On 27 February 2020, the National Information Technology Development Agency (NITDA) notified all Data Protection Compliance Organisations (DPCOs) that Data Controllers, Data Processors and other concerned entities that submitted the statutory Initial Data Audit Report between 2019 and 15 March 2020 are exempted from submitting the 2020 Annual Data Audit Report.


In January 2019, NITDA issued the NDPR to regulate organizations that collect and process personal data of individuals (Data Controllers). The NDPR requires Data Controllers to conduct a mandatory data protection audit of their organizations and file the audit report with NITDA through a Data Protection Compliance Organization (DPCO) within six months from the issuance of the NDPR (i.e. 25 July 2019). This timeline was however extended till 25 October 2019.

The NDPR also mandates Data Controllers to file an annual audit report by 15 March through a DPCO. Failure to comply with these obligations attracts penalties of up to 2% of the annual gross revenue of a non-compliant company in addition to other penalties provided under the NITDA Act.

Given the short timeframe between the period for filing the Initial Data Audit Report in 2019 and the annual audit report in March 2020, NITDA has now notified all DPCOs that entities that submitted the statutory Initial Data Audit Report between 2019 and 15 March 2020 are exempted from submitting the 2020 Annual Data Audit.

According to NITDA, affected entities are expected to put necessary processes in place to remediate identified gaps or to improve their systems to ensure data protection compliance and information security. All Data Controllers and Processors are also expected to ensure continued compliance with the NDPR by updating their Privacy Policy, training of relevant staff, process improvement and information security.

NITDA further states that entities that fail to file their Data Audit report entirely will be in breach of the NDPR and the NITDA Act 2007. This is also a criminal offence which could attract criminal or other administrative sanctions.


It is imperative for non-compliant companies and organizations to take immediate steps to forestall enforcement by NITDA and imposition of the sanctions under the NDPR. They should do this by engaging a licensed DPCO to review their data collection and processing activities, and carry out the necessary measures for complying with the NDPR. Companies may also engage with NITDA through their appointed DPCOs, to obtain more information about how they can comply with the NDPR and the possibility of getting additional time to comply. It should be noted that based on NITDA's notification, companies that entirely fail to file an audit report or engage with NITDA in this regard are already in breach of the NDPR and face the risk of fines and other civil and criminal sanctions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.