Sector-Specific Advisory
Sector-Specific Advisory for Institutions Operating Under Scrutiny.
Every sector faces different data, governance, cyber, assurance, and financial risks. SAC translates regulatory obligations into practical, sector-aligned operating models — applying the specific frameworks that govern each industry, not a generic template adapted from others.
Each sector has its own regulatory landscape, risk profile, and board accountability framework.
Public Sector & Government Institutions
MDAs, parastatal bodies, and public agencies process high volumes of citizen, employee, beneficiary, and procurement data — under NDPA obligations many have not yet assessed or acted on.
Ministries, departments, agencies, and parastatal bodies sit among Nigeria's largest processors of personal data — citizen records, employee information, beneficiary registers, procurement files, and enforcement data. The NDPC has identified the public sector as a priority enforcement focus, specifically citing the volume of personal data processed by government institutions and the near-universal absence of documented compliance programmes in most agencies.
The NDPA 2023 applies to all public sector data controllers regardless of ministry or parastatal status — there is no public sector exemption. DCPMI registration is mandatory for most government institutions by volume alone. The BPP procurement compliance framework requires documentation of data protection practices in vendor onboarding. SCUML registration imposes AML/CFT obligations that overlap with NDPA data handling requirements.
SAC helps public institutions build privacy governance, audit evidence, compliance reporting, and staff capability aligned with NDPC expectations — while accounting for the procurement compliance, transparency, and accountability requirements of public sector governance frameworks. As a BPP-listed firm (Ref 0000-0019-0144), SAC is eligible for direct public sector engagement under BPP procurement rules.
- Citizen data exposed without lawful basis
- No RoPA across processing activities
- DPO function absent or nominal
- Breach response untested
- Vendor data sharing without DPAs
- BPP non-compliance in procurement
- NDPA / GAID Compliance Enablement
- DCPMI Registration
- DPO-as-a-Service
- Vendor & Third-Party Risk Management
- Compliance Audit Returns (CAR)
- Staff Awareness Programme
A government institution with documented NDPA compliance, BPP-aligned procurement data governance, and an NDPC-registered DPO function — able to evidence compliance in response to NDPC inspection or ministerial accountability enquiry.
Financial Services & Fintech
Banks, fintechs, microfinance institutions, and payment service providers face simultaneous NDPA and CBN obligations that most manage through fragmented advisory — producing compliance gaps neither adviser can see.
Banks, fintechs, MFBs, and payment providers process the largest volumes of customer personal and financial data in Nigeria's private sector. The NDPC has indicated financial services as a priority enforcement sector. Most financial institutions meet the DCPMI threshold by customer volume alone — and face simultaneous compliance obligations under the NDPA and the CBN's cyber risk management framework that require coordinated, not sequential, advisory.
The NDPA 2023 mandates DCPMI registration, DPO designation, RoPA, DPIA, and annual CAR filing. The CBN Cyber Risk Management Framework assigns board-level accountability for cyber governance and requires audit committee oversight of cyber risk. NAICOM imposes data handling obligations on insurance entities. AML/CFT regulations require SCUML registration and create additional data processing obligations with their own documentation requirements.
SAC delivers integrated NDPA and CBN cyber governance advisory in coordinated engagements — DCPMI registration, DPO enablement, annual CAR filing, and CBN framework gap assessment without the overhead of managing separate advisory relationships. As an NDPC-Licensed DPCO, SAC can address the full scope of a financial institution's NDPA obligations in a single engagement mandate.
- Dual NDPA + CBN compliance exposure
- Customer data breach with regulatory notification failure
- Board cyber governance gap (CBN examination)
- DCPMI unregistered or overdue CAR
- Fintech data processor agreement gaps
- AML data retention vs NDPA conflict
- NDPA Compliance Enablement
- Digital Trust & DTEF Assessment
- CBN Cyber Governance Framework
- Board Privacy Governance
- DPO-as-a-Service
- CAR Filing (DPCO-certified)
A financial institution with NDPA and CBN compliance addressed in one coordinated engagement — DCPMI registered, CAR filed, board governance structured, and cyber risk accountability documented for CBN examination.
Oil, Gas & Critical Infrastructure
Upstream, midstream, and downstream operators process contractor, employee, and operational data at scale — with NDPA obligations that intersect complex multi-stakeholder and cross-border operational realities.
Oil and gas operators — upstream explorers, midstream transporters, and downstream marketers — process employee, contractor, and community data across multiple jurisdictions, often involving cross-border transfers to international joint venture partners and parent companies. Many operate Critical National Infrastructure, where data security obligations intersect with operational technology risks and sector-specific regulatory requirements under the Petroleum Industry Act 2021.
The NDPA 2023 applies to all processing activities regardless of sector. NUPRC regulatory filings increasingly intersect with data governance requirements. The PIA 2021 introduces community development and host community data obligations. Cross-border transfer restrictions under the NDPA are directly relevant to operators who share data with international joint venture partners, parent companies, or technical service providers in non-adequate jurisdictions.
SAC maps data processing activities across the operational and corporate layers, structures the NDPA compliance programme around the sector's specific data flows — contractor registers, employee records, community data, technical operations — and addresses cross-border transfer risks for data shared with international partners. Cybersecurity resilience at the governance layer for critical infrastructure is addressed through SAC's DTEF and NIST CSF-aligned advisory.
- Contractor and employee data without DPAs
- International transfers without lawful basis
- OT/IT cyber risk at governance layer
- Community data obligations (PIA 2021)
- JV partner data sharing governance
- DCPMI threshold exceeded but unregistered
- NDPA Compliance Enablement
- Cross-Border Transfer Advisory
- Vendor & Third-Party Risk Management
- Cybersecurity Resilience & Governance
- Independent Assurance
- DCPMI Registration
An operator with a compliant, sector-calibrated NDPA programme — contractor and employee data governed, international transfers on lawful basis, critical infrastructure cyber governance structured for board visibility.
Technology & Digital Platforms
Software companies, digital platforms, and technology service providers are frequently both data controllers and data processors — carrying dual compliance obligations that many have not assessed or structured.
Technology companies and digital platforms occupy a unique position under the NDPA — many are simultaneously data controllers (for their employees, internal users, and business relationships) and data processors (for their clients' end users). The dual obligation creates compliance complexity that most tech companies have not mapped. Platforms serving financial, health, or government clients inherit their clients' regulatory exposure through the data they process.
The NDPA 2023 applies to all technology platforms processing Nigerian personal data — including platforms hosted outside Nigeria that process data of Nigerian residents. NCC regulations impose telecommunications data obligations on platforms using mobile infrastructure. Data localisation requirements affect cloud infrastructure decisions. Fintech platforms carry simultaneous CBN and NDPA obligations with specific data retention and security requirements.
SAC assesses the controller/processor boundary for each product and business relationship, builds privacy-by-design architecture into the compliance programme, structures data processor agreements for client relationships, and addresses the platform's cross-border data transfer obligations — producing a compliance framework that scales with the technology business rather than creating drag on it.
- Controller/processor boundary unclear
- Platform user data without lawful basis
- Data localisation non-compliance
- No sub-processor controls or DPAs
- Product privacy by design absent
- Breach detection and 72-hour response gap
- NDPA Compliance Enablement
- DPIA & RoPA Implementation
- Cross-Border Transfer Advisory
- Vendor & Third-Party Risk Management
- Breach Readiness & Incident Response
- DPO-as-a-Service
A technology business with a scalable NDPA compliance programme — controller and processor obligations mapped, DPAs in place, privacy by design embedded, and cross-border transfers on a documented lawful basis.
NGOs & Development Sector
Development organisations, INGOs, and donor-funded programmes carry dual compliance obligations — meeting NDPA and NDPC requirements while satisfying international donor data governance standards that are simultaneously applicable.
Development organisations and INGOs process sensitive beneficiary data — health, income, displacement, and vulnerability information — often involving special category data under the NDPA. Many operate under both Nigerian regulatory obligations (NDPA, NDPC, SCUML) and international donor governance frameworks (USAID data requirements, EU GDPR where applicable, and organisational data protection policies set by international headquarters). The dual-standard compliance requirement is distinctive to this sector and is rarely addressed in one advisory relationship.
The NDPA 2023 applies to all processing of Nigerian personal data — including beneficiary and programme participant data. SCUML registration is mandatory for NGOs operating in Nigeria and imposes AML/CFT-linked data obligations. Special category data provisions under the NDPA impose heightened consent, documentation, and security requirements on health, vulnerability, and displacement data. International donor frameworks may independently require GDPR-equivalent data protection standards that must be reconciled with NDPA obligations.
SAC builds NDPA compliance programmes calibrated to the development sector context — beneficiary data governance, consent frameworks for programme participation, special category data protocols, and cross-border transfer mechanisms for donor reporting — while ensuring alignment with international donor standards where applicable. As a SCUML-registered firm (RN:SC 151513507), SAC understands the AML/CFT compliance context that NGOs operate within.
- Beneficiary consent not NDPA-compliant
- Special category data without enhanced controls
- Cross-border donor reporting without lawful basis
- SCUML non-compliance
- Donor data governance standard conflicts
- No DPO or privacy governance structure
- NDPA Compliance Enablement
- Cross-Border Transfer Advisory
- Special Category Data Protocols
- DPIA & RoPA Implementation
- SCUML Compliance Advisory
- DPO-as-a-Service
An NGO or INGO with a dual-standard NDPA and donor framework compliance posture — beneficiary data governed, cross-border reporting on lawful basis, SCUML obligations met, and special category data protection documented.
Real Estate & Infrastructure
Real estate developers, property managers, estate agents, and infrastructure project companies process client, tenant, contractor, and transactional data that routinely includes financial and identification information without formalised governance.
Real estate and infrastructure companies process extensive personal and financial data — buyer and tenant identification documents, financial records for AML compliance, contractor and employee data, and in some cases biometric access control data. Most operate without formalised privacy governance, data retention policies, or vendor data agreements. The intersection of NDPA obligations and SCUML/AML requirements creates a dual compliance burden that property sector companies rarely address in a coordinated way.
The NDPA 2023 applies to buyer, tenant, and employee data collected by real estate entities. SCUML registration and AML/CFT compliance obligations apply to estate agents and developers receiving significant transaction values. EFCC enforcement on money laundering in real estate transactions creates financial data governance obligations. The FRCN applies to financial reporting in listed or significant real estate entities.
SAC builds NDPA compliance programmes calibrated to the real estate sector — covering KYC data governance under AML requirements, tenant and buyer data retention and deletion policies, contractor data management, and the evidence architecture that demonstrates compliance to both NDPC inspectors and financial institution counterparties conducting due diligence on property transactions.
- Buyer/tenant KYC data without NDPA governance
- Financial data retention / AML conflict
- Biometric access data — no special category protocol
- No data deletion process for former tenants
- SCUML non-compliance for agents
- Vendor data sharing (property management systems)
- NDPA Compliance Enablement
- DPIA & RoPA Implementation
- Vendor & Third-Party Risk Management
- SCUML Compliance Advisory
- Financial Advisory (FRCN-registered)
- Independent Assurance
A real estate or infrastructure business with NDPA-compliant KYC and transaction data governance — AML obligations reconciled with privacy requirements, vendor data agreements in place, and a compliance posture that supports institutional counterparty due diligence.
Education & Training Institutions
Universities, polytechnics, professional training bodies, and private schools process extensive student, staff, and alumni data — often including health, financial, and academic performance information requiring heightened protection.
Educational institutions are significant personal data processors — student records (academic, health, financial, disciplinary), staff data, parent and guardian information, alumni records, and increasingly research data involving human subjects. The NDPA's special category data provisions apply broadly in educational settings — health clinic records, counselling records, and financial aid information all carry heightened protection requirements. Many institutions process data of minors, creating additional consent and governance obligations.
The NDPA 2023 imposes full compliance obligations on all educational institutions regardless of funding source or ownership model. NUC and NBTE accreditation frameworks increasingly intersect with data governance and research ethics requirements. Processing of data concerning minors requires enhanced consent procedures and cannot rely on the same lawful basis provisions applicable to adult data. Research institutions face particular exposure from data collected for research purposes where consent may be contingent or time-limited.
SAC builds NDPA compliance programmes calibrated to the educational context — student record governance, research data protocols, staff awareness, and special category data handling procedures that address the sector's specific processing activities. The SAC Training Academy also offers accredited data protection training directly relevant to education sector compliance and research ethics practitioners.
- Student health and disciplinary data — no special category protocol
- Minor data without enhanced consent mechanism
- Research data — consent expiry and data deletion
- Alumni data retained beyond legitimate purpose
- EdTech vendor data processing without DPAs
- No DPO function or DCPMI registration
- NDPA Compliance Enablement
- DPIA & RoPA Implementation
- Vendor & Third-Party Risk Management
- Staff Awareness Programme
- CDPO Training (for institution's DPO)
- DPO-as-a-Service
An educational institution with NDPA-compliant student, staff, and research data governance — special category protocols in place, minor data consent mechanisms established, and a DPO function capable of handling the institution's full range of processing activities.
How regulatory pressure, risk level, and SAC services map across sectors.
The matrix below shows the intensity of regulatory pressure, key risk exposure, and the primary SAC advisory services applicable across all seven sectors. H = High, M = Moderate, L = Lower.
| Sector | NDPA Pressure | Cyber Risk | Board Governance | Cross-Border Transfer Risk | Assurance Demand | Financial Advisory Need | Primary SAC Focus |
|---|---|---|---|---|---|---|---|
| Public Sector & Government (NDPA · BPP · SCUML) | H | M | H | L | H | M | NDPA Compliance; CAR Filing; Independent Assurance |
| Financial Services & Fintech (NDPA · CBN · NAICOM · AML) | H | H | H | M | H | H | NDPA + CBN Integrated; Digital Trust / DTEF; Board Governance |
| Oil, Gas & Critical Infrastructure (NDPA · NUPRC · PIA 2021) | M | H | M | H | M | H | Cross-Border Transfer; Cyber Resilience; Financial Advisory |
| Technology & Digital Platforms (NDPA · NCC · CBN Fintech) | H | H | M | H | M | L | NDPA Compliance; Cross-Border Transfer; Breach Readiness |
| NGOs & Development Sector (NDPA · SCUML · Donor Standards) | H | L | M | H | M | M | Dual-Standard Compliance; Cross-Border Transfer; Special Category Data |
| Real Estate & Infrastructure (NDPA · SCUML · FRCN · BPP) | M | L | M | L | M | H | NDPA Compliance; AML Data Governance; Financial Advisory |
| Education & Training (NDPA · NUC · NBTE · NDPC) | H | L | M | M | L | L | NDPA Compliance; Special Category Data; CDPO Training |
Source: SAC sector advisory intelligence · NDPA 2023 · GAID · NDPC enforcement briefings · April 2026. Intensity ratings are advisory assessments — individual organisation exposure varies by size, processing volume, and operational model.
SAC understands your sector's obligations — not just privacy law in the abstract.
A 20-minute diagnostic conversation with a named SAC principal — identifying the specific regulatory obligations that apply to your sector, the exposures that are currently unaddressed, and the advisory sequence that addresses them.