NDPA / GAID Compliance Diagnostic
Find out whether your organisation can demonstrate compliance before scrutiny arrives.
SAC’s diagnostic review identifies gaps across privacy governance, DPIA, RoPA, breach readiness, data subject rights, vendor risk, and audit evidence — in five business days, delivered by a licensed DPCO.
Six situations where the diagnostic is the right immediate step.
The diagnostic is appropriate for any organisation that has not completed a structured assessment of its NDPA compliance posture — or that has reason to believe its documented compliance may not hold under regulatory scrutiny.
An NDPC notice, inspection letter, or regulatory query requires an immediate gap assessment to understand your exposure before you respond.
The CAR must be prepared and certified by a licensed DPCO. A diagnostic establishes what evidence exists and what gaps must be remediated before filing.
Internal audit findings create board accountability. A SAC diagnostic provides an independent, DPCO-level assessment of the specific gaps identified and their regulatory significance.
Board members have personal accountability under the NDPA. A diagnostic gives the board a structured, externally verified view of the organisation’s compliance posture.
Most organisations that believe they are “basically compliant” have never had a structured review against the NDPC’s inspection framework. The gap between assumed and actual compliance is typically significant.
Following an incident, a diagnostic identifies the compliance failures that contributed to or were exposed by the breach — and produces the evidence of remediation that the NDPC will require.
What the diagnostic reviews.
Each domain is assessed against the NDPC’s inspection framework — not a generic checklist. The diagnostic identifies what evidence exists, what is absent, and what the regulatory significance of each gap is.
Accountability structure, DPO designation, governance documentation, NDPA obligation mapping, and CAR filing history.
DPIA programme existence, mandatory trigger compliance, completed DPIAs for high-risk processing, and DPIA register currency.
RoPA completeness, field compliance with NDPA Section 24, lawful basis documentation, and currency of processing records.
72-hour notification capability, breach assessment procedures, breach register, NDPC notification templates, and evidence of breach simulation testing.
NDPA-compliant content, transparency obligations, layered notice approach, website privacy notice, HR and client notices.
DSAR procedure, response timeline compliance, exemption knowledge, DSAR log, and evidence of handled requests.
DPO designation, independence, competence, NDPC registration, board reporting function, and DPO operational capacity.
Data processing agreements, vendor due diligence, sub-processor controls, data sharing register, and international transfer compliance.
Evidence inventory, NDPC-format documentation, evidence gaps against CAR requirements, and management action plan currency.
Board privacy accountability framework, DPO reporting structure, digital trust KPIs, Audit Committee agenda inclusion, and board oversight evidence.
Delivered as a structured written report — domain-by-domain findings, regulatory significance, priority classification, and recommended actions.
The diagnostic is conducted by a named SAC principal — an NDPC-Licensed DPCO and active practitioner — not delegated to a junior analyst or automated tool.
SAC reviews existing documentation and conducts a structured interview with the DPO, compliance officer, or relevant lead — typically 60–90 minutes.
Five outputs. Five business days.
Every diagnostic produces the same five deliverables, regardless of organisation size or sector. The outputs are designed to be immediately actionable — by the DPO function, by the board, and in response to any NDPC engagement.
A domain-by-domain compliance status view — what exists, what is absent, and what is partially in place across all ten diagnostic domains.
Each identified gap is assessed for regulatory risk — which gaps carry enforcement exposure, which carry board accountability risk, and which are operational failures.
The ten most critical actions sequenced by regulatory urgency — addressing the gaps that carry the highest enforcement risk first, regardless of implementation difficulty.
A 90-day remediation roadmap — sequenced, scoped, and responsibility-assigned — with the evidence requirements for each action item.
A 45-minute debrief with the SAC principal who conducted the diagnostic — walking through the findings, answering questions, and advising on the right next step.
Form submission & SAC confirmation
Information request & interview scheduling
Documentation review & structured interview
Report drafting & internal quality review
Report delivery & debrief scheduling
45-min debrief & next steps discussion
A diagnostic is only as useful as the standard it is measured against.
Most compliance gap assessments are measured against the organisation’s own understanding of what compliance requires. SAC measures against the NDPC’s actual inspection framework — the criteria that NDPC inspectors apply when they review an organisation’s compliance posture. This produces a different finding.
The difference matters because organisations that appear compliant by internal standards frequently appear non-compliant when measured against the NDPC’s evidence requirements. The gap between “we have a policy” and “we can demonstrate the policy operates in practice” is where enforcement happens.
SAC’s diagnostics are conducted by the principals who file Compliance Audit Returns with the NDPC, advise organisations on NDPC correspondence, and deliver the evidence packs that NDPC inspectors review. The diagnostic reflects the standard as it is applied in practice — not as it is described in the legislation.
NDPC-Licensed DPCO — NDPC/DCP/01784. SAC is licensed to conduct and certify Compliance Audit Returns filed with the NDPC. The diagnostic is conducted to the same standard as a CAR review.
IIM Africa Accredited Training Organisation — #d193ed82f32a4eb64. SAC’s practitioners hold active CDPO qualification and are assessed annually against IIM’s competence framework.
ISACA DTEF Certified Facilitator — the only active certified facilitator of the Digital Trust Ecosystem Framework in Nigeria’s professional services sector. Board governance assessments draw on DTEF methodology.
FCA · CISA · CDPSE — active practitioner credentials in financial assurance, information systems audit, and data privacy. The diagnostic integrates financial and cybersecurity governance assessment where relevant.
Registered Nigerian firm — CAC RC 2638736. SAC is a Nigerian professional services firm, advising Nigerian institutions under Nigerian law. No adaptation from foreign frameworks required.
Request Diagnostic Review
Complete the form to request your NDPA/GAID Compliance Diagnostic. SAC will confirm receipt within one business hour and send the initial information request the same day.
The form takes approximately three minutes to complete. The diagnostic is conducted within five business days of receiving the required information from your organisation.
SAC confirms receipt of your request and sends the initial information request document within one business day.
A 60–90 minute structured interview is scheduled with your DPO, compliance officer, or relevant lead at your convenience.
SAC reviews documentation, conducts the interview, and delivers the gap snapshot, risk analysis, priority actions, and roadmap.
A 45-minute debrief with the SAC principal who conducted the diagnostic — findings, questions, and the recommended advisory response.
If your organisation has received NDPC correspondence or is under active regulatory scrutiny, note this in the urgency field — SAC will prioritise your diagnostic and respond within four business hours.
SAC treats all diagnostic requests as confidential. Information provided is used solely to conduct the diagnostic and will not be shared with third parties. For urgent matters call +234 803 447 2628 directly.
The NDPC doesn’t announce its inspections. Your diagnostic should happen now.
Most organisations that receive NDPC correspondence had a compliance programme they believed was sufficient. The diagnostic tells you whether yours would hold — before scrutiny arrives, not under it.