Consultant for Data Protection Audit and Filling with the Nigeria Data Protection Commission at Action Against Hunger | ACF-International

Action Against Hunger is the world’s hunger specialist and leader in a global movement that aims to end life-threatening hunger for good within our lifetimes. For 40 years, the humanitarian and development organization has been on the front lines, treating and preventing hunger across nearly 50 countries. It served more than 21 million people in 2018 alone.

We are recruiting to fill the position below:

Job Title: Consultant for Data Protection Audit and Filling with the Nigeria Data Protection Commission

Location: Yobe
Geographical scope coverage: Borno State, Sokoto State and Yobe State, Nigeria.

Description

• The purpose of this agreement is for the Auditor to perform a data protection audit to evaluate and examine the Coordinator’s compliance status as relating to data protection.
• The Auditor's objective is to conduct these procedures, and provide a report of factual findings to the Coordinator. This is an assurance engagement; therefore, the Auditor is expected to provide an audit opinion or express assurance.
• The Coordinator must submit a Data Protection Audit Report, prepared by an external auditor (DPCO), to the Nigerian Data protection Commission.
• The NDPC requires this report to validate the Coordinator’s compliance status with the NDPA

Responsibilities of the Parties to the Engagement

• Coordinator's Responsibilities: The Coordinator is responsible for sharing all documents, reports and information relating to data protection. These documents, reports and information must align with the Nigerian Data Protection Act/Regulations.
• The Coordinator must also provide sufficient data protection and non-data protection information to support the audit process and granting the Auditor full access to staff, databases, and relevant records, enabling the Auditor to perform the required procedures effectively.
• Auditor's Responsibilities: The Auditor, a data protection compliance organization (DPCO) engaged for this purpose, is tasked with performing the agreed-upon procedures specified in these ToR.
• The Auditor must provide a report of factual findings to the Coordinator. The "Auditor" can refer to the engagement partner or other team members responsible for the process.

 The Auditor confirms they meet at least one of the following conditions:

• NDPC License: The Auditor or firm is licensed by the Nigerian Data Protection Commission.
• NDPA Compliance: The Auditor or firm fully understands and is knowledgeable on the requirements of the Nigerian Data Protection Act.
• EU GDPR Compliance: The Auditor or firm fully understands and is knowledgeable on the requirements of the European Union’s General Data Protection Regulations.

Standards and Ethics
The Auditor will conduct this engagement according to:

• NDPA 2023: Nigeria Data Protection Regulation of 2023, related to agreed-upon procedures for data protection compliance.
• ISO/IEC 27001 Standards: The Auditor will adhere to the ISO/IEC 27001 Standards for Professionals which outlines principles regarding integrity, objectivity, independence, professional competence, confidentiality, and technical standards in ensuring data security and avoiding data breaches.

Procedures, Evidence, and Documentation:

• The Auditor will plan and execute the audit, following the procedures listed in Annex 1 and guidelines in Annex 2.
• The evidence gathered will support the report of factual findings, ensuring the work aligns with NDPA 2023 and this ToR.
• Annex I: Listing of specific procedures to be performed
• Annex 2: Guidelines for specific procedures to be performed.

Profile of the Consultant (Qualifications and Experience)
The consultant must be a qualified Data Protection Auditor with the following minimum requirements:

• Professional certification in Data Protection such as NDPR DPCO Certification, ISO 27001 Lead Auditor, or equivalent
• Minimum of 3 - 5 years practical experience in data protection compliance, auditing, or information security
• Proficiency in preparing the mandatory annual filings required by NDPC for high‑level data controllers/processors under GAID 2025
• Demonstrated experience conducting NDPR audits for organizations in Nigeria
• Skilled in conducting and preparing Compliance Audit Returns (CAR) as required for Data Controllers/Processors of Major Importance under NDPC guidelines
• Strong understanding of Nigeria Data Protection Act (NDPA 2023), NDPR 2019, and global data protection standards (GDPR, ISO 27001)
• Excellent report‑writing, communication, and analytical skills
• Ability to advise organizations on compliance measures, including data subject rights, consent management, and risk mitigation
• Experience with information management, data lifecycle governance, and confidentiality/integrity controls.
• Knowledge of cyber‑security fundamentals aligned with NDPC‑approved skill areas such as cyber law and information security.
• Ability to provide actionable recommendations and support remediation efforts.

Application Closing Date
Wednesday, 18th February, 2026 at 12 noon (Nigerian Time).

How to Apply
Interested and qualified candidates should send their applications to: supply@ng-actionagainsthunger.org using "Consultancy for Data Protection Audit and Filling with the Nigeria Data Protection Commission" as the subject of the mail.

Note

• Proposal without request of the full ToR will not be accepted.
• The prospective consultancy is expected to submit a brief methodology with concept note while responding to this expression of interest (EoI)
• The sending of full ToR will commence from Thursday, 5th February, 2026 until the deadline of the submissions to all expressions of interest from prospective consultants and submission of proposals will be on or before 18th February, 2026 by 5PM, Nigerian time.