NDPA Compliance for SMEs: A 90‑Day Action Plan

• Lawful, fair, transparent: tell people what you’ll do with their data, and have a legal basis.
• Purpose & minimisation: collect only what you need for specified purposes.
• Accuracy & retention: keep data accurate and only as long as necessary.
• Security: protect against loss, unauthorised access or disclosure.
• Rights: enable access, correction, deletion, objection and portability where applicable.
• Accountability: document what you do (records, policies, logs, contracts).

This guide is NDPA‑inspired and keeps language generic—always confirm current regulator guidance before final implementation.

1. Map data flows: for HR, customer, vendor and product data. Identify controllers vs processors.
2. Choose lawful bases: contract, legal obligation, legitimate interests, consent where needed.
3. Draft external privacy notice: website/app notice + short notice for forms/checkout.
4. Stand up RoPA: start with top 10 processes. Capture purpose, categories, recipients, retention, security.
5. Quick security fixes: MFA on email & admin tools; revoke stale accounts; encrypt laptops; backups.
6. Cookie & tracking review: switch off unneeded third‑party tags; prepare a consent banner if you rely on cookies for marketing/analytics.
7. Vendor list & contracts: collect DPAs or add NDPA clauses; verify location & sub‑processors.
8. DSR intake: create a working email (privacy@…) and a web form with ID verification steps.

If you’re a larger or high‑risk operator, consider designating a DPO function and registering/engaging with the regulator as required by current guidance.

1. Policies: approve Privacy Policy, Retention Schedule, Information Security Policy, Acceptable Use, BYOD, Access Control.
2. DSR workflow: verify identity, assess scope, search systems, respond within internal SLA; keep a response log.
3. Contracts: roll out NDPA‑compliant DPAs to processors (processing instructions, confidentiality, security, sub‑processor approval, return/delete on exit).
4. Cross‑border transfers: identify transfers; apply approved mechanisms/safeguards; document transfer risk assessment.
5. Retention & deletion: implement auto‑deletion in systems where possible; add manual review cadence.
6. Access control & logging: least privilege, quarterly access reviews, admin logs, vendor access management.

1. DPIA: run privacy impact assessments for high‑risk processing (e.g., large‑scale profiling, sensitive data, CCTV/biometrics).
2. Training: 30‑minute annual privacy & security basics for all staff; role‑based training for HR/Support/Engineering.
3. Incident response: define what is a breach; create a triage matrix; tabletop exercise with leadership; have regulator & data subject notification templates ready per current rules.
4. Website & app: publish privacy notice, cookie notice; enable consent banner if used; add “manage my data” link.
5. Board sign‑off: present compliance status, risk register, and 12‑month roadmap.

Records of Processing (RoPA) — sample columns

Data Subject Request (DSR) tracker — sample columns

Vendor DPA — essential clauses

• Processing instructions & confidentiality
• Security measures & breach notification
• Sub‑processor approval & listing
• Assistance with DSRs & DPIAs
• Return/delete data on exit; audit rights

Retention schedule — example

Do we need a DPO?

Designate a DPO function where appropriate for your risk profile and as required by current regulator guidance. Smaller low‑risk entities can assign the role to a trained staff member.

What about breach timelines?

Keep a process to assess and notify the regulator/individuals in line with the latest Nigeria Data Protection Commission (NDPC) requirements. Practically, structure your playbook so you can assess within hours—not days.

Are cookies covered?

Be transparent. If you rely on tracking for analytics/ads, provide notice and an easy way to consent/manage preferences.