Responsible Data Protection Culture: Filing Data Protection Compliance Audit Returns in Nigeria

March 7, 2025

Introduction

The existing data protection regime in Nigeria rests on two main legislative frameworks: the Nigeria Data Protection Act (NDPA), 2023, and the Nigeria Data Protection Regulation (NDPR), 2019. These instruments impose certain obligations on organisations that handle data belonging to Nigerians or persons residing in Nigeria. One such obligation is the requirement to file yearly Data Protection Compliance Audit Returns (CAR) with the Nigeria Data Protection Commission (NDPC).

In this article, we provide some information to help you file your CAR with the NDPC.

 

The Relevance of CAR

Filing annual CAR is a statutory obligation for data controllers and processors. The underlying audit assesses an organisation’s data protection practices against the regulatory standards. A data protection audit typically includes a review of data processing activities, security measures, incident response procedures and staff training, amongst others. Filing CARs helps organisations stay compliant with the NDPA and NDPR; identify lapses in the data protection practices in place; and demonstrate transparency, trust, and commitment to continuous improvement of data protection practices within the organisation.

 

The Nigeria Data Protection Commission (NDPC) Guidance Notice on Filing CAR

Whilst the NDPA imposes an obligation on data controllers and processors to file CARs, the NDPC has also issued a Guidance Notice on the filing of Data Protection Compliance Audit Returns (the “Guidance Notice”).

 

The Guidance Notice describes the usefulness of CARs as an avenue for data controllers and processors to demonstrate accountability and a commitment to safeguarding personal data, thereby enhancing trust among stakeholders and data subjects. According to the Guidance Notice, CARs are to be filed on or before 15 March each year.

 

Non-compliance with the Guidance Notice amounts to a contravention of the NDPA and will attract the penalties stipulated in the NDPA or any subsidiary legislation.

 

Who Should File CAR?

The obligation to file CAR is imposed on all organisations (whether local or foreign) that collect and process personal data of:

  1. Nigerians; or
  2. persons residing in Nigeria, regardless of their nationality; or
  3. persons whose personal data have been transferred to Nigeria; or
  4. persons whose personal data are in transit through Nigeria.

 

These organisations are referred to as data controllers and data processors, and they include banks and other financial institutions, religious organisations, health institutions, technology companies, insurance companies, real estate and investment firms, gaming and betting companies, all employers of labour, etc.

 

When are you Required to File CAR?

Under the NDPR, all data controllers and processors are required to conduct a data audit and file CAR once they have reached the statutory data protection threshold of 1,000 (one thousand) data subjects within 6 (six) months, and 2,000 (two thousand) data subjects within 12 (twelve) months.

 

The above notwithstanding, the NDPC has advised that all data controllers and data processors should file their CARs regardless of the volume of personal data they currently process. This builds a proper data protection culture, practices and systems even before an organisation reaches the threshold prescribed under the NDPR.

 

It is important to note, however, that under the General Application and Implementation Directive (GAID) issued by the NDPC, a data controller or data processor in the ordinary high level (OHL) category is not required to file an annual CAR, although it is encouraged to do so.

 

Procedure for Filing CAR

The filing process involves the following steps:

  1. Engage the services of a duly licensed Data Protection Compliance Organisation (DPCO) to advise on and file the CAR – This is the first step towards complying with the requirement to file CAR, as the NDPA, NDPR and the Guidance Notice provide that only licensed DPCOs may conduct the audit and file the CAR on behalf of an organisation. Please note that a DPCO is different from a data protection officer, who is usually an employee of the company or an external organisation engaged for that role. The DPCO will advise the organisation on the audit approach best suited to its processes.

 

  2. Audit of the Organisation’s Data Protection Practice – The DPCO will evaluate the organisation’s data protection practices by requesting the documents and information needed for a thorough audit. The DPCO is required to request documents or information on the organisation’s existing data protection policies and procedures, including its data protection impact assessment procedure, privacy policy, consent forms, data subject access request procedure and records, data breach notification procedure, records of processing activities, internal audit schedule, training policies and evidence of staff training on data protection, etc.

The DPCO may also request information regarding the awareness and training of staff on data protection practices; any data breach, its impact, and how the organisation managed it; the list of sub-processors and the considerations made by the organisation in choosing its processors or sub-processors; the categories of data processed by the organisation and how they are retained; and such other relevant information and documentation. In addition, the DPCO may interview key stakeholders within the organisation to obtain information.

 

  3. Preparation of Audit Report – Based on its findings, the DPCO will prepare an audit report that aligns with the NDPR. The timeline for concluding the exercise depends largely on how promptly the requested information and documents are made available to the DPCO.

 

  4. Filing of the Audit Report – The DPCO files the CAR with the NDPC. Timely submission is crucial to avoid penalties for late filing: late filing of the audit report attracts a penalty of 50% of the filing fee, imposed on the data controller/processor.

 

The information contained in this article is solely for educational purposes. It does not and is not intended to constitute legal or any other professional advice. If you require any further information or professional advice on the data protection audit process, you can reach out to us at [email protected] and we will be happy to provide any assistance you may need.

 

Lagos

16 Ajasa Street, Onikan,
Lagos State

‪+234 802 626 6153

Ibadan

West One Building
Secretariat Drive, Agodi, Ibadan, Oyo State

+234 706 505 0656,
+234 818 141 1811

Abuja

Suite FF7 A.G.A Memorial Complex
16, Nkwerre Street, Area 11,
Garki, Abuja – F.C.T

+234 706 505 0656,
+234 703 450 3673

© 2025 | Tunde & Adisa Legal Practitioners. All Rights Reserved
