- INTRODUCTION
- POLICY STATEMENT
- SCOPE OF APPLICATION
- DEFINITIONS
- DATA PROTECTION GOVERNANCE
5.1 Data Protection Structure
5.2 Data Protection Officer (DPO)
8.2 Organisational Controls
10.2 Cross-Border Transfers
12.2 Response Requirements
- DATA RETENTION AND DELETION
- DATA PROTECTION AUDITS
- TRAINING AND AWARENESS
- NON-COMPLIANCE
- CONTACT
Olotu Square Solutions Ltd. is a technology innovation and capacity development organisation based in Port Harcourt, Nigeria. Our operations include software development, digital training programmes, startup incubation, coworking services, and technology consulting.
In the course of these activities, we collect and process personal data belonging to trainees, clients, employees, partners, vendors, and website users.
This policy establishes the principles, governance, and safeguards guiding all personal data processing activities within the organisation.
It ensures that personal data is handled:
- lawfully and transparently
- securely and responsibly
- in compliance with the Nigeria Data Protection Act (NDPA) 2023
Olotu Square commits to full compliance with applicable data protection laws, including the NDPA 2023 and related regulatory directives issued by the Nigeria Data Protection Commission (NDPC).
We ensure that:
- personal data is processed only for legitimate purposes
- individuals’ rights are respected at all times
- appropriate safeguards are implemented to prevent misuse, loss, or unauthorised access
- accountability is embedded across all operations
This policy applies to:
- All staff (full-time, part-time, interns, volunteers)
- Contractors, consultants, and third-party service providers
- All systems, platforms, and physical records used by the organisation
- All processing activities conducted in Nigeria or involving Nigerian data subjects
It covers:
- training and bootcamp registrations
- software development projects
- HR and payroll processing
- client engagement and service delivery
- digital platforms and websites
- coworking and event management systems
| Term | Meaning |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable individual |
| Sensitive Personal Data | Data revealing health, biometrics, religion, ethnicity, political views, or similar categories |
| Processing | Any operation performed on data (collection, storage, use, transfer, deletion) |
| Data Subject | The individual whose data is being processed |
| Data Controller | Olotu Square (determines purpose and means of processing) |
| Data Processor | Any third party processing data on behalf of Olotu Square |
| Consent | Freely given, informed, specific and unambiguous indication of agreement |
| Personal Data Breach | Any security incident leading to accidental or unlawful exposure or loss of data |
Olotu Square operates a lightweight governance model:
- Executive Management (oversight)
- Data Protection Officer (compliance lead)
- IT & Security Unit (technical enforcement)
- All Staff (operational responsibility)
5.2 Data Protection Officer (DPO)
The DPO is responsible for:
- Monitoring compliance with NDPA requirements
- Advising management on data protection obligations
- Managing data subject requests
- Coordinating breach response procedures
- Maintaining records of processing activities (RoPA)
- Acting as liaison with the NDPC
We ensure that all personal data is:
- collected for specific and legitimate purposes
- limited to what is necessary (data minimisation)
- accurate and updated where required
- stored only for defined retention periods
- protected against unauthorised access or loss
Personal data shall only be processed where at least one lawful basis exists:
- consent of the data subject
- contractual necessity
- legal obligation
- legitimate interest (balanced against rights of data subjects)
- protection of vital interests
- public interest (where applicable)
Consent must be:
- freely given (no coercion or hidden conditions)
- specific (clearly defined purpose)
- informed (data subject understands use)
- unambiguous (clear affirmative action)
We ensure:
- consent records are maintained
- withdrawal of consent is respected immediately where applicable
- separate consent is obtained for marketing activities
We protect personal data using a combination of technical and organisational measures:
- encryption of sensitive data where applicable
- role-based access control (RBAC)
- secure authentication mechanisms
- firewall and endpoint protection
- secure cloud configurations
- staff confidentiality agreements
- background checks where necessary
- restricted access to sensitive systems
- periodic security training
Data subjects may exercise the following rights:
- right of access
- right to correction
- right to deletion (where legally applicable)
- right to object to processing
- right to withdraw consent
- right to data portability
- right to lodge complaints
Operational handling rule:
- requests acknowledged within 7 days
- resolved within 30 days unless legally extended
Personal data shared with third parties must be governed by written agreements including:
- confidentiality clauses
- security requirements
- limitation of processing purposes
- breach notification obligations
Data may only be transferred outside Nigeria where:
- adequate protection exists in the destination country, OR
- explicit consent is obtained, OR
- NDPA-approved safeguards are implemented
Internal sharing of data is:
- strictly role-based
- limited to operational necessity
- logged where sensitive data is involved
A DPIA is required where processing may:
- involve sensitive personal data
- introduce high risk to data subjects
- involve new technologies or systems
- include large-scale monitoring or profiling
A DPIA must:
- identify risks
- evaluate necessity
- propose mitigation controls
- be approved before deployment
A breach includes any unauthorised access, disclosure, alteration, or loss of personal data.
Upon detection:
- immediate containment of the incident
- assessment of scope and impact
- documentation of the incident
- notification to DPO and management
- regulatory reporting where required
Where high risk exists:
- affected individuals will be notified without undue delay
- NDPC notification will be made in compliance with NDPA timelines
Data is retained only for:
- legal requirements
- contractual obligations
- operational necessity
Retention rules:
- training data: retained for a limited post-programme period unless otherwise required
- employee data: retained per employment law requirements
- client data: retained for service lifecycle + legal buffer
At end of retention:
- secure deletion OR
- anonymisation for statistical use
We conduct:
- periodic internal audits
- compliance checks on vendors
- system security reviews
- policy effectiveness evaluations
Findings are reported to management for corrective action.
All personnel must:
- complete onboarding data protection training
- undergo annual refresher training
- report suspected breaches immediately
- understand handling rules for personal data
Violations of this policy may result in:
- disciplinary action
- termination of contract/employment
- regulatory penalties
- legal liability
- reputational damage
Data Protection Officer
Olotu Square Solutions Ltd.
31 Isiokpo Street, D/Line, Port Harcourt
Email: [email protected]
Phone: +234 916 766 6752
This policy is reviewed annually or earlier where required by law, regulation, business changes, or material data protection risks. All staff shall receive a copy upon engagement and periodic refresher training thereafter.
This Data Protection Policy has been reviewed and approved by the Head of the Board:
| Name | Designation | Signature | Date |
| --- | --- | --- | --- |
| Bruce Lucas | Chief Executive Officer (CEO) | BL | 04/24/2026 |

