Nigeria · Fractional DPO

Outsourced DPO for Nigerian fintechs

A named Data Protection Officer under NDPA Section 32, on a fixed monthly retainer. NDPC coordination, breach response, DSARs, DPIA reviews, and DPCO liaison.

CIPP/E certified Nigerian lawyer (BL) with 10+ years in financial services compliance. Currently Market Privacy Officer at TMF Group covering British Isles, Ireland, and Luxembourg with 30+ DPIAs delivered, zero late regulator notifications.

From ₦600,000/month. 12-month minimum. Naira billing, no hourly surprises.

  • Called to the Nigerian Bar (BL)
  • CIPP/E Certified
  • 30+ DPIAs Delivered
  • Zero Late Regulator Notifications

Who this is for

Nigerian fintechs at or approaching DCMI / DPMI threshold

The Nigeria Data Protection Act 2023 requires Data Controllers and Processors of Major Importance (DCMIs / DPMIs) to designate a Data Protection Officer. The threshold typically catches fintechs processing data for over 2,000 data subjects, processing sensitive data, or operating in regulated sectors. Most fintechs licensed under CBN cross this threshold quickly.

For most fintechs at this stage, a full-time internal DPO is not commercially justified. The compliance workload is real but not full-time. The right answer is a fractional DPO with the experience to cover the obligation properly at a fraction of full-time cost.

Where this fits:

  • Series A–C fintechs scaling past 2,000+ active customers and adding regulated services
  • Payment processors and PSPs with cross-border data flows to international acquirers
  • Digital banks (DMBs) and microfinance banks scaling NDPA compliance alongside CBN obligations
  • AI-using fintechs (credit scoring, fraud detection, KYC automation) processing personal data at scale
  • Diaspora-serving fintechs with EU/UK data subjects (GDPR layered on NDPA)

Pricing tiers

Three retainer tiers, fixed monthly Naira pricing

All tiers include a named DPO designation under NDPA Section 32. The differences sit in scope of DPIA reviews, DPCO liaison, Board reporting, and response SLAs.

Essentials

₦600,000 per month (~£300 GBP equivalent)

Early-stage fintechs at DCMI / DPMI threshold or scaling toward it. Lean compliance posture, occasional DSARs, low incident volume.

  • Named DPO designation under NDPA Section 32
  • NDPC-facing coordination and correspondence
  • DSAR handling
  • Breach assessment and 72-hour notification preparation
  • Monthly check-in (60 minutes)
  • Email + WhatsApp access during business hours

Standard

₦1,000,000 per month (~£500 GBP equivalent)

Growth-stage fintechs with active product changes, vendor onboarding, and regular regulator interaction. Most Series A-B Nigerian fintechs sit here.

  • All Essentials services
  • DPCO liaison and CAR preparation pack
  • DPIA reviews for new products and vendors (up to 4 per quarter)
  • Article 28-equivalent processor agreements
  • Privacy training (annual refresher + onboarding materials)
  • Quarterly review with leadership

Premium

₦1,500,000 per month (~£750 GBP equivalent)

Larger fintechs, payment processors, banks, and DMBs with significant data volumes, frequent regulator contact, and Board-level privacy reporting needs.

  • All Standard services
  • Quarterly Board reporting pack ready for governance materials
  • Dedicated quarterly site visit (Lagos / Abuja)
  • Board attendance for quarterly governance reviews (virtual or in-person)
  • Unlimited DPIA reviews within reasonable scope
  • Priority breach response (named contact, 4-hour response SLA)

12-month minimum. Naira billing. No hourly billing, no FX surprises. GBP figures shown for reference; invoicing is in Naira.

What's included

The work the DPO actually does

Named DPO designation under NDPA Section 32

A specific named individual designated as your DPO and registered with the NDPC. Direct contact details, formal acknowledgement of the role, and the independence requirements of Section 32 met.

NDPC-facing coordination and correspondence

All NDPC inquiries, notices, audits, and routine engagement handled. Responses drafted, filed, and tracked. Your engagement log kept current.

Data Subject Access Requests (DSARs)

DSAR intake, identity verification, scope assessment, redaction, and response within statutory timelines. Templates and SLAs documented; audit trail maintained.

Breach assessment and notification (72-hour workflow)

Section 40 breach awareness assessment, severity scoring, regulator notification preparation, and affected data subject notification where required. Incident register maintained.

DPIA reviews for new products and vendors

Privacy impact assessments for new product launches, system changes, and material vendor onboarding. Article 22-equivalent considerations where automated decisioning is involved.

Article 28-equivalent processor agreements

Vendor data processing agreements drafted, reviewed, and tracked. Sub-processor register kept current. Standard Contractual Clauses for cross-border data flows.

CAR preparation pack

The data, documentation, and supporting evidence the licensed DPCO needs to file the annual Compliance Audit Return on your behalf. We prepare the pack; the DPCO files. (Higher tiers include direct DPCO liaison.)

DPCO coordination

If you have an existing DPCO partner we coordinate with them. If you do not, we recommend a vetted DPCO and manage the relationship for filing-season tasks.

Privacy training for staff

Onboarding privacy training for new joiners and annual refresher training for the wider team. Materials maintained and updated as the regulation evolves.

Monthly review and quarterly Board pack

Monthly check-in on privacy posture, open incidents, and DSAR throughput. Premium tier includes the quarterly Board reporting pack ready for inclusion in your governance materials.

What's not included

Honest scope

Stating what is out of scope upfront avoids the friction and surprise that ruin retainer relationships.

  • CAR filing itself (must be performed by a licensed DPCO; we coordinate with one)
  • Litigation, contentious dispute resolution, or representation in court
  • Sector-specific regulatory work outside NDPA / NDPC remit (e.g., bespoke CBN AML automation build, securities regulation)
  • Custom software development or technical implementation
  • External communications strategy or PR response (we coordinate but do not lead)

Why Janus

Why Nigerian fintechs choose Janus

Lawyer plus builder

Most DPOs are lawyers. Most fintech CTOs find them theoretical. Michael writes the system prompts. He built AI Shield (deepfake detection) and AgentScore (trust scoring for AI agents) end-to-end. The result is privacy advice that accounts for how your systems actually process data.

Active program owner

Currently Market Privacy Officer at TMF Group covering British Isles, Ireland, and Luxembourg. 500+ employees, 4,000+ B2B client relationships, two Local Privacy Officers as direct reports, 30+ DPIAs delivered, zero late regulator notifications. The DPO methodology you get is what already runs at TMF.

Cross-jurisdictional fluency

NDPA + GDPR + UK DPA 2018 + Luxembourg DP law + CCPA reading. If your fintech serves diaspora customers, accepts international cards, or partners with European processors, you need a DPO who handles every regime in one engagement.

Open-source toolkit

The Compliance Engineering Toolkit (CC BY 4.0) includes the NDPA Section 40 breach response framework and chatbot and autonomous agent DPIA templates. These are public artefacts of the methodology you get on retainer.

Practitioner publication

Compliance Engineering is a weekly practitioner newsletter on AI privacy and frontier regulation. Recent issues cover NDPA Section 40 breach awareness-trigger ambiguity and AI agent DPIA construction. Direct evidence of the substantive thinking.

Naira-billed, no FX risk

Fixed monthly Naira retainer. No FX surprises, no hourly billing, no scope creep. You know what the DPO costs every month. The DPO knows what the engagement is. Both sides plan around it.

Common questions

How does this work alongside our DPCO?

The DPO and the DPCO are different roles in the NDPC framework. The DPO sits inside your governance, owns day-to-day privacy operations, and is the named individual under NDPA Section 32 (internal or external). The DPCO is a separately licensed organisation that performs certain regulated services on your behalf, including the annual CAR filing. The two roles work together cleanly. Our outsourced DPO runs the day-to-day privacy program (DSARs, breach response, DPIAs, NDPC coordination) and prepares the CAR pack; your licensed DPCO files. Premium tier includes direct DPCO liaison. If you do not have a DPCO yet, we recommend a vetted partner from our list and manage the handover.

What does the outsourced DPO actually do day-to-day?

The named DPO under your retainer handles: NDPC-facing correspondence and inquiries, Data Subject Access Requests within statutory timelines, breach assessment and 72-hour notification preparation, DPIA reviews for new products and vendors, the Records of Processing Activities (RoPA), Article 28-equivalent processor agreements, privacy training, and quarterly Board / leadership reporting. The exact scope depends on tier. The work pattern matches what an internal DPO would do, charged on a fixed monthly retainer instead of a salary.

How does this work with our existing DPCO?

If your fintech already has a licensed DPCO for CAR filing and other regulated services, the outsourced DPO works alongside them. The DPO owns day-to-day privacy operations; the DPCO files. We coordinate handovers, share documentation, and make sure the CAR pack the DPCO files reflects the actual privacy program we run. If you do not have a DPCO yet, we recommend a vetted DPCO from our partner list and manage the relationship.

What is the minimum engagement length?

Twelve months minimum. The DPO designation is registered with NDPC, and the relationship is intended to be ongoing; it is not something to switch every quarter. You can review the engagement at six-month checkpoints, but the registered designation is annual.

Why fractional rather than full-time?

For most Nigerian fintechs at the DCMI / DPMI threshold (over 2,000 data subjects, regulated sector, sensitive data processing), a full-time DPO is not commercially justified yet. The compliance workload is real but not full-time. A fractional DPO with the right experience covers the obligation properly at a fraction of a full-time DPO's salary plus benefits. As the fintech grows past Series A or hits significantly larger data volumes, an internal DPO hire becomes the right move.

Why a Nigerian lawyer based in the UK?

Called to the Nigerian Bar (BL), CIPP/E certified, 10+ years compliance experience across UK and global financial services (Royal Bank of Scotland, Fidelity International, UnitedHealth Group, currently Market Privacy Officer at TMF Group covering British Isles, Ireland, and Luxembourg). Nigerian fintechs that serve diaspora customers, accept Visa/Mastercard, partner with European processors, or fundraise from international VCs need a DPO who understands both NDPA and the international frameworks (GDPR, UK DPA 2018, CCPA where relevant) at the same time. That cross-jurisdictional fluency is rare in the Nigerian DPO market.

How is pricing structured?

Fixed monthly retainer in Naira. Three tiers (Essentials ₦600,000/month, Standard ₦1,000,000/month, Premium ₦1,500,000/month) with clearly defined scope at each level. Twelve-month minimum. Quoted in Naira to remove FX risk for the fintech. Invoiced monthly. No hourly billing.

Want to discuss outsourced DPO for your fintech?

A ₦500,000 scoping call covers your data flows, classification (DCMI / DPMI), existing privacy posture, and which retainer tier fits. Written report within one week. Credited against the first retainer month if you proceed.