The NDPR checklist every tertiary institution should have
March 2026 · 9 min read · by the Belrald team
The Nigeria Data Protection Regulation (NDPR), now complemented by the Nigeria Data Protection Act, sets baseline expectations for how institutions handle personal data. Tertiary institutions are squarely in scope — and the stakes are high because of the volume of sensitive student, staff and financial data processed.
This is not a legal article. It's a pragmatic checklist your ICT director can take to the registrar, the bursary and leadership to set a baseline. Consult qualified counsel for specifics.
Governance. Appoint a Data Protection Officer (or equivalent role). Document who is accountable for data-protection decisions. Maintain a record of processing activities — what data you collect, why, where it's stored, and for how long.
Lawful basis. Identify the lawful basis for each category of processing. For students, that's usually contractual (the admission agreement) or legitimate interest (academic record-keeping). For marketing communications, consent is required.
Consent and notice. Provide clear privacy notices at the point of collection — admissions forms, portal sign-up, event registration. Consent must be explicit, specific and revocable. Generic institutional privacy policies are insufficient.
Security measures. Encrypt data in transit and at rest. Enforce role-based access control. Keep audit logs for administrative actions. Maintain a backup and disaster-recovery plan that is tested, not just documented.
Vendor management. Every vendor that processes institutional data must have a Data Processing Agreement (DPA) in place. This includes your student information system, your LMS, your payment gateway, your SMS provider and your email service.
Rights handling. Have a process for handling data-subject requests — access, rectification, deletion, portability. Most institutions receive more of these than they expect once students become aware of their rights.
Incident response. Maintain a written plan that covers detection, containment, notification and reporting. Under the NDPR, some breaches must be reported within 72 hours.
Training. Staff who handle personal data must be trained — not once, but annually. Documentation of training is part of compliance.
If you're working through NDPR alignment, Belrald's platform includes role-based access control, complete audit logs, encryption in transit and at rest, and a DPA for institutional customers. See our Security page or contact us to walk through specifics.