Advisory Services

Integrated Advisory Capabilities for Regulator-Ready and Board-Visible Outcomes.

We help organisations move from fragmented compliance efforts to structured, evidence-driven, and audit-defensible operating models — across privacy, digital trust, cybersecurity, assurance, and financial advisory.

Credentials: NDPC/DCP/01784 · IIM ATO #d193ed82f32a4eb64 · ISACA DTEF · FCA · CISA · CDPSE

01
Privacy & Compliance

Privacy & Data Protection Compliance

Client Problem

Many organisations possess policies but lack operational evidence of privacy governance. Policies sit in document repositories, DPIAs have never been conducted, processing records are incomplete or absent, and no one in the organisation can produce evidence of compliant processing under inspection — because it does not exist.

Regulatory Trigger

NDPA and GAID require accountability, transparency, lawful processing, breach readiness, and demonstrable governance. The NDPC's inspection framework tests for operational capability — not policy posture. Organisations that cannot evidence their processing activities, DPIA completion, and DPO function face active enforcement risk.

SAC Advisory Response

As an NDPC-Licensed DPCO (NDPC/DCP/01784), SAC designs, implements, and embeds privacy governance frameworks that are regulator-aligned and audit-defensible — structured to the documentation standard the NDPC's inspection framework applies, not the standard that satisfies internal review.

Core Deliverables
  • Privacy governance framework
  • Privacy notices (NDPA-compliant)
  • DPIA framework and templates
  • Records of Processing Activities (RoPA)
  • Data Subject Access Request SOP
  • Breach response framework
  • Staff awareness programme
Evidence Outputs
  • Audit-ready documentation pack
  • Compliance evidence tracker
  • Management action plan
  • Compliance maturity assessment
Board-Level Value

Improved governance visibility, reduced regulatory exposure, stronger institutional confidence, and a privacy posture that can be reported to the board quarterly and evidenced to the NDPC on demand.

02
NDPC Regulatory Filing

NDPC Compliance Audit Returns

Client Problem

Annual Compliance Audit Returns are mandatory for all DCPMI-classified organisations — and must be filed by a licensed DPCO. Most organisations are overdue. Some are unaware of the obligation. Others have attempted to file but lack the structured evidence that the NDPC's submission format requires.

Regulatory Trigger

NDPA Section 32 and the GAID require data controllers and processors of major importance to file annual compliance audit reports — prepared and certified by a licensed DPCO. The NDPC has moved from advisory to enforcement on this obligation. Failure to file carries active sanction risk.

SAC Advisory Response

As a licensed DPCO, SAC prepares, certifies, and files CAR submissions directly with the NDPC — not just advisory support for client-managed filing. We conduct the compliance audit, structure the evidence, certify the report, and manage the NDPC correspondence in SAC's name as the licensed DPCO of record.

Core Deliverables
  • NDPC compliance audit (DPCO-conducted)
  • CAR preparation and DPCO certification
  • NDPC submission and correspondence management
  • Compliance gap remediation roadmap
  • Board-ready compliance summary
Evidence Outputs
  • NDPC-filed CAR with DPCO certification
  • Filing confirmation record
  • Compliance audit evidence pack
  • Management action plan for gaps identified
Board-Level Value

Demonstrated regulatory compliance, elimination of active enforcement risk from overdue filings, and a board-visible record of annual compliance posture — prepared, certified, and filed by Nigeria's licensed DPCO of record.

03
NDPC Registration

DCPMI Registration Advisory

Client Problem

Many organisations have not confirmed whether they meet the DCPMI threshold — and therefore do not know whether registration is mandatory for them. Others have determined they must register but have not progressed the application. Both positions carry enforcement exposure.

Regulatory Trigger

NDPA Section 30 and the GAID define Data Controllers and Processors of Major Importance as those processing personal data of 2,000 or more data subjects in a 12-month period, or processing special category data at any volume. Most regulated entities, banks, hospitals, and public sector bodies meet this threshold. Registration is mandatory — not voluntary — and failure to register is an active enforcement risk.

SAC Advisory Response

SAC conducts threshold assessment, prepares the DCPMI registration application, coordinates submission to the NDPC, and manages the annual renewal cycle — ensuring organisations are registered, current, and able to evidence their registration status under inspection.

Core Deliverables
  • DCPMI threshold assessment
  • Registration application preparation
  • NDPC submission and correspondence
  • Registration certificate custody
  • Annual renewal management
Evidence Outputs
  • NDPC DCPMI registration certificate
  • Threshold assessment report
  • Registration filing confirmation
Board-Level Value

Elimination of registration-related enforcement exposure. A board that can confirm DCPMI status in response to NDPC enquiry, regulatory examination, or investor due diligence — with documentary evidence immediately available.

04
Privacy Governance

DPIA & RoPA Implementation

Client Problem

Most organisations that have attempted to build Records of Processing Activities have produced lists, not records — missing the lawful basis documentation, data subject categories, retention schedules, and transfer controls that the NDPC's inspection framework requires. DPIAs, where they exist, are one-time documents rather than living risk assessments integrated into the project lifecycle.

Regulatory Trigger

NDPA Sections 24 and 28 require data controllers to maintain complete, current records of all processing activities and to conduct DPIAs for high-risk processing operations. The GAID specifies the minimum content of each. Incomplete or superficial records and DPIAs will not satisfy NDPC inspection and carry direct enforcement consequences.

SAC Advisory Response

SAC conducts structured processing interviews across the organisation, constructs the RoPA to NDPC-prescribed content standards, identifies and executes DPIAs for high-risk activities, and produces both to the evidence standard required for NDPC submission and board reporting — not just internal documentation.

Core Deliverables
  • Full Records of Processing Activities (NDPC format)
  • Processing inventory and data mapping
  • Lawful basis documentation per activity
  • High-risk processing identification
  • DPIA execution for identified high-risk activities
  • DPIA register and review schedule
Evidence Outputs
  • NDPC-format RoPA (submission-ready)
  • Completed DPIA reports with risk ratings
  • Processing gap identification log
  • Board and DPO executive summary
Board-Level Value

A complete, accurate picture of all processing activities across the organisation — with the governance architecture to keep it current, and the DPIA discipline to manage processing risk before it becomes enforcement liability.

05
Retained DPO Function

DPO-as-a-Service

Client Problem

The NDPA requires organisations above the DCPMI threshold to designate a Data Protection Officer with the expertise, independence, and operational capacity to discharge the role effectively. A junior staff member with the DPO title carries legal accountability without the capability to discharge it. A full-time senior hire is disproportionate for most organisations. Both options fail the NDPC's standard.

Regulatory Trigger

NDPA Section 32(d) and the GAID specify DPO designation requirements — including independence from operational management, expertise sufficient to advise on NDPA compliance, and sufficient access to fulfil the role. A nominal DPO without genuine capability or independence is not compliant, regardless of the title.

SAC Advisory Response

SAC provides a named, credentialled DPCO practitioner as the organisation's designated DPO on a monthly retainer — registered with the NDPC in SAC's name as a licensed DPCO, delivering board-level quarterly reports, managing DSR workflows, and providing the independence and expertise the NDPA's DPO obligation requires.

Core Deliverables
  • Named DPO designation and NDPC registration
  • Quarterly board data protection reports
  • Data Subject Request management and logging
  • Breach assessment and 72-hour notification management
  • Vendor privacy assessment process
  • Staff enquiry and escalation handling
  • Annual compliance audit support
Evidence Outputs
  • NDPC-registered DPO confirmation
  • Board quarterly data protection reports
  • DSR log and processing records
  • Breach register with timeline evidence
Board-Level Value

An NDPA-compliant DPO function operational within 30 days — board-visible, NDPC-recognised, and delivered at a fraction of the cost of a full-time senior hire. The DPO function is credentialled, independent, and capable of evidencing its discharge of the statutory role.

06
Digital Trust & Governance

Digital Trust Advisory

Client Problem

Most Nigerian boards acknowledge accountability for digital trust — under the NDPA, CBN guidelines, and corporate governance expectations — but have no framework for measuring, governing, or reporting on it. Digital risk is managed at the operational level and invisible at the governance level. Accountability without structure is exposure.

Regulatory Trigger

The NDPA places board-level accountability for data protection governance on the board of every DCPMI-classified organisation. The CBN cyber risk management framework assigns cyber governance accountability to boards and audit committees. The ISACA Digital Trust Ecosystem Framework (DTEF) provides the seven-domain governance architecture for organisations that wish to structure and measure digital trust — with SAC as Nigeria's only certified DTEF Facilitator.

SAC Advisory Response

As Nigeria's ISACA DTEF Certified Facilitator, SAC conducts DTEF maturity assessments across all seven trust domains, builds board digital trust governance frameworks, establishes measurable KPIs, and activates the board reporting dashboards that make digital trust a governable — not merely acknowledged — institutional asset.

Core Deliverables
  • DTEF maturity assessment (all 7 domains)
  • Board digital trust governance framework
  • Digital trust KPI framework
  • Board reporting dashboard (quarterly-ready)
  • DTEF improvement roadmap
  • Board digital trust briefing programme
Evidence Outputs
  • DTEF maturity scorecard (7 domains)
  • Board governance framework documentation
  • Audit Committee quarterly report template
  • Digital trust KPI baseline and targets
Board-Level Value

A board that can report on digital trust posture with specificity — to the NDPC, the CBN, its auditors, and its investors — with a DTEF-structured governance framework that converts accountability into measurable, reportable institutional capability.

07
Cybersecurity & Risk

Cybersecurity Resilience & Assurance

Client Problem

Most cybersecurity advisory in Nigeria is technical in orientation — focused on penetration testing, vulnerability management, and IT controls. Boards and audit committees require a different output: a governance-layer view of cyber risk, with accountability structures, board-reportable KPIs, and a controls assurance framework that satisfies both CBN supervisory expectations and NDPA security obligations simultaneously.

Regulatory Trigger

The CBN Cyber Risk Management Framework assigns cyber governance accountability to boards and audit committees of financial institutions. The NDPA Section 38 requires data controllers to implement appropriate technical and organisational security measures. Both obligations are board-level, not IT-level — and neither is dischargeable by reference to a technical team's activity.

SAC Advisory Response

SAC delivers cybersecurity assurance at the governance layer — enterprise cyber risk frameworks, accountability structures, incident response governance, and controls assurance structured for boards and audit committees using NIST CSF, ISO 27001, COBIT, and CBN framework alignment.

Core Deliverables
  • Cyber risk governance framework
  • Board cyber risk accountability structure
  • Incident response governance plan
  • Controls assurance framework
  • CBN/NDPA aligned security gap assessment
  • Cyber KPI framework for board reporting
Evidence Outputs
  • Cyber risk governance documentation
  • Controls assurance report
  • Board cyber risk dashboard
  • CBN framework alignment evidence pack
Board-Level Value

A board that can discharge its CBN and NDPA cyber governance accountability with a structured framework, measurable KPIs, and quarterly reporting — moving from reactive cyber awareness to proactive, evidence-based cyber governance.

08
Assurance & Audit

Independent Assurance & Audit

Client Problem

Internal assurance functions often lack the independence, multi-discipline scope, or technical credentialling to provide the objective assurance that boards, audit committees, regulators, and external auditors require. Organisations that ask their internal team to assure work they implemented — or that rely on advisers to assure their own recommendations — do not have independent assurance. They have internal review under a different name.

Regulatory Trigger

Corporate governance codes, NDPA audit requirements, CBN governance expectations, and international audit standards require independent, objective assurance that cannot be provided by those responsible for the control environment being assessed. Boards that receive assurance only from internal functions or the firm that designed the controls are not discharging their governance obligation.

SAC Advisory Response

SAC provides credentialled independent assurance — CISA, CRISC, and FCA-credentialled — over governance, privacy, cybersecurity, risk, and financial controls. Co-sourced internal audit, forensic investigations, governance reviews, and control design assessments — structured for the scrutiny of regulators, external auditors, and institutional investors.

Core Deliverables
  • Co-sourced internal audit service
  • Governance reviews and control assessments
  • Privacy and cyber controls assurance
  • Forensic investigation support
  • Risk assurance reports
  • Audit committee briefing packages
Evidence Outputs
  • Independent assurance reports (credentialled)
  • Management action plans
  • Board and audit committee presentations
  • Follow-up assurance on management actions
Board-Level Value

Credible, independent assurance that satisfies regulators, external auditors, and boards — delivered by practitioners whose credentials are verifiable and whose independence from the control environment is structurally maintained.

09
Financial Advisory

Financial Advisory & Corporate Finance

Client Problem

Financial governance decisions — from capital structuring to transaction due diligence to financial reporting architecture — require FCA-credentialled leadership that satisfies investor, lender, and regulatory scrutiny. Most organisations either over-invest in advisory for straightforward decisions or under-resource complex ones. Neither produces the financial governance quality that institutional stakeholders require.

Regulatory Trigger

Financial reporting in Nigeria requires FRCN-registered practitioners for sign-off. Institutional investors and lenders apply IFRS-aligned governance expectations. Compliance with PENCOM, ITF, and CAC financial obligations requires practitioner expertise, not just management attention. FCA principals carry the professional obligations that underwrite the credibility of financial advisory.

SAC Advisory Response

SAC's financial advisory practice is led by dual FCA-credentialled principals registered with the Financial Reporting Council of Nigeria — delivering accounting systems advisory, capital structuring, transaction due diligence, project finance support, and financial governance frameworks to the standard that boards, auditors, and institutional investors depend on.

Core Deliverables
  • Financial governance framework design
  • Accounting systems advisory and review
  • Capital structuring advisory
  • Transaction due diligence
  • Project finance advisory and support
  • Financial decision support for boards
Evidence Outputs
  • Financial governance documentation
  • Due diligence reports
  • Capital structure analysis
  • Board financial advisory memoranda
Board-Level Value

Financial advisory that satisfies the scrutiny of institutional investors, lenders, and Nigerian regulators — delivered by FCA principals who carry the professional accountability that underwrites the reliability of the advice they provide.

Engage SAC

Not sure which service applies? Start with a 20-minute diagnostic.

A substantive conversation with a named SAC principal — not a sales call, not a questionnaire. Clarity on your specific regulatory exposure, governance gap, and the SAC service that addresses it, in 20 minutes.

20 minutes · Named SAC principal · No screening · No sales process · Substantive diagnostic · No obligation

NDPC/DCP/01784 · IIM ATO #d193ed82f32a4eb64 · ISACA DTEF Certified Facilitator · FCA · CISA · CDPSE · CAC RC 2638736