The clock is ticking. With days left to the 31st March Compliance Audit Return (CAR) filing deadline, the Nigeria Data Protection Commission (NDPC) has made it clear that enforcement is no longer theoretical.
Recent NDPC actions leave little room for doubt. The Commission has launched wide-scale sectoral probes, imposed record-breaking fines, and adopted a clear "name-and-sanction" strategy. Over 1,300 organisations across finance, insurance, gaming, and other high-risk sectors have come under regulatory scrutiny, with penalties running into hundreds of millions of naira for data protection failures. This shift matters because missing the CAR deadline is no longer a procedural lapse. It can trigger deeper regulatory audits, public non-compliance listings, administrative penalties, and potentially severe financial exposure. With enforcement accelerating and the filing window closing, organisations that delay are not just late; they are visible.
This Tech Brief sets out what you need to know about who must file, what is required, the cost of getting it wrong, and how to get audit-ready before the deadline.
Who Is Required to File a CAR?
Under the Nigeria Data Protection Act 2023 (NDPA), any Data Controller or Data Processor of Major Importance (DCPMI) is required to conduct periodic compliance audits of its data processing activities and file CAR with the NDPC. In practical terms, this applies to organisations classified as:
- Ultra-High Level (UHL), or
- Extra-High Level (EHL).
These classifications are determined primarily by the volume of personal data processed, the number of Nigerian data subjects affected, the sensitivity of the data involved, and the industry in which the organisation operates. For a deeper breakdown of these categories, see our publication on DCPMI Classifications. UHL and EHL DCPMIs must file their CAR on or before 31st March each year.
When Must CAR be Filed?
Put simply:
- DCMIs/DPMIs that are Ultra-High Level (UHL) and Extra-High Level (EHL) are required to file their CAR on or before 31st March of every year.
- Organisations established before 12 June 2023: file annually by 31 March.
- Organisations established after 12 June 2023: file within 15 months of incorporation, and then annually by 31 March thereafter.
What Information is Required for CAR Filing?
The CAR must be prepared using the Schedule 2 template under the GAID and reflects the outcome of your organisation's data protection compliance audit. Beyond high-level policies, the NDPC expects verifiable, operational evidence of compliance. Your CAR must address the following core areas:
- Governance framework: Organisational structure, roles, internal policies, and documented processes for managing personal data.
- Data security controls and standards: Technical and organisational measures in place to prevent breaches, unauthorised access, and data loss.
- Accountability and risk evaluation: Evidence of compliance monitoring, risk identification, and mitigation measures.
- Cross-border data transfers: Lawful transfer mechanisms, safeguards, and regulatory approvals (where required).
- Third-party data processors: Oversight of vendors, processor due diligence, and contractual controls.
- Awareness and capacity building: Evidence of periodic data protection training for staff and management.
- Lawful basis and data protection principles: Clear documentation of the lawful basis relied on for each category of personal data processed.
- Grievance redress mechanism: How data subjects exercise their rights and how complaints are handled, including use of tools such as the Standard Notice to Address Grievance (SNAG).
How to File
CARs are filed through the NDPC Data Protection Compliance Portal and must be submitted by a licensed Data Protection Compliance Organisation (DPCO) acting on behalf of the organisation. Direct filing by the DCMI/DPMI is not permitted. Engagement of a licensed DPCO is therefore a mandatory step, not an administrative option.
Statutory CAR Filing Fees
The new statutory CAR filing fees, as set out under the GAID, are as follows:

Consequences of Non-Compliance
Failure to file a CAR by 31st March exposes UHL and EHL DCPMIs to immediate and escalating regulatory consequences. At the most basic level, late filers are required to pay an administrative penalty equal to 50% of the applicable CAR filing fee, in addition to the standard filing cost.
Beyond this surcharge, non-filing constitutes a substantive breach of the NDPA and may attract statutory fines of up to 2% of the organisation's annual gross revenue in the preceding financial year or ₦10 million, whichever is higher. Increasingly, such breaches also trigger heightened regulatory scrutiny, including targeted audits and investigations into the organisation's data processing practices. The operational impact can also be significant. The NDPC is empowered to issue remediation and compliance orders, which may include directives to suspend certain data processing activities until identified violations are corrected. For data-driven businesses, this can result in material disruption to core operations.
Non-compliance further exposes organisations to civil liability, as affected data subjects may seek damages for privacy violations. In cases of serious or persistent breaches, enforcement may escalate to criminal prosecution, with potential personal liability for principal officers, including directors and chief executives.
Practical Tips for Audit Readiness
With limited time left, organisations should focus on substance, not paperwork:
- Run a pre-audit review to identify gaps before the formal CAR process begins.
- Update your Record of Processing Activities (RoPA) as this is one of the first documents DPCOs will examine.
- Validate security controls to ensure access controls, encryption, incident response, and policies are actually implemented, not just documented.
- Review vendor and processor contracts because third-party risk is a recurring enforcement focus.
- Engage a licensed DPCO early as late engagement often leads to rushed filings and avoidable penalties.
- Adopt "Privacy by Design" and be prepared to show data protection considerations in new systems or high-risk projects (i.e., through a Data Protection Impact Assessment).
- Maintain a compliance evidence folder with training logs, consent forms, and test results.
- Review your data retention schedule and avoid keeping personal data indefinitely.
- Conduct staff privacy refreshers for those handling sensitive data and record attendance.
Final Takeaway
CAR filing is not a box-ticking exercise. The NDPC is increasingly focused on demonstrable compliance, not last-minute documentation. As enforcement activity rises, the difference between compliance and penalties is early, deliberate preparation. If you haven't started, now is the time, not the week of the deadline.
To view the original Tope Adebayo article, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.