NDPC Introduces Mandatory Annual CPD Framework for Data Protection Officers

The Nigeria Data Protection Commission (NDPC) has unveiled a new assessment framework for Data Protection Officers (DPOs), making continuous professional development (CPD) a mandatory requirement for maintaining active verification status.

The framework, issued under Schedule 3 of the General Application and Implementation Directive (GAID) 2025, establishes a structured assessment system aimed at ensuring DPOs remain up to date with evolving data protection regulations, cybersecurity trends and global privacy standards.

According to the Commission, the initiative is designed to improve transparency in the allocation of CPD credits, encourage active participation in activities that promote data privacy, strengthen Nigeria’s pool of data protection professionals, and motivate training providers, data controllers and data processors to prioritise continuous professional development.

Annual CPD Requirement

Under the new guideline, certified Data Protection Officers must earn a minimum of 20 Continuous Professional Development (CPD) points annually from a total allocation of 40 points to retain their active verification status.

The Commission also requires that at least 10 of the mandatory 20 points come from structured learning programmes to ensure meaningful professional development.

The assessment framework is divided into three key categories:

Formal Training and Certification
Knowledge Contribution (maximum of 10 points annually)
Professional Engagement and Ecosystem Participation (maximum of 8 points annually)
Evidence and Verification

To demonstrate compliance, DPOs seeking annual verification will be required to submit supporting documents.

According to the guideline, acceptable evidence includes certificates of attendance, confirmation emails, copies or links to published works, formal participation letters, and Professional Education and Engagement Review Forms.

Annual Compliance Review

The NDPC said CPD compliance will now form part of the annual certification revalidation process.

Data Protection Officers who fail to meet the required threshold may have their verification status temporarily changed to inactive until they complete the outstanding professional development requirements.

To streamline implementation, the Commission also plans to deploy a digital platform for the submission, tracking and monitoring of CPD records.

Shift Towards Continuous Learning

The new framework represents a significant shift from one-time certification to continuous professional development as the benchmark for maintaining active status.

Beyond formal training, DPOs can earn additional CPD points by publishing articles, speaking at conferences, participating in NDPC technical working groups, maintaining membership in recognised professional bodies, mentoring emerging privacy professionals and contributing to regulatory consultations.

The Commission said the framework is intended to ensure Nigeria’s data protection professionals continuously update their knowledge and skills as the country’s digital economy expands and organisations process increasing volumes of personal data across sectors.