The Nigeria Data Protection Commission (“NDPC”) has announced an extension of the deadline for the filing of the 2025 Data Protection Compliance Audit Returns (“CAR”) from March 31 to May 30, 2026. Data Processors and Controllers of Major Importance (“DPCMIs”) are therefore encouraged to utilise this period to ensure that their data protection frameworks are aligned with regulatory expectations and to file their Compliance Audit Returns within the extended timeline.
DPCMIs should note that failure to file within the prescribed timeline will attract regulatory sanctions. In particular, late filing of the CAR is subject to a penalty of 50% of the applicable filing fee, in addition to the risk of further regulatory scrutiny or enforcement action by the NDPC.
- Practical Steps During the Extension Period
To make effective use of the extended timeline, DPCMIs should consider the following:
- Data Mapping: Ensure that all personal data processing activities are clearly identified and documented, including the nature of data collected, purposes of processing, storage locations, and third-party disclosures.
- Policy Review: Review privacy policies and internal data protection procedures to confirm that they are up to date and aligned with regulatory requirements and actual data processing practices.
- Remediation of Prior Findings: Ensure that any identified gaps or recommendations from prior audits have been appropriately addressed and implemented.
- Engage a licensed Data Protection Compliance Organisation (DPCO): A licensed DPCO can conduct the data protection compliance audit and file the CAR on behalf of the organisation, helping to ensure that the audit meets NDPC expectations.
- Update on Filing Fees
DPCMIs are also reminded that the filing fees applicable to the CARs were revised under the General Application and Implementation Directive, 2025 (“GAID”). The fees depend on the DPCMI category, as well as the number of data subjects processed by the organisation, as outlined below:
- Ultra-High Level DPCMI
Tier A – 50,000 data subjects and above: N1,000,000
Tier B – 25,000 – 49,999 data subjects: N750,000
Tier C – below 25,000 data subjects: N500,000
- Extra-High Level DPCMI
Tier A – 10,000 data subjects and above: N250,000
Tier B – 2,500 – 9,999 data subjects: N200,000
Tier C – below 2,500 data subjects: N100,000
- Further Guidance
For a more detailed overview of compliance obligations under Nigerian data protection laws, and the role of DPCOs, please refer to our previous publications:
- Compliance with Nigerian Data Protection Laws – The Role of Data Protection Compliance Organizations
- Important Data Protection Obligations and Practices for Companies in Nigeria
- Checklist for Filing Data Protection Compliance Audit Returns in Nigeria
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.