ARTICLE
16 February 2026

Understanding The New Data Protection Compliance Audit Regime In Nigeria

Adeola Oyinlade & Co

Adeola Oyinlade & Co. is a leading full-service law firm in Nigeria providing competent, innovative, cost-effective, and well-timed responsive services. The firm offers a variety of legal services including corporate, commercial and business advisory, dispute resolution, litigation and more to a vast range of national and foreign clients.

Introduction

One of the key compliance mechanisms introduced under the NDPA is the requirement for certain data controllers and data processors to conduct periodic compliance audits and file Compliance Audit Returns (CAR) with the Nigeria Data Protection Commission (NDPC).

This article provides an overview of the new data protection compliance audit regime in Nigeria, with particular focus on the obligations surrounding the filing of Compliance Audit Returns. We examine who qualifies as a Data Controller or Data Processor of Major Importance, the timelines and penalties associated with CAR filings, the classification framework established by the NDPC, applicable exemptions, statutory filing fees, and practical steps organizations can take to achieve compliance.

Data Controllers and Processors required to file Nigeria Data Protection Act Compliance Audit Return

Data controllers and Data processors of major importance are expected to file CAR on an annual basis. In the case of a Data controller or a Data processor of major importance that was established before the 12th day of June, 2023, it must file its CAR not later than 31st of March each year. In the case of a Data controller or Data processor of major importance established after the 12th day of June 2023, it must file CAR not later than fifteen (15) months after its establishment and must subsequently file its CAR annually. Where a Data controller or Data processor fails to file its CAR as and when due, it shall pay, in addition to the stipulated filing fee, an administrative penalty, which shall be 50% of the stipulated CAR filing fee. [1]

Data Controllers and Data Processors of Major Importance must register with the NDPC within six months of the NDPA's commencement or within six months of attaining the status of a Data Controller or Data Processor of Major Importance. [2]

Designation of Data Controllers and Data Processors of Major Importance

A Data controller or Data processor of major importance is a data controller or data processor who either processes the personal data of more than Two-Hundred (200) data subjects in six (6) months; or carries out commercial ICT services on any digital device which has storage capacity for personal data; or processes personal data as an organization or a service provider in any one of the following sectors: Aviation, Communication, Education, Electric Power, Export and Import, Financial, Health, Hospitality, Insurance, Oil and Gas, Tourism, E-Commerce and Public Service. [3]

Classification of Data Controllers and Data Processors of Major Importance

The NDPA classifies data controllers and data processors of major importance into three (3) levels or categories of major data processing, namely:

  1. Ultra-High Level (UHL): Data controllers and data processors in this category are required to register once and file CAR annually. These include Commercial banks operating at national or regional level, Telecommunication companies, Insurance companies, Multinational companies, Electricity distribution companies, Oil and Gas companies, Public social media App developers and proprietors, Public e-mail App developers and proprietors, Communication devices manufacturers, Payment gateway service providers, Fintechs and Organizations that process personal data of over Five-Thousand (5,000) data subjects in six (6) months.
  2. Extra-High Level (EHL): Data controllers and data processors in this category are also required to register once and file CAR annually. These include Ministries, Departments and Agencies (MDAs) of government, Micro Finance Banks, Higher Institutions, Hospitals providing tertiary or secondary medical services, Mortgage Banks and organizations that process personal data of over One-Thousand (1,000) data subjects but less than Five-Thousand (5,000) within six (6) months.
  3. Ordinary-High Level (OHL): Data controllers and data processors in this category are required to renew their registration with the NDPC on an annual basis and are not required to file an annual CAR when they renew their registration annually. These include Primary and Secondary Schools, Corporate Training Service Providers, Primary Health Centres, Independent Medical Laboratories, Hotels and Guest Houses with less than fifty (50) suites, Processors who process sensitive personal data of more than Two-Hundred (200) data subjects for commercial purposes and organizations that process personal data of over Two-Hundred (200) data subjects but less than One-Thousand (1,000) within six (6) months. [4]

Data Controllers that are Not of Major Importance

  1. Traders or artisans who do not transmit personal data as a trade or business object to other data controllers or processors that may process the transmitted personal data for their business goals.
  2. Traders with less than fifteen (15) employees, or Artisans who do not keep any specific filing system of personal data relating to their customers except routine phone contacts files, receipts data, contact addresses and electronic mail addresses.
  3. A Community of Friends, Professionals or People of Common Interest who interact on Social Media Platforms. [5]

Data Controllers and Data Processors of Major Importance Exempted from Registration

The following categories of data controllers of major importance are exempted from registration: Community-Based Associations, Faith-Based Organizations, Foreign Embassies and High Commissions, Judicial establishments or bodies carrying out adjudicatory functions and Multigovernmental Organizations. [6]

NDPA Compliance Audit Returns Filing Fee (Statutory Fee)

A data controller or a data processor within the categories of UHL and EHL is required to file CAR through a Data Protection Compliance Organization (DPCO) licensed by the NDPC.

  1. Ultra-High Level (UHL)
     • 50,000 data subjects and above – N 1,000,000
     • 25,000-49,999 data subjects – N 750,000
     • below 25,000 data subjects – N 500,000
  2. Extra-High Level (EHL)
     • 10,000 data subjects and above – N 250,000
     • 5,000-2,500 data subjects – N 200,000
     • below 2,500 data subjects – N 100,000 [7]

Steps for Compliance

  1. Determine if your organization qualifies as a Data Controller or Processor of Major Importance.
  2. Appoint a licensed firm to perform the audit, which assesses data processing activities, privacy policies, and consent methods.
  3. Ensure the DPCO files the final audit return with the NDPC before the March 31st deadline.

Conclusion

The NDPA Compliance Audit Return regime reinforces accountability and sound data governance among Data Controllers and Data Processors of Major Importance in Nigeria. Organizations must understand their classification, comply with registration and filing timelines, and engage licensed Data Protection Compliance Organizations to avoid penalties. Timely compliance not only ensures regulatory adherence but also promotes trust, reduces data protection risks, and strengthens overall data management practices.

Footnotes

1. Article 10 of Nigeria Data Protection Act-General Application and Implementation Directive 2025

2. Section 44 of Nigeria Data Protection Act 2023

3. Article 8 of Nigeria Data Protection Act-General Application and Implementation Directive 2025

4. Schedule 7 of Nigeria Data Protection Act-General Application and Implementation Directive 2025

5. Schedule 7 of Nigeria Data Protection Act-General Application and Implementation Directive 2025

6. Section 44(6) of Nigeria Data Protection Act 2023

7. Schedule 10 of Nigeria Data Protection Act-General Application and Implementation Directive 2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
