The Nigeria Data Protection Act (NDPA) 2023 was recently passed as a comprehensive legal framework in Nigeria providing for compliance and best practices in data processing for all companies in Nigeria that process the personal information of persons resident in Nigeria.

In furtherance of the NDPA, the Nigeria Data Protection Commission (NDPC), on the 15th of November 2024, issued a Guidance Notice on the Filing of Data Protection Compliance Audit Returns (CAR) For 2022 (NDPC/HQ/GN/VOL.01/23), pursuant to Section 6(c)-(d) of the Nigeria Data Protection Act. The essence of this Notice was to emphasise the importance of Data Protection Compliance Audit Returns (CAR) in ensuring accountability and transparency in data processing in Nigeria. In the said notice, while reiterating the need for concerned Data Processors and Controllers to still file CAR 2022, the NDPC announced that a new cycle of CAR filing will commence in 2024, aligning with the NDPA and its General Application and Implementation Directive (GAID).

The notice also provides that from 2024, filing CAR will provide an opportunity for Data Controllers and Data Processors to demonstrate accountability and potentially be listed on the National Data Protection Adequacy Programme (NaDPAP) Whitelist. However, being on the whitelist does not grant immunity against data subjects’ complaints, but will serve as a tool for accountability as it contains information about Data Controllers and Processors who have demonstrated a commitment to safeguarding data subjects’ rights through adequate technical and organizational measures.

Data Controllers and Data Processors are advised to rely on Articles 4.1(5) and (7) of the NDPR when filing CAR with the Commission. These articles provide the necessary framework for compliance.

The Importance of DPCOs

The Notice emphasizes the vital role of the Data Protection Compliance Organizations (DPCOs) in facilitating CAR filing. It further outlines the key focus areas for the CAR report, including raising awareness about data protection, developing privacy policies, implementing compliance directives, appointing Data Protection Officers, specifying personal data categories and lawful basis for processing, implementing technical measures for data protection, and establishing grievance redress mechanisms. For the year 2022, agents or contractors of data controllers who carry out data processing for data controllers shall only provide details of their Technical and Organizational Measures (TOM) for data protection in the Digital TOM form provided by the Commission.

Compliance Memorandum

To further demonstrate their commitment, the NDPA provides that Data Controllers or Processors may outline a time-bound intention to bring their data processing activities in line with the NDPA. This is to be documented in a Memorandum, signed by the designated Data Protection Officer, and submitted to the Commission along with the CAR. The deadline for submitting the time-bound intention is 31 March 2024.

Default Fee

The Guidance reiterated that failing to file the CAR by the deadline, 15th March 2023, will result in the application of a default fee, which is 50% of the filing fee. Thus, the default fee will apply to a Data Controller who could not file on or before the said deadline for the 2022 CAR.

Conclusion

Generally, organizations perceive audits as daunting tasks. However, audits should not be feared or postponed until the last minute. With the right approach, audits can be effectively managed. Data protection audits, like any other audits, provide organizations with an opportunity to assess their compliance level and identify areas of improvement. Companies are also able to evaluate the efficiency of their existing processes while ensuring compliance with data protection regulations and safeguarding the privacy and security of personal data.

It is important to remember that neglecting to conduct an audit can expose the organization to legal, financial, and operational penalties that might affect its reputation in the long run. We encourage Data Processors and Controllers to thoroughly review the guidance provided by the NDPC and take proactive steps to ensure compliance with the filing of Data Protection Compliance Audit Returns.

About Stren & Blan Partners: 

Stren & Blan Partners is a full-service commercial Law Firm that provides legal services to diverse local and multinational corporations. We have developed a clear vision for anticipating our clients’ business needs and surpassing their expectations, and we do this with an uncompromising commitment to Client service and legal excellence. Stren & Blan Partners are also licensed Data Protection Compliance Officers (DPCOs).