Article 10: Building a Privacy Programme for Startups and SMEs

Welcome back to OTL Law and Nexa Advisory’s Knowledge Management Series on Privacy and Data Protection. We have spent the past nine articles unpacking the building blocks of data protection. We have discussed topics ranging from the principles of privacy, the lawful bases for processing, the importance of assessments, to key obligations under the Nigeria Data Protection Act (NDPA) and the General Application and Implementation Directive (GAID 2025).

In this tenth article, we bring it all together.

A privacy programme is the architecture of compliant processing. It is the organisation’s roadmap to embedding privacy principles into everyday operations. While principles and obligations provide the “what” of compliance, a privacy programme explains the “how”.

For startups and small to medium-sized enterprises (SMEs), a privacy programme provides structure, consistency, and accountability. It ensures that data protection is not a one-off activity but an integrated part of the business culture.


1. Leadership Commitment and Accountability

Every privacy programme begins with clear ownership. Founders and executives must recognise that data protection is a business responsibility, not just a legal one. Leadership sets the tone for compliance and determines how seriously the rest of the organisation will take it.

Section 32 of the NDPA requires data processors and controllers of major importance to designate a Data Protection Officer (DPO). The DPO must have independence, expertise, and direct access to senior management. Smaller entities may rely on a licensed Data Protection Compliance Organisation (DPCO) to discharge this function until they can build internal capacity.

Practical Steps for Privacy Leaders:

– Secure executive sponsorship and allocate a privacy budget.

– Create a data protection steering committee that meets regularly.

– Include privacy performance indicators in organisational goals.


2. Map Your Data and Processing Activities

A privacy programme cannot function without understanding what data the organisation processes. Data mapping is the foundation of compliance because it provides visibility into where personal data is collected, how it moves, and why it is processed. Each organisation should document:

– The categories of personal data collected.

– The purpose for which data is processed.

– The lawful basis under the NDPA or GAID 2025.

– The data retention period.

– Where data is stored and who has access.

– Any third-party processors or vendors involved.

– Any cross-border transfers that occur.

This record forms the Data Map, which supports the Record of Processing Activities (ROPA) required under the NDPA and GAID 2025. It also helps demonstrate accountability and identify potential compliance gaps before an audit or investigation.

Practical Steps for Privacy Leaders:

– Use a spreadsheet or simple database to record data flows.

– Consistently review and update the ROPA (monthly or quarterly, depending on the size of your privacy programme).

– Work with heads of departments to validate details of data processing.


Example: Simplified Data Mapping Sheet

3. Develop Core Policies and Procedures

Policies give structure to your privacy programme. They set out the organisation’s stance on data protection and establish procedures for day-to-day operations.

Every organisation should have:

– Privacy Policy: Explains to data subjects how their data is collected, used, and safeguarded.

– Data Retention and Disposal Policy: Defines how long data will be stored and how it will be securely deleted.

– Data Breach Response Policy: Describes how to identify, contain, report, and record breaches.

– Access Control and Security Policy: Outlines who can access personal data and for what purpose.

– Vendor Management Policy: Ensures that contracts contain required data protection clauses and that vendors comply with the NDPA and GAID 2025.

Practical Steps for Privacy Leaders:

– Use the templates provided by the NDPC or DPCOs as a starting point.

– Keep all policies in a shared, version-controlled repository.

– Review and update policies annually or when business processes change.


4. Build Awareness and Train Continuously

People are central to every privacy programme. A well-informed team helps reduce the risk of breaches and strengthens organisational resilience. It is important to train the entire staff about ethical data processing. Most importantly, the customer service (or customer support or customer excellence) team must be trained on every processing activity and the organisation’s approach to processing. This allows them to relay important information to users about the organisation’s data processing culture.

Article 30 of the GAID 2025 requires POs to ensure that all personnel receive regular training appropriate to their role.

Practical Steps for Privacy Leaders:

– Include data protection awareness in employee induction.

– Provide refresher training every quarter.

– Track participation and test understanding through short assessments.

– Include case studies from Nigerian and international enforcement actions.


5. Integrate Privacy by Design and by Default

“Privacy by Design and by Default” means embedding privacy into systems and processes from the outset, not as an afterthought. The GAID 2025 encourages data processors and controllers to prioritise privacy by design and by default to guarantee compliance with the principles of data processing (Schedule 1, Paragraph 2, GAID 2025).

Practical Steps for Privacy Leaders:

– Involve the DPO in all new projects at the design stage.

– Apply techniques such as data minimisation, pseudonymisation, and encryption.

– Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.

– Create a privacy checklist for developers and product managers.

6. Manage Vendors and Cross-Border Transfers

Startups often rely on cloud platforms and international service providers. This reliance introduces compliance obligations around third-party management and cross-border transfers.

Schedule 5 of the GAID 2025 provides clear guidance on Cross-Border Data Transfers. Data may only be transferred outside Nigeria where:

– The destination country or organisation ensures an adequate level of protection, or

– The parties have executed a Cross-Border Data Transfer Instrument (CBDTI) approved by the NDPC.

Practical Steps for Privacy Leaders:

– Maintain a vendor register indicating the transfer mechanism used.

– Update data processing agreements to meet GAID 2025’s mandatory clauses.

– Conduct annual vendor due diligence and request updated security certifications.
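The data map fields listed in Section 2 and the Schedule 5 transfer conditions in Section 6 can be turned into a simple pre-audit check over the ROPA. The script below is an added example written for this article, not a tool from OTL Law, Nexa Advisory or the NDPC: it records each processing activity with the fields the article asks for, then flags the gaps an auditor would look for first (no lawful basis, no retention period, a vendor without a data processing agreement, a transfer out of Nigeria with neither an adequacy finding nor an approved CBDTI). The field names, the "adequacy"/"cbdti" mechanism labels and the sample register are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Transfer mechanisms the article lists as permitted under Schedule 5 of GAID 2025:
# an adequate level of protection at the destination, or an NDPC-approved CBDTI.
# The short labels are this example's own convention, not NDPC terminology.
PERMITTED_TRANSFER_MECHANISMS = {"adequacy", "cbdti"}


@dataclass
class Processor:
    """A third-party processor or vendor named in a processing activity."""
    name: str
    dpa_signed: bool            # data processing agreement with the required clauses in place?


@dataclass
class Transfer:
    """A cross-border transfer of personal data out of Nigeria."""
    destination: str
    mechanism: Optional[str]    # "adequacy", "cbdti", or None if undocumented


@dataclass
class ProcessingActivity:
    """One row of the data map / ROPA, using the fields listed in Section 2 of the article."""
    name: str
    data_categories: List[str] = field(default_factory=list)
    purpose: str = ""
    lawful_basis: Optional[str] = None
    retention_period: Optional[str] = None
    storage_location: str = ""
    access_roles: List[str] = field(default_factory=list)
    processors: List[Processor] = field(default_factory=list)
    transfers: List[Transfer] = field(default_factory=list)


def check_activity(activity: ProcessingActivity) -> List[str]:
    """Return human-readable gap descriptions for one activity (empty list = no gaps found)."""
    gaps: List[str] = []
    if not activity.data_categories:
        gaps.append("no data categories recorded")
    if not activity.purpose:
        gaps.append("no processing purpose recorded")
    if not activity.lawful_basis:
        gaps.append("no lawful basis recorded")
    if not activity.retention_period:
        gaps.append("no retention period recorded")
    if not activity.storage_location:
        gaps.append("storage location not recorded")
    if not activity.access_roles:
        gaps.append("no access roles recorded")
    for p in activity.processors:
        if not p.dpa_signed:
            gaps.append(f"processor '{p.name}' has no data processing agreement")
    for t in activity.transfers:
        if t.mechanism not in PERMITTED_TRANSFER_MECHANISMS:
            gaps.append(f"transfer to {t.destination} has no adequacy finding or approved CBDTI")
    return gaps


def audit_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Check every activity; return {activity name: gaps} only for activities with gaps."""
    report: Dict[str, List[str]] = {}
    for activity in register:
        gaps = check_activity(activity)
        if gaps:
            report[activity.name] = gaps
    return report


# Constructed sample register for illustration only (no real organisation or data).
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="Customer onboarding",
        data_categories=["name", "email", "phone", "date of birth"],
        purpose="Create and verify customer accounts",
        lawful_basis="contract",
        retention_period="7 years after account closure",
        storage_location="Lagos data centre",
        access_roles=["onboarding team", "compliance"],
        processors=[Processor("KYC vendor", dpa_signed=True)],
    ),
    ProcessingActivity(
        name="Marketing newsletter",
        data_categories=["email"],
        purpose="Send product updates",
        lawful_basis=None,                                            # gap: no lawful basis documented
        retention_period="until unsubscribe",
        storage_location="Email platform (cloud)",
        access_roles=["marketing"],
        processors=[Processor("Email platform", dpa_signed=False)],   # gap: vendor without a DPA
        transfers=[Transfer("United States", mechanism=None)],        # gap: undocumented transfer
    ),
]

if __name__ == "__main__":
    for name, gaps in audit_register(SAMPLE_REGISTER).items():
        print(f"{name}:")
        for gap in gaps:
            print(f"  - {gap}")
```

Running the script lists only the newsletter activity, with its three gaps. In practice the register would be loaded from the spreadsheet or database the article recommends, and the report reviewed with department heads at each monthly or quarterly ROPA update.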

7. Monitor, Audit, and Continuously Improve

A privacy programme is not a static document. It must evolve with the business and regulatory expectations.

The NDPA and its GAID require DPOs to submit Internal Semi-Annual Data Protection Reports. They also require data processors and controllers of major importance to file Compliance Audit Returns (CARs) through licensed DPCOs.

Practical Steps for Privacy Leaders:

– Conduct annual internal audits and management reviews.

– Maintain logs of breaches, complaints, and subject rights requests.

– Track corrective actions in a compliance register.

– Benchmark practices against NDPC and international standards.

Conclusion

A privacy programme brings together every aspect of data protection we have discussed so far. It is the framework that translates principles, legal obligations, and assessments into a structured system for everyday practice. It ensures that privacy compliance is intentional, documented, and demonstrable.

For startups and SMEs, building a privacy programme may appear daunting, but starting small is perfectly fine. Begin with leadership commitment, policy documentation, and training. Then, build out data mapping, audits, and continuous improvement as your organisation grows. A well-designed privacy programme strengthens trust, reduces risk, and demonstrates accountability to clients, partners, and regulators.

If you still have questions or you need help with building a privacy programme for your organisation, you can respond to this email and we’d be sure to assist you.

In the next article, we will discuss data subject rights and how organisations can operationalise requests for access, correction, deletion, and portability.

Short Test

  1. What is the purpose of a privacy programme?

    a) To market data services

    b) To provide a roadmap for compliant data processing

    c) To replace legal advice

    d) To manage customer engagement only

  2. Under which NDPA provision must organisations designate a DPO?

    a) Section 32

    b) Section 25

    c) Section 7

    d) Section 15

  3. What is the primary purpose of data mapping?

    a) To understand the flow and purpose of personal data

    b) To track website visitors

    c) To assess employee satisfaction

    d) To review system backups

  4. Which GAID Schedule addresses Cross-Border Data Transfers?

    a) Schedule 4

    b) Schedule 5

    c) Schedule 7

    d) Schedule 9

  5. True or False: Privacy by Design is applied only after a product is launched.