Training Employees and Management on Data Privacy and Protection: A Practical Guide to the NDPC Guidance Notice

By Olawale Adedipe

Introduction

The Nigeria Data Protection Commission (NDPC) recently issued a Guidance Notice clarifying the obligation of data controllers and processors to train their employees on data privacy and protection under the Nigeria Data Protection Act (NDPA) and the General Application and Implementation Directive (GAID). Article 30(1) of the GAID requires organisations to prepare and implement an organisational schedule for internal sensitisation and training, while Article 46(3) requires employees and contractors to be trained periodically on emerging developments in data processing.

In practice, untrained employees are the weakest link in an organisation’s data‑security architecture: a single mishandled request, misdirected e‑mail or unlocked workstation can expose the company to privacy breaches, legal liability and reputational damage that no technical control was designed to catch.

Whether a company’s privacy team manages training internally or assigns this responsibility to external providers, the following items represent the actionable steps for designing a robust training programme for general staff, management and Data Protection Officers (DPOs).

  1. Content Requirements for General Employees and Management

The Notice provides clarity by setting out the fundamental content requirements that all data privacy and protection training must address. Specifically, it requires that training programmes for general employees and senior management cover four core areas:

    1. basic data‑protection principles and concepts
    2. the lawful bases of processing
    3. data‑subject rights
    4. technical and organisational measures of data protection.

These pillars reflect the core obligations in the NDPA and should be tailored to the organisation’s operations. For example, principles such as lawfulness, fairness and accountability can be brought to life through departmental case studies; lawful bases should be contextualised with real‑world processing scenarios drawn from the organisation’s own activities; and data‑subject rights should be explained alongside the organisation’s internal request‑handling procedures, so that staff know who receives an access or erasure request and within what timeline it must be answered. Technical and organisational measures include access controls, encryption, secure disposal, breach‑response plans and privacy‑by‑design practices. Because these measures vary across sectors, companies should conduct a data‑protection impact assessment to identify risk‑appropriate safeguards and incorporate those safeguards into the training content.

  2. Training for Data Protection Officers

The Guidance Notice emphasises that DPO training must go beyond the fundamentals taught to general employees. A DPO is required to possess “expert knowledge of data‑protection law and practices, and the ability to carry out tasks” mandated by the Act.[1] This means that DPOs should receive advanced instruction on legal frameworks, regulatory interpretations, risk assessment methodologies, audit preparation and tools for implementing data‑protection programmes. The NDPC encourages organisations to engage accredited training providers and to ensure that DPO certifications align with the NDPA’s requirements. Once certified, DPOs must undertake continuous professional development (CPD); the NDPC’s Virtual Privacy Academy (VPA) courses and other approved events attract CPD points.

  3. Training Standards and Frequency

Training should be completed before any employee performs a task that involves processing personal data. The NDPC expects companies to conduct formal training sessions at least twice a year and to supplement them with frequent sensitisation. Employers should adopt a blended approach: onboarding sessions for new hires, periodic refresher workshops, role‑based deep dives for teams that process sensitive data, and “lunch‑and‑learn” briefings when laws or internal policies change. Trainers must be verifiably competent; where organisations engage third parties, due diligence should confirm their credentials and alignment with the NDPA’s objectives, and attendance and completion records should be retained as evidence of compliance.

  4. Virtual Privacy Academy and Continuous Learning

To support compliance, the NDPC established the Virtual Privacy Academy. The VPA currently hosts “Privacy 101,” an introductory course covering the NDPA, practical workplace scenarios, data‑subject rights, the responsibilities of controllers and processors, and enforcement mechanisms. The Commission treats training completed via the VPA as CPD and encourages organisations to use it as a foundational, refresher or supplementary tool. However, the VPA’s catalogue is still limited; companies should develop customised training materials that meet the Guidance Notice’s expectations and the NDPA’s principles. DPOs and privacy teams should monitor NDPC announcements on new VPA courses and CPD‑accredited events to ensure ongoing compliance.

  5. Conclusion

A strong privacy‑compliance culture begins with knowledgeable people. The NDPC’s Guidance Notice offers a clear framework for building an internal training programme that balances statutory requirements with organisational realities. General employees and management must understand core concepts and practical safeguards; DPOs require expert, accredited training and ongoing professional development; and all staff should be trained before handling personal data and thereafter at least twice a year. While the NDPC’s Virtual Privacy Academy provides a useful starting point, companies should tailor their training to reflect their business models, data flows and risk profiles. By investing in comprehensive and continuous education, organisations can reduce human‑factor breaches, satisfy legal obligations and demonstrate accountability under the NDPA and GAID.

Babalakin and Co. is a licensed Data Protection Compliance Organisation. If you have any questions or would like more information on the issues discussed, please contact us at dataprivacy@babalakinandco.com

Olawale Adedipe (Associate) – oadedipe@babalakinandco.com

References

[1] Section 32 of the NDPA