15 April 2026

Navigating NDPC Audits: Essential Documentation And Strategic Responses Under The NDPA

Adeola Oyinlade & Co


Adeola Oyinlade & Co. is a leading full-service law firm in Nigeria providing competent, innovative, cost-effective, and well-timed responsive services. The firm offers a variety of legal services including corporate, commercial and business advisory, dispute resolution, litigation and more to a vast range of national and foreign clients.

Introduction

Data controllers and data processors of major importance must prepare, maintain, and make available certain documents for audit review before filing their NDPA compliance audit return with the NDPC, and when invited for an investigation by the NDPC, in order to demonstrate compliance with the NDPA. These essential documents include, but are not limited to, the following:

  1. Certificate of Registration: Data controllers and data processors of major importance are required to be registered with the NDPC and must therefore obtain and hold a registration certificate as proof of such registration.[1]
  2. DPO Certification: The NDPC carries out an Annual Credential Assessment (ACA) of DPOs to ensure that each DPO maintains the level of professionalism required to carry out his or her responsibilities. The certification of a DPO is verified by the Commission as part of the Compliance Audit Return or registration.[2]
  3. Staff Training Schedule on Data Privacy: Data controllers and data processors are required to prepare and implement an organizational schedule for internal sensitization and training of staff on privacy.[3]
  4. Basic Privacy Checklist of Dos and Don’ts: A practical, accessible reference document for staff summarizing the key permitted and prohibited actions relating to personal data handling in day-to-day operations.[4]
  5. Consent Management Policy: Whenever a data controller relies on consent, it is expected to keep a proper record that guarantees accountability in respect of that consent. The policy defines how consent is solicited, recorded, withdrawn, and renewed across all data processing activities.[5]
  6. Document Embodying the Lawful Bases Employed: A document identifying and justifying the specific lawful bases (e.g., consent, legitimate interest, legal obligation) relied upon for each category of data processing.[6]
  7. Schedule for Monitoring, Evaluation and Maintenance (MEM): Data controllers and data processors are required to prepare and follow schedules for monitoring, evaluating and maintaining their data security systems in order to guarantee data confidentiality, integrity and availability.[7]
  8. Disaster Recovery Plan: A formal plan detailing how the organization will restore data processing capabilities and recover personal data in the event of a system failure, cyberattack, or other disaster.
  9. Data Privacy Impact Assessment (DPIA) Policy and Report: Organizations are required to conduct a Data Privacy Impact Assessment where data processing is likely to result in high risk to the rights and freedoms of a data subject, and must therefore maintain a policy governing when and how DPIAs are to be conducted.[8] They must also hold completed DPIA reports for all relevant processing activities.
  10. Legitimate Interest Assessment (LIA) Policy and Report: Where a data controller relies on legitimate interest as the lawful basis for data processing, it must carry out a Legitimate Interest Assessment before embarking on the processing. There must be a policy framework encompassing the three-part test: purpose, necessity, and balancing.[9]
  11. DPO Semi-Annual Data Protection Report to Company Management: The DPO of a data controller or data processor is required to submit a semi-annual data protection report to management covering compliance activities, incidents, and developments.[10]
  12. DPO’s Annual Report to Company Management: The DPO’s comprehensive annual report to senior management, summarizing the state of data protection compliance, risks, incidents, and recommendations for the year.
  13. Data Subject Access Request Policy: The policy governing how the organization receives, processes, and responds to requests from data subjects exercising their right of access, including timelines, verification procedures, and escalation paths.[11]
  14. Data Processing Agreement: Formal agreements with all data processors, mandating compliance with the organization’s data protection standards and the applicable legal framework.[12]
  15. Transfer & Sharing Instruments: Binding Corporate Rules, Data Transfer Agreements, Data Sharing Agreements, Standard Contractual Clauses, and a Cross-Border Transfer Record, which collectively govern all lawful international and inter-organizational data flows.
  16. Cookies Policy: A comprehensive policy outlining the cookies used on the website, their purposes, retention periods, and how users can manage or withdraw their consent, presented in clear and simple language.[13]
  17. Website Privacy Notice: A detailed privacy notice published on the organization’s website, informing visitors about how their data is collected, the purposes of processing, the applicable legal bases, retention periods, and their rights as data subjects.
  18. Record of Processing Activities (RoPA): A comprehensive register of all data processing activities carried out by the organization, including purposes, categories of data, recipients, retention periods, and security measures. Mandatory under modern data protection law and a primary audit artifact.

Steps to take when invited by the NDPC for an investigation

  1. Acknowledge the Invitation: Reply formally to confirm receipt of the notice and your willingness to cooperate.
  2. Engage a Licensed DPCO: Consult a licensed Data Protection Compliance Organization (DPCO) experienced in NDPC matters. They will guide your response and represent your interests where necessary.
  3. Review the Allegations or Scope: Carefully examine the issues raised, whether they concern a complaint, a breach, or a routine audit. Understand which laws or obligations under the Nigeria Data Protection Act are being questioned.
  4. Gather Relevant Documentation: Compile all necessary records, including privacy policies and notices, data processing records (RoPA), consent records (if applicable), contracts with third parties/processors, and security policies and incident logs.
  5. Conduct an Internal Assessment: Assess your compliance status. Identify any gaps or potential breaches and document the steps already taken (or being taken) to address them.
  6. Prepare a Formal Response: Provide clear, accurate, and well-structured answers. Avoid speculation and stick to verifiable facts and supporting documents.
  7. Attend Meetings or Hearings (If Required): Ensure your representatives (legal/DPO) are present. Provide honest responses and avoid misleading statements.
  8. Demonstrate Cooperation and Remediation: Regulators value cooperation. If any non-compliance is identified, show evidence of corrective actions, such as policy updates, staff training, or system improvements.
  9. Follow Up and Implement Recommendations: After the investigation, comply with any directives, sanctions, or recommendations issued by the NDPC within the stipulated timeframe.

Conclusion

Compliance with the NDPA requires a continuous and well-documented approach to data protection. Maintaining accurate records and policies enables data controllers and processors to demonstrate accountability during audits and investigations by the Nigeria Data Protection Commission.

An invitation for investigation should be approached with preparedness and cooperation, supported by proper documentation and expert guidance. Ultimately, organizations that prioritize compliance and proactively address gaps are better positioned to manage risks and maintain regulatory trust.

Footnotes

1. Article 9 of the NDPC-GAID 2025
2. Article 12 of the NDPC-GAID 2025
3. Article 30 of the NDPC-GAID 2025
4. Article 7(n) of the NDPC-GAID 2025
5. Article 17(6) of the NDPC-GAID 2025
6. Article 23 of the NDPC-GAID 2025
7. Article 7(f) of the NDPC-GAID 2025
8. Article 28 of the NDPC-GAID 2025
9. Article 26 of the NDPC-GAID 2025
10. Article 13 of the NDPC-GAID 2025
11. Article 7(s) of the NDPC-GAID 2025
12. Article 34 of the NDPC-GAID 2025
13. Article 19 of the NDPC-GAID 2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
