The Nigeria Data Protection Commission (NDPC) has issued a Guidance Notice ("Notice") regarding the filing of data protection Compliance Audit Returns ("CARs") for the 2022 cycle. The objective of the Notice is to provide guidance to data controllers and data processors on the filing of annual data protection Compliance Audit Returns with the Nigeria Data Protection Commission. Key points in the Notice are captured hereunder:

a. CARs Filing

The annual filing of CARs is a legal obligation for data controllers under the Nigeria Data Protection Regulation (NDPR) 2019, which was preserved by the Nigeria Data Protection Act (NDP Act) 2023. The NDPR Implementation Framework 2020 extended this obligation to data processors under Article 6.1 of the Framework. Therefore, all data controllers and processors who meet the prescribed minimum thresholds under the NDPR are required to file CARs with the NDPC annually, on or before March 15 of the following year. The prescribed minimum thresholds under the NDPR are as follows:

  1. The processing of the personal data of more than 1000 data subjects in a period of 6 months.
  2. The processing of the personal data of more than 2000 data subjects in a period of 12 months.

Filing of CARs can only be done through a licensed Data Protection Compliance Organization (DPCO). By this Notice, the period for filing CARs for the 2022 period is extended until the commencement of a new filing cycle in 2024, with a default fee of 50% of the filing fee if the 2022 CARs are filed after March 15, 2023.

b. National Data Protection Adequacy Programme (NaDPAP) Whitelist

The filing of CARs is one of the ten (10) compliance metrics highlighted in the Notice that will be used to determine the inclusion of a data controller or processor on the NaDPAP Whitelist. Inclusion on the NaDPAP Whitelist, which was published by the Nigeria Data Protection Bureau (now NDPC) in the last quarter of 2022, creates a rebuttable presumption of accountability for the data controllers and processors on the list. The Whitelist contains information on data controllers and processors that have presumably, but rebuttably, exhibited commitment to taking adequate technical and organizational measures to safeguard data subjects' rights. It also serves as a reference point for organizations in relevant transactions and proceedings. The failure or refusal of a data controller or processor to file CARs may constitute grounds for disqualification from listing on the NaDPAP Whitelist.

c. New CARs Filing Cycle

A new cycle of CARs filing will commence in 2024 under the NDP Act 2023 and the General Application and Implementation Directive (GAID), and the deadline for filing is March 15, 2024. The NDP Act GAID is expected to be issued by the Commission in the 1st Quarter of 2024. As earlier highlighted, the filing of CARs is facilitated only through licensed Data Protection Compliance Organizations (DPCOs).

d. Free Training and Induction for Designated DPOs

All designated Data Protection Officers (DPOs) are required by the Notice to participate in an induction training to be organized by the NDPC in January 2024. The training will focus on data subjects' rights and the compliance obligations of data controllers and data processors under the NDP Act and the GAID. In addition, the process of preparing and filing CARs should be used as an opportunity for practical training of designated Data Protection Officers and other members of staff.

e. Continuous Professional Development (CPD)

From the 1st Quarter of 2024, the continuous professional development of designated DPOs will be an essential audit parameter under the NDP Act GAID. Evidence of practical training will entitle a designated DPO to Continuous Professional Development (CPD) credits.

f. Consequences For Non-Compliance

Where a data controller or processor contravenes the Notice which relates to a specific provision of the NDP Act, the liability for the violation stipulated under the NDP Act or any subsidiary legislation will apply. Some of these liabilities are as follows:

  1. Criminal Sanctions.
  2. An order to address the breach or infringement.
  3. Imposition of Sanctions by the NDPC.
  4. Payment of Compensation to Data Subjects.
  5. Payment of Fine: A defaulting data controller or processor of major importance could face a fine of N10,000,000, or 2% of its annual gross revenue in the preceding financial year, whichever is higher. Where the defaulting party is a data controller or data processor not of major importance, it could face a fine which shall be the greater of N2,000,000, or 2% of its annual gross revenue in the preceding financial year.

Alliance Law Firm (ALF) is a DPCO duly licensed by the Nigeria Data Protection Commission to monitor, audit, report and file Compliance Audit Returns for data controllers and processors. ALF also assists data controllers and processors to adequately identify and remediate gaps in their privacy governance programs, and train personnel, thus ensuring adequate compliance with the NDPA and all other privacy regulations, guidelines and directives that may be issued by the NDPC under the NDPA 2023.
