right to Restriction of Processing — temporary suspension obligations
- Right to Object — grounds, absolute rights, and balancing
- Right to Withdraw Consent — timing and effect
- Right Not to Be Subject to Automated Decision-Making and Profiling
- Right to Complain to the NDPC — regulatory escalation
- Steps to Operationalize Data Subject Rights Requests end-to-end
Participants can manage any data subject request to completion — including complex, multi-right scenarios — within NDPA timelines and with full documentation of the decision-making process.
Obligations of Data Controllers and Processors
A precise delineation of the roles of data controllers and processors — and what that distinction means in practice for accountability, contracting, and regulatory liability. This module addresses the most commercially significant question the NDPA creates: when the processor fails, how far does the controller's liability extend? Covers the full suite of NDPA controller and processor obligations and the consequences of non-compliance.
Accountability gap analysis: participants assess a Nigerian company's current controller-processor relationships against NDPA Section 29 requirements — identifying missing data processing agreements, inadequate sub-processor controls, and accountability structures that would not withstand NDPC scrutiny.
- Who is a Data Controller — definition, identification, examples
- Who is a Data Processor — definition, identification, examples
- Responsibilities of Data Controllers — the full accountability framework
- Responsibilities of Data Processors — obligations and limits
- Data Processing Agreements — mandatory content under NDPA Section 29
- Obligations of Data Controllers and Processors under the NDPA
- Sub-processor controls and accountability chain
- DPO designation obligations — who must have one, what qualifies
- Record-keeping and accountability documentation requirements
- Consequences of Non-Compliance — sanctions, enforcement actions, liability
Participants can map their organization's controller-processor relationships, identify missing contractual protections, and implement the accountability structures required to demonstrate NDPA compliance.
Data Security
The most technically comprehensive module in the program — covering the full spectrum of data security obligations from incident classification through DPIA methodology, privacy by design implementation, and cookie management. Built around the question regulators ask: what did you do before the incident, not what did you do after? Teaches proactive security architecture, not reactive incident response.
DPIA live workshop: participants conduct a full Data Privacy Impact Assessment for a Nigerian fintech company's new customer onboarding system — completing processing description, necessity assessment, risk identification (using the SAC risk matrix), mitigation design, and residual risk determination. Output is a DPIA document ready for DPO review.
- Data Security — scope and obligations under the NDPA
- Security Incidents — definition, categories, and examples
- Identifying and Classifying Data Security Incidents
- Responding to Data Security Incidents — SOP and escalation
- Data Breach — NDPA definition and distinction from security incidents
- Data Breach under the NDP Act — notification obligations
- Impact of Data Breaches — regulatory, reputational, financial
- Technical and Organizational Measures — the proportionality standard
- Pseudonymization — application and limitations
- Anonymization — true anonymization vs pseudonymization
- Data Encryption — types, application, and NDPA expectations
- Stages of Data Processing — lifecycle security requirements
- Data Backup — obligations and recovery planning
- Privacy Policy — definition, mandatory components, sample
- Cookies and Their Significance in Privacy — types and consent
- Cookie Policy — drafting and implementation
- Understanding Cookie Management — technical and legal alignment
- Data Privacy Impact Assessment (DPIA) — when mandatory, how to conduct
- Privacy by Design — principles and practical implementation
- Privacy by Default — the default settings obligation
Participants can classify security incidents, conduct a defensible DPIA, implement privacy by design in new processing activities, draft compliant privacy and cookie policies, and apply appropriate technical and organizational measures proportionate to processing risk.
Managing Third-Party Risk: Vendors, Partners and Collaborations
The compliance risk that sits outside most organizations' primary focus: the data they share with vendors, cloud providers, payroll processors, and third-party service partners. Under NDPA Section 29, the controller remains fully liable for processor compliance — making vendor due diligence a core governance function, not an IT procurement consideration.
Vendor risk assessment exercise: participants evaluate four vendor relationships — a cloud storage provider, a payroll processor, a marketing automation platform, and a delivery logistics partner — against the NDPA Section 29 due diligence framework. For each, they determine the required DPA clauses, identify cross-border transfer risks, and draft the key provisions of a data processing agreement.
- Introduction to Third-Party Data Risks — scope and regulatory exposure
- Categories of Third-Party Data-Related Risks
- Controller accountability for processor failures — NDPA Section 29
- Proactive Management of Third-Party Risks — the due diligence framework
- Vendor Due Diligence by the Data Controller and Processor
- Benefits of Proactive Third-Party Risk Management
- Data Processing Agreement — mandatory content and negotiation
- Sub-processor notification and approval requirements
- Vendor risk register — structure and maintenance
Participants can assess any vendor relationship for NDPA compliance, identify the DPA clauses required for each vendor category, implement a vendor risk management framework, and maintain a sub-processor register that withstands NDPC inspection.
Cross-Border Data Transfer
International data transfers have become unavoidable for most Nigerian organizations — cloud services, international payroll, cross-border HR platforms, and multinational parent company data flows all create transfer obligations under NDPA Sections 43–44. The NDPC has identified cross-border transfer compliance as a 2025–2026 enforcement focus. This module provides the framework for achieving and evidencing lawfulness.
Transfer mapping exercise: participants map the international data flows of a Nigerian subsidiary of a multinational corporation — identifying transfers to non-adequate jurisdictions, determining the applicable transfer instrument for each flow, and drafting the key elements of a Transfer Impact Assessment for transfers to the United States and United Kingdom.
- Cross-Border Data Transfer — definition and NDPA scope
- Adequacy Decisions — countries recognized as providing adequate protection
- Cross-Border Data Transfer Instruments — SCCs, BCRs, and alternatives
- Consent as a Transfer Basis — requirements and limitations
- Other Bases for Cross-Border Transfer — contractual necessity, vital interests
- Challenges in Cross-Border Data Transfer — practical complications
- Safeguarding Data in Cross-Border Transfer — supplementary measures
- Transfer Impact Assessments — when required and how to conduct
- NDPC 2025–2026 cross-border transfer enforcement priorities
Participants can identify and document the lawful basis for every international data transfer in their organization's processing activities, implement the required transfer safeguards, and prepare Transfer Impact Assessments that would withstand NDPC review.
Emerging Technologies and Data Protection
The data protection challenges created by technologies that were not contemplated when traditional privacy frameworks were designed — artificial intelligence, cloud computing, IoT, biometric systems, and blockchain. Taught from the NDPA's existing framework applied to novel contexts, not as a speculative future-facing session. Every technology discussed is in active deployment in the Nigerian regulatory environment.
Emerging technology risk assessment: participants assess the data protection implications of three Nigerian organizations' technology deployments — a bank deploying a facial recognition customer authentication system, a logistics company using IoT fleet tracking, and a healthtech startup processing biometric health data. Each assessment applies the NDPA's existing framework and identifies the compliance obligations triggered.
- Understanding Emerging Technologies — scope and regulatory relevance
- Artificial Intelligence and Data Protection — profiling, automated decisions, bias
- Cloud Computing and Data Protection — shared responsibility and transfer risk
- Internet of Things (IoT) — continuous data collection and consent challenges
- Biometric Systems — sensitive data obligations and NDPA requirements
- Blockchain and Personal Data — the right to erasure problem
- Emerging Technologies and the NDPA — applying the existing framework
- Privacy by Design for Emerging Technologies — embedding compliance at design
- NDPA enforcement considerations for emerging technology deployments
- Practical considerations and regulatory guidance for Nigerian organizations
Participants can assess the data protection implications of any emerging technology deployment, apply the NDPA framework to novel contexts, and implement privacy by design measures that embed compliance from the outset.
Roles and Responsibilities of a Data Protection Officer
The capstone module — synthesizing the entire program through the lens of the DPO function. Covers the DPO's role in ensuring compliance with each of the eight data protection principles, the DPO's reporting structure and independence requirements, the operational checklist that defines an active DPO function, and the DPO's specific obligations in relation to emerging technologies. This is the module that separates a CDPO-qualified professional from someone who has merely passed an exam.
DPO function deployment exercise: participants build a 90-day DPO onboarding plan for a newly designated DPO at a Nigerian financial services firm — mapping the first actions required, the documentation gaps to address, the board reporting structure to establish, and the compliance program timeline to present to management. The output is a deployment-ready DPO action plan.
- Definition and formal designation of a Data Protection Officer
- Functions of a Data Protection Officer — the full statutory scope
- DPO Roles in Relation to the Eight Principles of Data Protection
- DPO Role in Ensuring Transparency — notices, communications, records
- DPO Role in Ensuring Purpose Limitation — processing scope governance
- DPO Role in Ensuring Storage Limitation — retention oversight
- DPO Role in Ensuring Data Minimization — collection governance
- DPO Role in Ensuring Accuracy — data quality management
- DPO Role in Ensuring Integrity and Confidentiality — security oversight
- DPO Role in Ensuring Accountability — evidence management and board reporting
- Basic Checklist of a DPO's Functions — the operational reference
- DPO Role in Relation to Emerging Technologies — governance and risk
- Building and maintaining an effective compliance program
Participants leave as operationally capable DPOs — IIM-qualified, NDPC-designation-ready, with the tools, templates, and practical experience to deploy an effective data protection function from day one.
Twenty outcomes. Every one verifiable on Monday morning.
These are the specific competencies a CDPO-qualified professional is expected to demonstrate — mapped to the official IIM/NDPC curriculum and organized by practice area. Not what participants will know. What they will be able to do.
Six capabilities. Deployment-ready on Monday.
Operate as a credentialled DPO — IIM-qualified, NDPC-designation-ready, and operationally capable of the functions the NDPA requires the DPO to perform.
Construct and maintain a full RoPA — NDPC-format, all mandatory fields completed, maintained as a live document rather than a point-in-time exercise.
Determine DPIA necessity, execute the full assessment, document output to NDPC standard, and maintain a DPIA register that reflects the organization’s high-risk processing history.
Execute a complete breach response from discovery — severity assessment, NDPC notification, data subject decision, evidence preservation — within the mandatory 72-hour window.
Assemble a complete Compliance Audit Return evidence pack that supports DPCO certification — structured to the NDPC’s 32-point framework and ready before the filing deadline.
Produce quarterly board data protection reports — RAG indicators, trend analysis, open actions — that enable the board to discharge NDPA governance accountability with specificity.
Different from compliance training. Built for compliance deployment.
The gap between compliance certification and compliance capability is where most training programs lose their value. A DPO who has passed an examination but cannot construct a Records of Processing Activities, conduct a defensible DPIA, or manage a 72-hour breach notification has received a credential, not a capability.
SAC’s CDPO program is built by the practitioners who conduct NDPA compliance audits, file Compliance Audit Returns with the NDPC, and engage regulators in live advisory mandates. Every case study, scenario, and exercise is drawn from Nigerian NDPA enforcement proceedings — not GDPR case law adapted for Nigerian conditions.
Every instructor holds active practitioner credentials — FCA, CISA, CDPSE, CDPO, CRISC — and is currently delivering the compliance programs and engaging the regulators they teach. Practice precedes instruction, because the NDPC’s standard demands it.
CDPO graduates receive an IIM-recognized qualification — verifiable with IIM Africa, recognized by the NDPC as a DPO designation pathway. Reference #d193ed82f32a4e64.
Every scenario, exercise, and case study is drawn from Nigerian NDPA enforcement proceedings. Participants apply knowledge to situations that reflect their actual regulatory environment.
The breach response module includes a full simulation — participants execute the complete response from discovery to NDPC notification in a controlled environment before facing a real incident.
Participants receive working documents: NDPC-format RoPA template, DPIA framework, DSAR SOP, breach register, and board report template — ready to use on return to their organization.
Instructors are currently filing NDPC CARs, advising on NDPC correspondence, and conducting NDPA compliance audits. They teach from live regulatory experience.
Train your compliance team as a cohort — same framework, same tools, zero implementation friction.
When a compliance team attends CDPO training together, they return to the same organization with the same reference framework, the same templates, and the same understanding of what the NDPC’s standard requires. The implementation friction that comes from individual training — where each team member has a slightly different understanding — is eliminated.
Corporate cohort delivery is calibrated to your organization’s sector, existing compliance state, and the specific NDPA obligations most relevant to your processing activities. Minimum 4 participants.
Within 90 days of IIM certification: the team independently constructed the bank’s full RoPA, completed three DPIAs, and filed the first NDPC CAR — without external advisory support.
Following the program: the agency identified 12 evidence gaps and remediated 10 within 30 days, producing the first NDPC-formatted evidence pack in the agency’s compliance history.
Content calibrated to your sector’s specific regulatory context — financial services, public sector, technology, NGO — with sector-specific scenarios and case studies.
Delivered at your premises, SAC’s facility, or as a live virtual cohort. Same practical exercises and Nigerian case studies regardless of format.
SAC reviews your current compliance position before the cohort and incorporates specific gaps into the exercises — so the training addresses your actual implementation challenges.
Optional quarterly DPO coaching sessions after the cohort — keeping your designated DPO current on NDPC developments and implementation challenges.
Corporate cohort available from 4 participants. Pricing by agreement. Contact SAC to discuss scope, format, and scheduling.
Register for CDPO Training
Complete the form to register for an open-enrolment cohort or to request a corporate cohort for your organization. SAC responds to all training enquiries within one business day.
For open-enrolment registration, SAC will confirm your place and send the joining instructions including pre-reading, session format, and venue details. For corporate cohort requests, SAC will contact you to discuss scope, calibration, and scheduling.
Upcoming Open-Enrolment Dates
Contact training@sac.ng to confirm current date availability before making travel arrangements.
The June 2026 cohort has limited seats. Open enrolment registrations are confirmed on a first-come, first-served basis. Corporate cohorts are scheduled by agreement.