Frequently Asked Questions (FAQs)

Understanding Data Protection Compliance in Nigeria

Data Protection Compliance Organisations

1. What is a Data Protection Compliance Organisation (DPCO)?

A Data Protection Compliance Organisation (DPCO) is an entity licensed by the Nigeria Data Protection Commission (“NDPC” or “Commission”). Its primary role is to help organisations achieve and maintain compliance with Nigeria’s data protection laws.

Always ask to see a DPCO’s certificate to ensure you are working with an experienced and licensed firm.

DPCOs, such as T.A.A.S Cyber Solutions Ltd, provide data protection compliance services that include auditing, advisory, Data Protection Impact Assessments (DPIAs), training, and other services required to drive compliance with the Nigeria Data Protection Act (NDP Act) 2023, General Application and Implementation Directive (GAID), and other relevant regulations or guidelines issued by the Commission.

2. Why does my organisation need a DPCO?

Every company that collects or processes personal data (also known as data controllers and data processors) must comply with the provisions of the NDP Act, which includes appointing a DPCO. Partnering with a DPCO like T.A.A.S Cyber Solutions Ltd ensures you meet all legal and regulatory obligations to comply with the Act and GAID, avoid penalties, and build trust with clients.

Maintaining this compliance, however, is a continuous and specialised task. Partnering with a licensed DPCO, such as T.A.A.S Cyber Solutions Ltd, is the most effective way to navigate these complex requirements.

As your expert partner, we:

Ensure Legal Compliance: by guiding you through the nuanced complexities of the NDP Act and GAID, helping you meet requirements under law.

Avoid Costly Penalties: through our audits and Data Protection Impact Assessments (DPIAs), which identify vulnerabilities before they become breaches, thereby significantly reducing your risk of facing fines and sanctions from the NDPC.

Build Client and Partner Trust: by demonstrating that your commitment to data privacy is intentional rather than optional. Our advisory, gap assessments, remediation, audits, red teaming, training and capacity building help you prove to clients and stakeholders that you take the protection of their data seriously, enhancing your brand reputation.

Provide On-Demand Expertise: through a dedicated data protection team, you gain access to certified experts for audits, training, and advisory services precisely when you need them. This is often preferable for companies that favour outsourcing over a full-time hire.

3. How is a DPCO different from a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a role mandated by the NDP Act, responsible for ensuring the organisation’s compliance with applicable data protection legislation. A Data Protection Compliance Organisation (DPCO) like T.A.A.S Cyber Solutions Ltd serves as your licensed external expert, providing the necessary oversight and formal validation of your data privacy policies and procedures. We partner with you to audit your processes, train your DPO and staff, and officially certify your compliance status with the NDPC.

Compliance and registration as DCPMI

4. What is registration and why do companies have to register?

Registration is the process where an organisation formally notifies the regulator that it collects and processes personal data.

Under the GAID 2025, companies are required to register as a Data Controller/Processor of Major Importance as part of their compliance requirements. This demonstrates accountability and allows the regulator to monitor organisations that handle sensitive or large volumes of data.

5. What are the registration fees for a Data Controller/Processor of Major Importance?

Under the GAID, the fee structure is tiered based on an organisation’s classification (Ultra-High, Extra-High, or Ordinary-High Level) and the volume of unique data subjects.

Category   Threshold                                                                        Fee
UHL        Data of over 5,000 data subjects processed in 6 months                           ₦250,000
EHL        Data of over 1,000 but less than 5,000 data subjects processed within 6 months   ₦100,000
OHL        Data of over 200 but less than 1,000 data subjects processed within 6 months     ₦10,000

6. What happens if my organisation fails to comply with the NDP Act?

Non-compliance can lead to regulatory sanctions, fines, and reputational damage. T.A.A.S Cyber Solutions Ltd helps you stay compliant and protects your business.

Failing to comply with the NDP Act carries significant and costly consequences. The NDPC is empowered to enforce the NDP Act, with penalties stretching far beyond a simple warning.

The risks are threefold:

i. Tiered fine structure for violations. Upon conviction, your organisation could face:

• For Data Controllers or Processors of Major Importance: A fine of up to ₦10,000,000 or 2% of your annual gross revenue from the preceding financial year (whichever is greater)

• For other Data Controllers/Processors: A fine of up to ₦2,000,000 or 2% of your annual gross revenue from the preceding financial year (whichever is greater)

• Imprisonment for up to one year, in either case

ii. In addition to fines, the NDPC can:

• Issue “Compliance Orders” forcing you to take specific actions or stop processing data

• Publish the names of non-compliant organisations in a public “name and shame” list

• Launch formal investigations into your data handling practices

iii. Business and Reputational Damage

This is often the most lasting and expensive consequence:

Loss of Trust: A public breach or sanction can instantly destroy the trust that companies work years to build

Civil Liability: The Act empowers data subjects (your clients or employees) to seek compensation in court for damages, loss, or harm caused by your non-compliance

Competitive Disadvantage: Compliant competitors can use their certified status as a marketing tool, positioning your organisation as a risk

Partnering with a licensed DPCO like T.A.A.S Cyber Solutions Ltd is a proactive investment in prevention and risk mitigation. We help you identify privacy and compliance risks, implement the necessary controls, and maintain continuous compliance, protecting your finances, industry standing, and reputation.

CDPO Training and Examination

7. Does TAAS offer CDPO training and exams?

Yes. T.A.A.S CYBER SOLUTIONS LTD is an Accredited Training Organisation (ATO) of the Institute of Information Management (IIM) Africa.

We offer a complete “end-to-end” certification package for aspiring Data Protection Officers and privacy professionals:

• Comprehensive Training: We provide the official CDPO curriculum, delivered by certified and practicing privacy experts. Our training extends beyond theory, offering tailored and practical insights into the day-to-day responsibilities of a DPO by contextualising the material to suit your specific industry.

• Exam Registration: As an accredited partner, we handle the entire examination process. We prepare you for the exam, register you with the IIM, upload your documents, and submit your candidacy for the exam.

• Certification: Upon passing, you will receive the prestigious Certified Data Protection Officer (CDPO) designation from the Institute of Information Management, a globally recognised standard for information management and data protection.

Whether you are an individual looking to upskill or an organisation needing to certify your internal DPO, we provide the necessary training and accreditation pathway.

8. What is the process for registering for CDPO training and exam?

i. Contact T.A.A.S Cyber Solutions Ltd via our website or email (info@taas-ltd.ng)

ii. Select your preferred training schedule (virtual or physical)

iii. Provide relevant documentation for submission to the IIM on your behalf for exam registration:

• Educational/Professional Certificates

• Recent passport photograph (clear image)

• Government-issued identification (e.g., Driver’s License, Voter’s Card, International Passport, NIN, etc.)

iv. Make payment, which includes the examination fee: ₦250,000 (non-IIM accredited member) or ₦200,000 (IIM accredited member)

v. Schedule your in-person or virtual training and receive joining instructions

vi. Complete the training and receive the participants’ pack, together with a Certificate of Attendance

vii. Sit the CDPO exam – scheduled at the end of every month

Please note, as of January 2026, the NDPC is mandating all DCPMIs have certified DPOs.


Our Services

9. What services does T.A.A.S Cyber Solutions Ltd offer?

As a licensed DPCO, we provide a comprehensive suite of services designed to meet organisations at their current level of data protection compliance, whilst driving maturity where critical gaps exist.

• NDP Act compliance audits, with filings, remediation, and gap assessments to show your current state of data protection compliance

• Privacy advisory and problem-solving

• Data Protection Impact Assessments (DPIAs)

• Policy drafting

• Third-Party Risk Management

• AI Governance

• AI governance training and program development

• Data breach management and reporting support

• Staff training and capacity building

• Data Protection Officer (DPO) training

• IIM CDPO training and exam registration

• Outsourced DPO services

• Preparation for professional certifications including CIPP/E (Certified Information Privacy Professional/Europe) and CIPM (Certified Information Privacy Manager)

• Preparation for certifications and external audits (ISO 27001, ISO 27701, ISO 22301, CIPP/E, CIPM)

• Other ad hoc services upon request

10. Do you work with both large organisations and SMEs?

Yes. Data protection compliance is a legal requirement for organisations of all sizes, and our services are designed to be scalable and practical for everyone.

Our approach is not “one size fits all”. We tailor our services to your specific size, industry, data processing activities, and risk profile to ensure you receive the exact support you need.

11. Do you help organisations prepare and file their compliance audit reports?

Yes, a fundamental part of our service involves meeting this mandatory legal requirement, which applies to many organisations.

The GAID mandates that all “Data Controllers/Processors of Major Importance” (DCPMI) must submit an annual Compliance Audit Return (CAR) to the Nigeria Data Protection Commission.

As a licensed DPCO, T.A.A.S Cyber Solutions Ltd manages this entire critical process for you, from start to finish:

1. Full-Scope Audit: We conduct a thorough and independent audit of your data processing activities, policies, and safeguards to measure your compliance against the NDP Act and GAID

2. Formal Report Preparation: We compile our findings into the official, detailed Compliance Audit Report (CAR) in the precise format required by the NDPC

3. On-Time NDPC Submission: We handle the official submission of your audit report directly to the NDPC, ensuring it is filed correctly and ahead of the annual March 31st deadline

4. Management Reports: We provide a comprehensive management audit report and a current state gap assessment report. These documents outline areas for necessary remediation and include a detailed remediation plan

Partnering with us removes the burden and guesswork from this process. We ensure your submission is accurate, professional, and filed on time, keeping you in good standing with the Commission and demonstrating your commitment to data protection. Most importantly, we meet clients at their level of maturity and assist them in their compliance journey.

12. Are there fees associated with filing the audit report?

Yes. Data Controllers and Processors of Major Importance have varying audit return filing fees depending on their tiers, as stipulated in the table below:

DCPMI                     Tier                                   Fee
Ultra-High Level (UHL)    A – 50,000 data subjects and above     ₦1,000,000
                          B – 25,000-49,999 data subjects        ₦750,000
                          C – below 25,000 data subjects         ₦500,000
Extra-High Level (EHL)    A – 10,000 data subjects and above     ₦250,000
                          B – 2,500-5,000 data subjects          ₦200,000
                          C – below 2,500 data subjects          ₦100,000

Please note – there are penalties for late filings, which are 50% of the filing fees.


Engagement Process

13. How can we engage T.A.A.S Cyber Solutions Ltd as our DPCO?

You can contact us via our website, LinkedIn, or email. We’ll schedule a consultation to understand your data processing operations, then provide a proposal tailored to your organisation’s needs.

Getting started is a straightforward, three-step process. We are ready to help you, whether you are just starting your compliance journey or preparing for another annual audit.

Step 1: Reach out to our expert team. We will schedule a complimentary consultation to understand your organisation’s unique data processing activities, industry, current maturity, and compliance goals.

• Email: info@taas-ltd.ng 

• Phone: +234-702-500-2042

• Website: https://taas-ltd.com/contact-us/ 

• LinkedIn: https://www.linkedin.com/company/t-a-a-s-cyber-solutions-ltd/ 

Step 2: Based on our initial consultation, we will conduct a high-level assessment of your needs. We will then provide you with a detailed, no-obligation proposal that outlines a clear scope of work – whether it’s for a full compliance audit, staff training, DPO services, DPIA, or a combination of our offerings.


Step 3: Once aligned on the proposal, we will formally onboard you as a client. This includes signing a Letter of Engagement, submission of the first invoice, holding a kick-off call, and immediately beginning the process of guiding your organisation towards data protection compliance.

You can contact us today to schedule your initial consultation.

14. What documents or information will you need from us?

We request key policies, information around staff procedures, system information, process walkthroughs and evidence of data security controls to adequately assess your compliance level.

To begin a comprehensive compliance assessment, we typically start with a discovery phase.

This is a standard and essential part of the compliance audit. All information shared with T.A.A.S Cyber Solutions Ltd is treated with the strictest confidentiality, governed by our Non-Disclosure Agreement and Letter of Engagement, and is used solely for the purpose of assessing and improving your compliance with the NDP Act.

Our team will provide a detailed checklist, which generally includes:

• Existing policies and procedures

• Information around your data processing practices (e.g. third party vendors)

• Technical and organisational details around data security

• Examples of your consent forms

The specific information required will depend on the services you need, for instance, a full compliance audit requires more detail than a simple policy review.

15. How long does a typical compliance audit take?

The exact duration of the project depends on the availability of the necessary documentation and of staff for interviews, your current maturity and existing data protection culture, the gaps identified against regulatory requirements, management involvement, collaboration, and timely remediation.

Estimated timelines are agreed upon in the Letter of Engagement and typically range from two to four weeks.

16. What should we expect during a typical compliance audit?

We follow a structured, multi-phase process:

Phase 1: Scoping and Kick-Off (Approx. 1-2 Days)

This initial phase involves our team meeting with yours, defining the exact scope of the audit, and providing a comprehensive checklist of the documents and access we will need.

Phase 2: Audit and Assessment (Approx. 2 Weeks)

This is the core audit which includes:

• Reviewing your policies, procedures, and contracts

• Conducting interviews with key staff (e.g. Legal, IT, HR, Marketing, Operations)

• Assessing your technical systems and security safeguards

• Analysing your data flows and Record of Processing Activities (ROPA)

Phase 3: Analysis and Report Drafting (Approx. 1-2 Weeks)

After the assessment, our team analyses the evidence provided, identifies any compliance gaps, and prepares the comprehensive draft audit report. This report details findings, assesses the company’s level of compliance, and provides clear and actionable remediation plans with prioritised recommendations.

Phase 4: Validation and Final Report (Approx. 1-2 Days)

We present the draft report to your management team, giving you an opportunity to review and validate our findings. Once finalised, we submit the official Compliance Audit Report (CAR) to the NDPC.

Confidentiality and Data Handling

17. How do you ensure our information remains confidential?

Confidentiality is not only central but also critical to our work. All information shared with T.A.A.S Cyber Solutions Ltd is treated with the strictest confidentiality, governed by our non-disclosure and duty of professional secrecy. All data is used solely for the purpose of assessing your compliance with the NDP Act.

18. Will our data be shared with anyone else?

No. We do not share client data with third parties unless required by law or with your written consent. We use Google Workspace Enterprise as our storage solution, with data stored on servers in the European Union.

Training and Support

19. Do you offer staff training on data protection?

Yes, we do. Staff training and awareness are a critical part of compliance. We provide tailored sessions customised to your business and the specific roles of your employees:

• General Staff Awareness: An engaging and interactive training for all employees covering the fundamentals of the NDP Act and GAID, including understanding how to identify personal data, lawful basis and principles of data protection, and staff responsibility in protecting personal data.

• Role-Specific Workshops: Specialised interactive training and workshops for high-risk departments, such as:

• Legal: Contract management and data processing agreements

• HR: Handling employee data, retention, and physical access

• Marketing: Managing consent, customer lists, and digital privacy with tracking technologies (Pixels, cookies, targeted ads etc.)

• IT and Security: Technical safeguards, access controls, breach response and simulations, vendor due diligence

• Executive and Leadership Briefings: A high-level overview for senior management focusing on legal accountability, financial risks, and the strategic importance of data governance.

Our training, available both on-site and virtually, ensures your team not only understands the rules but also knows exactly what to do – and what not to do – in their day-to-day work.

20. Do you offer ongoing compliance support?

Yes. We offer retainer-based support to monitor compliance, manage data protection risks, and keep your organisation updated on regulatory changes.

Incidents and Breaches

21. What should we do in case of a data breach?

Contact us immediately. We’ll help assess the impact, document the incident, guide you through notifying the NDPC (and affected individuals where necessary) and conduct forensic investigation and remediation.

Pricing and Administration

22. How are your services priced?

Pricing depends on your industry, the organisation’s size, scope of data processing activities, and sensitivity of data handled. We provide packages suitable for startups, SMEs, and large enterprises.

23. How often should compliance be reviewed?

The NDPC mandates annual audits and twice-yearly internal reporting to management. Periodic internal reviews are encouraged, especially when business processes change.

There are two mandatory review frequencies:

1. Annual Compliance Audit Return (CAR): 

This is the main, external audit. It must be conducted once yearly by a licensed DPCO like T.A.A.S Cyber Solutions Ltd. This applies to all Data Controllers of Major Importance (DCPMI) and is formally filed with the NDPC by the March 31st deadline.

2. Semi-Annual Internal Report: 

This is an internal report. It must be prepared twice per year by your own Data Protection Officer (DPO) and submitted to executive management. As a licensed DPCO, we are available to assist with this exercise in an advisory capacity.

24. Do you need to visit our offices to conduct the compliance audit?

No, an on-site visit is generally not required although it could be necessary if sensitive personal data is stored in hard copies. Our fully remote and agile operational model is specifically designed to conduct comprehensive, thorough audits efficiently from a distance.

We leverage secure technology to ensure a seamless process with minimal disruption to your daily operations:

• Secure Collaboration: As part of our transparent process, we set up a dedicated, secure shared drive where your team can upload all necessary documents, policies, and evidence for our review

• Virtual Interviews: We conduct all necessary interviews with your key staff via secure video conferencing, scheduled at your convenience

• Remote System Reviews: We can assess your technical controls and platforms through guided screen-sharing sessions and remote demonstrations

Any other questions?

Feel free to contact us directly on +234-702-500-2042.

For Europe-based clients, please engage our sister company T.A.A.S Inc. Limited on +44-7817-8659-16, or Toulu@taas-ltd.com

Compliance is easy with the right specialists. Visit taas-ltd.com/contact-us to book your free consultation today.
