ARTICLE
14 October 2024

Data Protection Compliance In Nigeria: Mandatory Compliance Audit Returns (CAR)

Firmus Advisory

Contributor

Firmus Advisory Limited is a business consulting firm operating in three areas in Ghana: Regulatory Compliance, Market Research and Trade Development. We offer the following services under these three areas. Regulatory Compliance: Company Formation, Tax Advisory, Immigration Support Services, Regulatory licensing and permits, Product certification. Market Research: Customer Experience, Market Insights, Industry Research, Employee Engagement, Business Plan. Trade Development: Business to Business match-making, Market Development, Market Entry Services, In-market seminars for visiting business delegations.

A Data Protection Audit is a systematic examination carried out to ascertain whether an organization's processing of personal data is compliant with the data protection laws applicable to the data processed, industry standards, and the organization's data policies.

The Nigerian Data Protection Act, 2023 ("The Act") and the Nigerian Data Protection Act-General Application and Implementation Directives, 2024 ("NDP Act-GAID") require companies that process the personal data of data subjects resident in Nigeria to carry out periodic compliance audits of their operations and file Compliance Audit Returns (CAR) with the Nigerian Data Protection Commission ("The Commission").

How Often Should a Company Carry Out Data Compliance Audit and File a Compliance Audit Report?

According to the NDP Act-GAID, every organization in Nigeria that processes personal data should carry out a periodic audit of its data processes. More specifically, a data controller or data processor of major importance that was established before the 12th day of June, 2023 shall file its CAR not later than 31st of March each year.

A data controller or data processor of major importance established after the 12th day of June 2023 shall file its CAR not later than eighteen (18) months after its establishment and shall subsequently file its CAR annually.

Furthermore, for the purposes of ensuring proportionality of obligations, the Commission classifies data controllers and data processors into three (3) levels or categories of data processing namely:

  1. Major Data Processing-Ultra High Level (MDP-UHL)
  2. Major Data Processing-Extra High Level (MDP-EHL)
  3. Major Data Processing-Ordinary High Level (MDP-OHL)

Major Data Processors of Ordinary High Level or the 3rd category are not required to file CAR annually. However, they are required to renew their registration with the Commission every year.

For clarification, data processors and controllers in the MDP-UHL category are organisations that process the personal data of over 5000 data subjects within a period of six (6) months. Data processors and controllers in the MDP-EHL category are those that process the personal data of over 1000 data subjects within a period of six (6) months. Lastly, data processors and controllers in the MDP-OHL category are those that process the personal data of at least 200 data subjects within a period of six months.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.