Short answer: if you have more than 2,000 Nigerian data subjects in your system, you need a DPO. That's not a suggestion — the NDPA makes it a requirement.
The longer answer involves figuring out what a DPO actually does all day, whether you can afford a full-time hire, and whether outsourcing the role makes more sense. I've worked both sides of this — as a compliance professional inside large financial institutions, and now advising Nigerian businesses on how to set it up properly.
The threshold is lower than you think
You're classified as a Data Controller or Processor of Major Importance (DCMI/DPMI) — and therefore need a DPO — if any of these apply:
You process data of more than 2,000 data subjects. That's customers, users, employees, anyone. If you run a fintech app, you cleared that number in your first month. An e-commerce platform, a payroll provider, a SaaS tool with Nigerian users — all over the line.
You process sensitive personal data. Financial records, health data, biometrics, children's data. If you're in fintech, you're processing financial data by definition.
You're in a regulated sector. Banking, insurance, telecoms, healthcare.
Even if you technically fall below the threshold, I'd still recommend appointing one. Enterprise clients increasingly ask about it during procurement. Regulators view it favourably. And once you're processing data at any meaningful scale, the work of a DPO needs doing whether or not you've given someone the title.
What the DPO actually does
I've seen too many companies appoint a DPO and then give them no authority, no resources, and no idea what they're supposed to be doing. Here's what the role actually involves:
They're the NDPC's first phone call. When the regulator has questions — and they will, eventually — they contact the DPO. This isn't admin. It's the person who needs to understand every data flow in your organisation well enough to answer questions under pressure.
They manage compliance day-to-day. Reviewing processing activities, checking lawful bases, making sure privacy notices match reality, ensuring the data subject rights process actually works. The 30-day clock on a data subject request doesn't care that your DPO was on leave.
They own the CAR filing. Preparation, coordination with your DPCO, and submission. This is annual but the prep takes weeks.
They handle breaches. Assessing severity, deciding whether to notify NDPC, coordinating the response. Usually at 2am on a Saturday, because that's when breaches happen.
They review DPIAs. Every new AI system, every significant change to data processing. The DPO signs off on the risk assessment before deployment, not after.
They train your team. Most data breaches start with a person, not a hacker. The DPO makes sure your people know what personal data is, why it matters, and what to do when something goes wrong.
What a full-time DPO costs
In Nigeria, the salary range:
- Junior (1-3 years): ₦4-8 million/year
- Mid-level (3-7 years): ₦8-15 million/year
- Senior with CIPP/E or equivalent (7+ years): ₦15-25 million/year
Add benefits, equipment, training, and you're looking at a serious line item. For a Series A fintech or an established bank, fine. For an early-stage company that needs maybe 10-20 hours of DPO work per month? That's a lot of money for a part-time need.
The outsourced alternative
DPO-as-a-Service exists for exactly this reason. You get an external professional acting as your named DPO — registered with NDPC, handling compliance obligations, available when you need them — on a monthly retainer.
What you typically get:
- Named DPO registered with NDPC
- CAR filing preparation and oversight
- Data subject request management
- Annual privacy audit of your processing activities
- Breach assessment and response coordination
- DPIA reviews for new systems
- Regulatory update briefings when NDPC publishes new guidance
- Annual staff training session
What it costs: ₦600,000 – ₦1,500,000/month depending on your complexity. A fintech with 3 AI systems and cross-border data flows is more work than a domestic retailer with a customer database.
The maths is straightforward. A mid-level full-time DPO costs ₦8-15 million/year. Outsourced runs ₦7.2-18 million/year at the ranges above, but you get someone who's already experienced, already certified, and doesn't need ramping up. For most SMEs, outsourced wins until the workload justifies a dedicated hire.
Why AI makes this harder
A DPO for a business running AI systems needs to understand more than data protection law. They need to understand how the systems actually work.
A WhatsApp chatbot processing thousands of customer conversations daily creates a volume of personal data that needs systematic management. An AI fraud detection system making automated decisions about real people triggers specific NDPA obligations around transparency and human review. A credit scoring model making lending decisions based on transaction patterns needs explainability documentation.
Every AI API call to OpenAI or Anthropic sends data outside Nigeria, creating cross-border transfer obligations. The DPO needs to understand these data flows well enough to document them properly and assess the risks.
A DPO who treats AI as a black box will miss things. You want someone who's actually built or deeply worked with these systems, not someone who's just read about them.
What to look for when choosing
If you're going the outsourced route, a few things matter:
Nigerian regulatory knowledge. The NDPA is not GDPR with different branding. The DPCO requirement, the CAR filing process, NDPC's enforcement approach — these are Nigeria-specific. Someone who only knows GDPR will miss things.
Technical understanding. Can they have a real conversation about your AI architecture? Can they assess a data flow diagram and spot the compliance risks? If they can't, their DPIAs will be generic templates that won't survive regulatory scrutiny.
Fixed pricing. Monthly retainer, known cost. Not hourly rates that balloon when a breach happens or a regulator asks questions — which is exactly when you need the most help.
CAR filing capability. Make sure they either are a licensed DPCO or work with one. Your DPO and your DPCO can be different entities, but the DPO should at minimum coordinate the filing process.
Responsiveness. Breaches don't happen during business hours. Regulatory inquiries come with deadlines. A DPO you can't reach when it matters is worse than no DPO at all.
Getting started
Figure out whether you're over the DCMI/DPMI threshold. If you process data of more than 2,000 Nigerians — and you almost certainly do — you need to appoint one.
Decide full-time vs outsourced based on your actual workload, not aspiration. Most businesses under 50 employees don't need a full-time DPO. They need reliable, competent oversight a few days per month.
Get them registered with NDPC. And then actually let them do the job — access to systems, authority to flag issues, and a direct line to whoever makes decisions.
Need a DPO for your Nigerian business? Our NDPA Fintech Compliance Programme includes DPO services, NDPC registration, and CAR filing — from ₦3,500,000. Not sure where you stand? Start with an NDPA Readiness Diagnostic — ₦500,000.