In accordance with the Nigeria Data Protection Act (NDP Act) 2023, the filing of Data Protection Compliance Audit Returns (CAR) is a mandatory obligation for both data controllers and data processors, as stipulated in the Nigeria Data Protection Regulation (NDPR) 2019. This comprehensive guide aims to provide a step-by-step approach for filing these returns, promoting transparency, and ensuring accountability in the processing of personal data.
1. Reliance on NDPR for Filing of CAR
Data Controllers and Data Processors are advised to rely on Articles 4.1(5) and (7) of the NDPR to submit CAR to the Nigeria Data Protection Commission (the Commission). It is crucial to note that the NDPR remains applicable, subject to any overriding provisions of the NDP Act or regulatory instruments issued pursuant to it.
2. The Role of Data Protection Compliance Organizations (DPCOs)
a) DPCOs are instrumental in facilitating the filing of CAR with the Commission, minimizing financial constraints for Data Controllers and Data Processors. b) DPCOs may, under certain circumstances, engage in CAR work as a Corporate Social Responsibility (CSR), particularly for start-ups, non-profit organizations, and low-revenue entities, emphasizing the promotion of voluntary compliance. c) CAR serves as an opportunity for practical training of designated Data Protection Officers (DPOs) and staff members, with evidence of training earning CPD credits. d) DPCOs are responsible for disseminating this Guidance Notice to their clients or prospective clients.
3. CAR Focus Areas
a) The audit report should emphasize the following: i. Awareness ii. Capacity Building iii. Privacy Policy iv. Compliance Directives to Employees, Contractors, Agents, etc. v. Availability of Data Protection Officers vi. Categories of Personal Data being processed vii. Technical Measures for ensuring Confidentiality, Integrity, and Availability of Personal Data viii. Grievances Redress Mechanism ix. List of agents or contractors engaged for data processing and their compliance with the NDP Act.
b) For the year 2022, agents or contractors should provide details of their Technical and Organizational Measures (TOM) for data protection in the Digital TOM form provided by the Commission.
4. Compliance Memorandum
a) Data controllers or processors may outline a time-bound intention to regularize data processing activities in line with the NDP Act in a Memorandum. b) The Memorandum, signed by the designated DPO, should be submitted to the Commission as part of the CAR, with a time-bound intention not later than March 31, 2024.
5. Free Induction Training for Designated DPOs
a) Designated DPOs are required to participate in an induction training organized by the Commission in January 2024. b) The training will focus on data subjects’ rights and compliance obligations of data controllers and processors under the NDP Act and its General Application and Implementation Directive (GAID).
6. Default Fee
The deadline for filing under the NDP Act and the NDPR is March. The applicable date for the 2022 CAR under this Guidance is March 15, 2023. A default fee, amounting to 50% of the filing fee, applies if a data controller fails to file on or before the deadline.
Effect of Non-Compliance
Failure to comply with this Guidance Notice may lead to enforcement orders or sanctions under the NDP Act, including penalties or remedial fees, depending on the severity of the violation.
For detailed liabilities and enforcement procedures, refer to Sections 48 and 32 of the Nigeria Data Protection Act.
Rating Compliance Metrics in the National Data Protection Programme (NaDPAP) Whitelist
| S/N | METRICS | NDP ACT SECTIONS | POINT |
| 1 | Verifiable Evidence of Conformity with Data Protection Principles and Lawful Basis. (Privacy Policies and Notices, Consent forms, Visitors Book, audio visual evidence of compliant data processing, etc may be used) | 24 & 25 | 15 |
| 2 | Accountability and Prompt Responsiveness to Regulatory Processes. (Timely filing of CAR, Resolution of Complaints, Registration and Data Subjects Access Request are focal areas) | 24, 6(d), 24(3) & 61(2) (g) | 15 |
| 3 | Sensitization of Data Subjects on Data Subjects Rights | 27 & 34-38 | 10 |
| 4 | Appointment of A Verifiably Competent DPO | 32 | 5 |
| 5 | Engagement of a DPCO | 33 | 5 |
| 6 | Filing of Compliance Audit Returns | 6(d) & 61(2)(g) | 10 |
| 7 | Data Privacy Impact Assessment | 28 | 10 |
| 8 | Accessible and Functional Internal Remediation Mechanism | 40(8) | 10 |
| 9 | Globally Acceptable Information Security Certifications. Privacy by design is pivotal. | 24(2) & 39 | 10 |
| 10 | Continuous Awareness / Capacity Building Programme for Staff, Contractors, Licensees, etc (This in furtherance of the overall objectives of the Act | 1 | 10 |
| TOTAL | 100 |
Clarification on NaDPAP Whitelist: A Tool for Accountability
The NaDPAP Whitelist serves as a vital instrument for accountability, distinguishing itself from an immunity list or a shield against data subject complaints.
- Not an Immunity List or Shield: The Whitelist should not be misconstrued as conferring immunity or acting as a shield against data subject complaints.
- Functional Data Repository: It functions as a comprehensive repository of data controllers and processors, providing a clear overview of entities involved in data processing activities.
- Rebuttable Presumption of Commitment: Inclusion in the Whitelist creates a rebuttable presumption. It is understood that a data controller or processor on the list is committed to implementing robust technical and organizational measures to safeguard the rights of data subjects.
All enquires about filing data audit returns in Nigeria should be forwarded to info@progressionlawfirm.com.
Data returns filing Nigeria Data returns filing Nigeria
Charles Rapulu Udoh is a Lagos-based lawyer, who has several years of experience working in Africa’s burgeoning tech startup industry. He has closed multi-million dollar deals bordering on venture capital, private equity, intellectual property (trademark, patent or design, etc.), mergers and acquisitions, in countries such as in the Delaware, New York, UK, Singapore, British Virgin Islands, South Africa, Nigeria etc. He’s also a corporate governance and cross-border data privacy and tax expert. As an award-winning writer and researcher, he is passionate about telling the African startup story, and is one of the continent’s pioneers in this regard.