Problem-Led · Outcome-Focused
Structured Interventions for Compliance, Trust, Governance and Resilience.
Our solutions are designed around the real problems institutions face: regulatory scrutiny, weak evidence, fragmented accountability, breach exposure, vendor risk, and board-level visibility gaps.
Each solution is scoped, deliverable-defined, and outcome-anchored, and sets out the challenge, SAC's intervention, what you receive, and the expected outcome.
NDPA / GAID Compliance Enablement
Organisations often have documents but cannot demonstrate that privacy governance operates in practice.
Board Privacy Governance
Boards acknowledge privacy accountability but have no framework for reporting on, governing, or evidencing it.
Audit Evidence Readiness
When NDPC inspects or internal auditors request compliance evidence, organisations scramble to produce records that should already exist.
Breach Readiness & Incident Response
Most organisations could not execute an NDPA-compliant breach response today — the 72-hour notification clock starts ticking the moment a breach is discovered.
Vendor & Third-Party Risk Management
Organisations share data with dozens of vendors without structured data processing agreements, due diligence, or transfer risk assessments.
Cross-Border Data Transfer Advisory
Multinationals and organisations using international cloud services are transferring data internationally without confirming NDPA lawfulness.
DCPMI Readiness & Registration Support
Organisations have not assessed whether they meet the DCPMI classification threshold — and therefore do not know if mandatory registration is overdue.
Compliance Remediation Roadmap
Following a gap assessment, internal audit finding, or regulatory notification, organisations need a structured, sequenced remediation plan — not a list of recommendations.
Organisations often have documents but cannot demonstrate that privacy governance operates in practice. Policies sit in document repositories; DPIAs have never been conducted; processing records are incomplete. When the NDPC inspects, the gap between policy existence and operational evidence becomes immediately apparent and immediately enforceable.
- Lawful basis documentation for every processing activity
- DPIA evidence for high-risk processing
- Records of Processing Activities (RoPA) — current and complete
- Breach readiness — 72-hour notification capability
- Data subject rights handling procedures
- Accountability records — timestamped, attributed, retrievable
As an NDPC-Licensed DPCO (NDPC/DCP/01784), SAC implements an end-to-end compliance architecture aligned with NDPA and GAID expectations — structured to the evidence standard the NDPC's inspection framework applies, not the standard that satisfies internal review.
- Privacy governance framework
- NDPA-compliant privacy notices
- DPIA framework and completed DPIAs
- Full Records of Processing Activities
- DSAR handling SOP
- Breach response framework
- Staff awareness programme
- Compliance evidence tracker
- Board reporting pack
30–60 days
Dependent on organisation size and processing complexity. Delivered by NDPC-Licensed DPCO.
A defensible compliance posture that can withstand internal review, board scrutiny, and regulatory engagement — with evidence that exists before inspection, not assembled under it.
Boards acknowledge privacy accountability under the NDPA but have no governance framework for measuring, reporting on, or evidencing their discharge of that accountability. Digital trust and data protection are managed operationally but invisible at the governance layer — leaving the board exposed to accountability it cannot demonstrate.
- Board-level data protection oversight structure
- Regular DPO reporting to the board or audit committee
- Digital trust KPIs in board governance agenda
- Board-visible accountability for NDPA obligations
- Audit committee digital trust briefings
As Nigeria's ISACA DTEF Certified Facilitator, SAC builds a board-level privacy and digital trust governance framework — from accountability structures to KPI dashboards — that makes board oversight structured, measurable, and reportable to the NDPC and external stakeholders.
- Board privacy governance framework
- DPO reporting structure and templates
- Digital trust KPI framework (DTEF-aligned)
- Audit committee quarterly report template
- Board digital trust briefing programme
- NDPA accountability documentation
45 days
Delivered by ISACA DTEF Certified Facilitator.
A board that can report on digital trust and privacy governance with specificity — to the NDPC, CBN, auditors, and investors — with a governance framework that converts accountability into a measurable, board-reportable asset.
When the NDPC inspects or internal auditors request compliance evidence, organisations scramble to produce records that should already exist. Evidence assembled under time pressure is structurally weaker than evidence built into the compliance architecture from the start — and auditors and inspectors can usually tell the difference.
- Contemporaneous, timestamped compliance records
- Attributed documentation (who approved, who actioned)
- Structured evidence pack formatted to NDPC's inspection framework
- Management action plans for identified gaps
- Evidence of remediation — not just intent
SAC conducts a structured audit evidence review, identifies and fills documentation gaps, formats the evidence pack to the NDPC's inspection standard, and builds the ongoing evidence management architecture that ensures future audit readiness without a pre-inspection scramble.
- Compliance audit evidence pack (NDPC format)
- Documentation gap analysis and remediation
- Evidence tracker and management system
- Management action plan
- Audit readiness assessment report
- Annual evidence management calendar
15–30 days
Dependent on current documentation state.
An organisation that is inspection-ready at any point — with evidence that exists before the audit clock starts, not assembled under its pressure.
Most organisations could not execute an NDPA-compliant breach response today. The 72-hour notification clock starts running the moment a breach is discovered — not when it is investigated. Breach response plans that exist only as documents and have never been tested produce disorganised, delayed, and incomplete notifications that compound the original breach liability.
- 72-hour NDPC notification from moment of discovery
- Documented breach assessment process
- Data subject notification where required
- Breach register with timeline evidence
- Remediation records and post-breach review
SAC builds the breach response architecture — framework, protocols, roles, breach register, notification templates, and escalation procedures — and then tests it through a structured simulation. As a licensed DPCO with 24-hour response SLA, SAC can also be engaged as the first-call breach response resource when an incident occurs.
- Breach response framework and playbook
- Role assignments and escalation procedures
- NDPC notification templates (72-hour compliant)
- Breach register and assessment process
- Tabletop breach simulation exercise
- Post-simulation findings report
- Optional: 24-hour incident retainer
10–20 days
An organisation that can execute a complete NDPA-compliant breach response within the 72-hour window — with documented evidence of the response, notification, and remediation for NDPC inspection.
Organisations routinely share personal data with vendors — cloud platforms, payroll processors, marketing tools, IT support providers — without data processing agreements in place, without due diligence on the vendor's security posture, and without a formal assessment of the transfer risk. Under the NDPA, a controller is accountable for what its processors do with data on its behalf.
- Data Processing Agreements with all processors
- Processor due diligence and security assurance
- Third-party transfer risk assessments
- Sub-processor oversight and notification procedures
- Vendor privacy risk register and review cycle
SAC maps the organisation's data sharing relationships, identifies unprotected transfers, drafts DPA terms, conducts vendor privacy risk assessments, and builds the ongoing third-party risk management architecture that keeps the vendor estate NDPA-compliant across its lifecycle.
- Third-party data sharing inventory
- Data Processing Agreement templates
- Vendor privacy risk assessment framework
- Vendor onboarding privacy checklist
- Vendor risk register
- Sub-processor notification procedure
20–35 days
A compliant vendor estate — every material data sharing relationship governed by a DPA, every processor assessed, every transfer risk documented and managed.
Multinationals, development organisations, and businesses using international cloud services are transferring personal data outside Nigeria without confirming whether the transfer is lawful under the NDPA. International data transfers without a lawful basis are a breach of the NDPA — and NDPC enforcement has begun targeting organisations with cross-border transfer exposures.
- Lawful basis for each international transfer
- Adequacy assessment for the recipient country
- Standard Contractual Clauses or equivalent where adequacy is not confirmed
- Transfer impact assessment for high-risk transfers
- Transfer records in the RoPA
SAC maps all international data flows, assesses each against NDPA transfer conditions, identifies unlawful transfers, designs the lawful transfer mechanism for each, and builds the ongoing transfer monitoring architecture — producing a transfer compliance framework that holds under NDPC scrutiny.
- International data flow mapping
- Transfer lawfulness assessment per destination
- Standard Contractual Clause templates
- Transfer impact assessments (high-risk flows)
- Transfer register (RoPA-integrated)
- Ongoing transfer monitoring procedure
15–25 days
Every international data transfer operating on a documented lawful basis — with the transfer mechanism and impact assessment evidence available for NDPC inspection.
Organisations have not assessed whether they meet the DCPMI classification threshold — and therefore do not know if mandatory registration is overdue. Some have heard of DCPMI requirements but assume they do not apply. Most regulated entities, banks, hospitals, and public sector bodies meet the threshold. Registration is mandatory, not voluntary — and failure to register carries active enforcement risk.
- Threshold assessment against GAID criteria
- NDPC DCPMI registration application
- DPO designation and registration
- Annual renewal and compliance maintenance
- CAR filing by a licensed DPCO
SAC conducts the threshold assessment, prepares and submits the DCPMI registration application, manages NDPC correspondence, and supports the DPO designation — as a licensed DPCO authorised to act as the organisation's DPCO of record for registration and CAR filing purposes.
- DCPMI threshold assessment report
- NDPC registration application (prepared and submitted)
- NDPC correspondence management
- Registration certificate custody
- Annual renewal management
- Post-registration compliance roadmap
10–15 days (SAC preparation) + NDPC processing
DCPMI registered with the NDPC — enforcement risk eliminated, registration certificate held, and annual renewal cycle managed. The organisation can evidence its registration status on demand.
Following a gap assessment, internal audit finding, or regulatory notification, organisations receive lists of compliance gaps — but not a structured plan for closing them. Compliance remediation without a sequenced roadmap produces scattered, incomplete action that leaves material gaps unresolved while less critical items receive disproportionate attention.
- Prioritised remediation sequence with risk rationale
- Responsibility assignment for each action item
- Progress tracking with evidence requirements
- Board-visible remediation status reporting
- Independent verification of remediation completion
SAC designs a structured compliance remediation roadmap — gap-prioritised by regulatory risk, sequenced for operational feasibility, assigned with named responsibilities, and tracked with the evidence disciplines that allow independent verification of completion. Available as a standalone scoping engagement or as a follow-on to a SAC gap assessment.
- Prioritised compliance gap register
- Sequenced remediation roadmap (12-month)
- Responsibility assignment matrix
- Evidence requirements per action item
- Progress tracking dashboard
- Board remediation status report template
- Optional: quarterly remediation review
10–15 days (roadmap design)
A structured remediation plan that closes material compliance gaps in priority sequence — with evidence of progress available for board reporting, NDPC response, or external audit.
NDPA Obligation to SAC Solution Mapping.
Every SAC solution maps directly to a named NDPA provision. The table below shows the regulatory obligation, the statutory source, the NDPC enforcement posture, and the SAC solution that addresses it.
| Compliance Obligation | NDPA / GAID Provision | Status | NDPC Enforcement Posture | SAC Solution |
|---|---|---|---|---|
| DCPMI Threshold Assessment & Registration | NDPA Section 30 · GAID Article 4 | Required | Active enforcement. NDPC issuing sanctions for unregistered DCPMIs. | Solution 07: DCPMI Readiness & Registration |
| Records of Processing Activities (RoPA) | NDPA Section 24 · GAID | Required | Inspected during NDPC audits. Absence is an immediate finding. | Solution 01: NDPA Compliance Enablement |
| Data Protection Impact Assessment (DPIA) | NDPA Section 28 · GAID | Required | Required before high-risk processing commences. NDPC verifies completion. | Solution 01: NDPA Compliance Enablement |
| DPO Designation & Registration | NDPA Section 32(d) · GAID | Required | NDPC inspects for DPO competence and independence — not just title existence. | DPO-as-a-Service (see Services) |
| Annual Compliance Audit Return (CAR) | NDPA Section 32 · GAID | Required | Must be filed by a licensed DPCO. NDPC enforcing non-filing. Most organisations overdue. | NDPC Compliance Audit Returns (Services 02) |
| Breach Notification — 72 Hours | NDPA Section 40 | Required | 72-hour clock runs from discovery. NDPC sanctions for late, incomplete, or absent notification. | Solution 04: Breach Readiness & Response |
| International Data Transfer Lawfulness | NDPA Sections 43–44 · GAID | Required | NDPC has identified cross-border transfer compliance as a 2026 enforcement focus. | Solution 06: Cross-Border Transfer Advisory |
| Data Processing Agreements (Vendors) | NDPA Section 29 · GAID | Required | Controllers accountable for processor compliance. DPAs mandatory for all material processors. | Solution 05: Vendor & Third-Party Risk |
| Board Digital Trust Governance | NDPA · CBN Cyber Framework · DTEF | Recommended | Board accountability framing increasingly applied during NDPC engagement. CBN examination applies. | Solution 02: Board Privacy Governance |
| Audit Evidence Architecture | NDPA · NDPC Inspection Framework | Recommended | Organisations without structured evidence consistently fare poorly under NDPC inspection. | Solution 03: Audit Evidence Readiness |
Source: NDPA 2023 · GAID · NDPC Enforcement Framework · SAC engagement intelligence · April 2026. Required = mandatory under NDPA/GAID. Recommended = strongly indicated by regulatory posture.
Which Solution Fits Your Situation?
NDPA / GAID Compliance Enablement
Your priority is building the compliance architecture from the ground up — RoPA, DPIA framework, privacy notices, DPO function, and breach readiness — before the NDPC selects you for an inspection cycle.
Audit Evidence Readiness
You have a compliance programme in name but the evidence infrastructure is absent or insufficient. The priority is building evidence that exists before inspection — not assembled under it.
Board Privacy Governance
Your operational compliance may be reasonably sound, but the governance layer is absent. The priority is building the board-visible oversight framework that makes privacy accountability structural, not nominal.
NDPC Compliance Audit Return Filing
CAR filing is overdue and carries active enforcement risk. SAC, as a licensed DPCO, can prepare, certify, and file the CAR directly with the NDPC — often within 10–15 business days of engagement commencement.
Vendor & Third-Party Risk Management
Your immediate exposure is the vendor data-sharing relationship without DPAs. Under NDPA, you are accountable for what your processors do with data — and every unprotected transfer is an active enforcement risk.
DCPMI Readiness & Registration
If you process the data of 2,000 or more data subjects annually, DCPMI registration is mandatory and likely overdue. SAC can assess your threshold status and initiate the registration process within days.
Compliance Remediation Roadmap
You have audit findings or a regulatory notification. The priority is a structured, sequenced remediation plan — not scattered action on the lowest-risk items while material gaps remain open.
Breach Readiness & Incident Response
If a breach has occurred or is suspected, the 72-hour NDPC notification clock may already be running. SAC's licensed DPCO team can be engaged immediately as first-call incident response support — assessment, notification drafting, and NDPC liaison.
Not sure which solution you need? Start with a 20-minute diagnostic.
A substantive conversation with a named SAC principal — not a sales call, not a questionnaire. Clarity on your specific regulatory exposure, governance gap, and the SAC solution that addresses it, in 20 minutes and at no obligation.