A data protection audit is a systematic examination carried out to ascertain whether an organization's processing of personal data complies with the data protection laws applicable to the data processed, with industry standards, and with the organization's own data policies.
The Nigerian Data Protection Act, 2023 ("The Act") and the Nigerian Data Protection Act-General Application and Implementation Directives, 2024 ("NDP Act-GAID") require companies that process the personal data of data subjects resident in Nigeria to carry out a periodic compliance audit of their operations and to file Compliance Audit Returns (CAR) with the Nigerian Data Protection Commission ("The Commission").
How Often Should a Company Carry Out Data Compliance Audit and File a Compliance Audit Report?
According to the NDP Act-GAID, every organization in Nigeria that processes personal data should carry out a periodic audit of its data processes. More specifically, a data controller or data processor of major importance that was established before the 12th day of June, 2023 shall file its CAR not later than the 31st of March each year.
A data controller or data processor of major importance established after the 12th day of June 2023 shall file its CAR not later than eighteen (18) months after its establishment and shall subsequently file its CAR annually.
Furthermore, to ensure that obligations are proportionate, the Commission classifies data controllers and data processors into three (3) levels or categories of data processing, namely:
- Major Data Processing-Ultra High Level (MDP-UHL)
- Major Data Processing-Extra High Level (MDP-EHL)
- Major Data Processing-Ordinary High Level (MDP-OHL)
Major Data Processors of Ordinary High Level (the 3rd category) are not required to file a CAR annually. However, they are required to renew their registration with the Commission every year.
For clarification, data processors and controllers in the MDP-UHL category are organisations that process the personal data of over 5000 data subjects within a period of six (6) months. Data processors and controllers in the MDP-EHL category are those that process the personal data of over 1000 data subjects within a period of six (6) months. Lastly, data processors and controllers in the MDP-OHL category are those that process the personal data of at least 200 data subjects within a period of six (6) months.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.