Data Protection Compliance in Nigeria: Mandatory Compliance Audit Returns (CAR)

Data Protection Audit is a systematic examination carried out in order to ascertain whether an organization’s processing of personal data is compliant with data protection laws applicable to the data processed; industry standards; and an organization’s data policies.

The Nigerian Data Protection Act, 2023 (“The Act”) and the Nigerian Data Protection Act-General Application and Implementation Directives, 2024 (“NDP Act-GAID”) requires companies who process the personal data of data subjects resident in Nigeria to carry out periodic compliance audit of its operations and file a Compliance Audit Returns (CAR) with the Nigerian Data Protection Commission (“The Commission”).

How Often Should a Company Carry Out Data Compliance Audit and File a Compliance Audit Report?

According to the NDP Act – GAID, every organization in Nigeria, that processes personal data should carry out a periodic audit of their data processes. More specifically, in the case of a data controller or a data processor of major importance that was established before the 12^th day of June, 2023, it shall file its CAR not later than 31^st of March each year.

In the case of a data controller or data processor of major importance established after the 12^th day of June 2023, it shall file its CAR not later than eighteen (18) months after its establishment and shall subsequently file its CAR annually.

Furthermore, for the purposes of ensuring proportionality of obligations, the Commission classifies data controllers and data processors into three (3) levels or categories of data processing namely:

1. Major Data Processing-Ultra High Level (MDP-UHL)
2. Major Data Processing-Extra High Level (MDP-EHL)
3. Major Data Processing-Ordinary High Level (MDP-OHL)

Major Data Processors of Ordinary High Level or the 3^rd category are not required to file CAR annually. However, they are required to renew their registration with the Commission every year.

For clarification, Data processors and Controllers in the MDP-UHL category are organisations that processes the personal data of over 5000 data subjects within a period of six (6) months. On the other hand, Data Processors and Controllers in the MDP-EHL category are data processors and controllers that process the personal data of over 1000 data subjects within a period of six (6) months. Lastly, Data processors and Controllers in the MDP-OHL category are data controllers and processors that the process the personal data of at least 200 data subjects within a period of six months.

What are the Documents Required for Filing Data Protection Compliance Audit Returns?

1. Data protection policy
2. Data impact assessment procedure and workbook
3. Privacy policy
4. Data subject consent form
5. Internal breach register
6. Data subject access request procedure and form
7. Subject access request record
8. Document stipulating the management of sub-contract processing
9. Data breach notification procedure
10. Retention schedule
11. Audit schedule
12. Information regarding the training and awareness of the organisation’s staff on data protection requirements and process
13. Information on the category of personal data processed by the organization and how they are stored
14. Information on how the organization determines the relevance and adequacy of the personal data obtained for each processing purpose
15. Contingency plans put in place/implemented by the organization to handle data breach, loss, destruction, and damage, and security measures established to mitigate against same
16. Where the organization is a data controller, the list of its agents and contractors engaged for data processing is required. In addition to this, the organization will be required to highlight the considerations made in choosing a data processor, and steps taken to ensure that the data processor complies with data protection requirements
17. How the organization determines the lawful basis for processing personal data, etc.

How Much Does It Cost to File a Compliance Audit Report?

The following are the filing fees according to the category of data processing within Nigeria.

1. Major Data Processing-Ultra High Level (MDP-UHL) – N20,000
2. Major Data Processing-Extra High Level (MDP-EHL) – N10,000

Are There any Penalties for Failing to File Compliance Audit Returns with the Nigerian Data Protection Compliance?

Yes, any data controller or data processor that fails to file its CAR as and when due, shall be required to pay, in addition to the stipulated filing fee, an administrative penalty, which shall be 50% of the stipulated CAR filing fee.

Conclusion

In conclusion, as a data controller and processor of major importance (processing the personal data of over 200 data subjects in Nigeria), you are expected to be registered with the Nigeria Data Protection Commission as such. This is in a bid to ensuring accountability and the proper handling personal data of data subjects within Nigeria.

Also, it is important to note that only licensed Data Protection Compliance Organizations or Data Protection Officers can conduct data protection audits and file data protection compliance audit returns with the Nigerian Data Protection Commission.

Kindly contact us with your enquiries on data protection compliance in Nigeria.