The Nigeria Data Protection Commission (NDPC) has issued a Guidance Notice on Continuous Professional Development (CPD) for Data Protection Officers (Guidance Notice) pursuant to Schedule 3 of the General Application and Implementation Directive (GAID) 2025.

2 July 26

The Guidance Notice operationalises the Data Protection Officers (DPO) verification framework under the Nigeria Data Protection Act (NDPA) 2023 and the GAID by introducing measurable annual professional development requirements for verified DPOs. It establishes a structured CPD points framework, prescribes qualifying professional activities and specifies the evidence required to maintain an active DPO verification status.

Verified DPOs are required to obtain a minimum of twenty (20) CPD points annually to maintain their active verification status. At least ten (10) of the required points must be earned through structured training and certification activities, reflecting the Commission’s emphasis on continuous technical competence.

CPD points may be obtained through a combination of qualifying activities, including:

  • participation in NDPC-accredited training programmes, recognised workshops and webinars, and approved e-learning courses;
  • acquisition or renewal of recognised international privacy certifications;
  • publication of peer-reviewed articles, industry articles and policy briefs;
  • speaking engagements, panel participation and facilitation of NDPC-accredited training programmes;
  • participation in recognised privacy conferences, professional bodies and NDPC technical working groups;
  • mentorship of emerging privacy professionals; and
  • contributions to regulatory consultations and public comment processes.

To support annual verification, DPOs are expected to retain verifiable evidence of completed CPD activities, including certificates of attendance, confirmation emails, copies or links to publications, formal participation letters and Professional Education and Engagement Review (PEER) Forms.

The Guidance Notice further provides that compliance with CPD requirements will be reviewed annually during certification revalidation. A DPO who fails to meet the prescribed requirements may be placed on temporary inactive status pending remediation. The NDPC also indicated that it will establish a digital platform for the submission and monitoring of CPD records.

Implications for Organisations

The Guidance Notice reinforces that compliance with the NDPA extends beyond appointing a qualified Data Protection Officer. Organisations should now ensure that their appointed DPO continues to maintain the professional competence required by the NDPA and the GAID through ongoing learning and active participation in the privacy ecosystem.

Accordingly, organisations should consider:

  • reviewing whether their appointed DPO is meeting the annual CPD requirements;
  • budgeting for privacy training and professional development;
  • supporting participation in recognised privacy conferences and industry initiatives; and
  • maintaining records demonstrating the continuing competence of their DPOs.

The Guidance Notice reflects NDPC’s continued efforts to professionalise the data protection function in Nigeria and aligns with international best practices by promoting continuous learning, technical competence and active engagement within the privacy profession.

For enquiries regarding the implementation of the Guidance Notice, DPO advisory services, or broader data protection compliance obligations under the NDPA and the GAID.

 


Should you have any questions regarding this legal alert, please do not hesitate to contact  GRC@aluko-oyebode.com or ao@aluko-oyebode.com.ng.

Subscribe

* indicates required
Our Social Media


© 2026 ALN. All rights reserved