- with readers working within the Property and Law Firm industries
- within Privacy, Transport and Finance and Banking topic(s)
The Nigerian Data Protection Act (NDPA) 2023 and its General Application and Implementation Directive (GAID) 2025, require data controllers and data processors of major importance ("DCMIs/DPMIs") to file Compliance Audit Returns (CAR) with the Nigerian Data Protection Commission (NDPC) no later than the 31st of March 2026 in respect of their data processing activities for 2025.
Who should file Compliance Audit Returns
DCMIs/DPMIs categorized as Ultra-High Level (UHL) and Extra-High Level (EHL) are required to file Compliance Audit Returns (CARs) with the NDPC on or before the above referenced deadline. Organizations designated as DCMIs and DPMIs fall into the UHL and EHL categories based on the following criteria:
Ultra High Level: this includes i) Commercial banks operating at national or regional level; ii) Telecommunication companies; iii) Insurance companies; iv) Multinational companies; v) Electricity distribution companies; vi) Oil and Gas companies; vii) Public social media App developers and proprietors; viii) Public e-mail App developers and proprietors; ix) Communication devices manufacturers; x) Payment gateway service providers; xi) Fintechs; and any organisation that processes the personal data of over 5, 000 data subjects within 6 months.
Extra High Level: this includes i) Ministries, Departments and Agencies (MDAs) of government; ii) Micro Finance Banks; iii) Higher Institutions; iv) Hospitals providing tertiary or secondary medical services; v) Mortgage Banks; and any organisation that processes the personal data of over 1,000 data subjects but less than 5,000 within 6 months.
When should DCMIs/DPMIs File the CAR
DCMIs/DPMIs are required to file their CAR on or before 31st March of every year.
Information Required for CAR Filing
The CAR is currently based on the template provided in Schedule 2 of the GAID, and the assessment areas set out for the conduct of the compliance audit include:
- Governance practice of the DCMI/DPMI which includes the people and process;
- Data security controls and standard;
- Accountability and risk evaluation;
- Cross border transfer;
- Third party data processors
Filing of the CAR
The CAR is to be filed at the NDPC's data protection compliance portal, through a licensed Data Protection Compliance Organisation (DPCO) acting on behalf of the DCMI/DPMI. Please see link here
What are the Filing Fees
The CAR filing fees as set out under the GAID are as follows:
Effect of Non-compliance
a) Late Filing: DCMIs/DPMIs who file their CAR after 31st March 2026, will pay an additional administrative fee of up to 50% of the applicable filing fee.
b) Non Filing: The failure to file the CAR as a DCMI/DCPMI may attract a fine of up to 2% of the defaulting entity's annual gross revenue in the preceding financial year or ₦10,000,000 (Ten Million Naira), whichever is greater. It may also attract regulatory scrutiny of the defaulting company's data processing activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]
