Nigeria: Guidance On Filing Of Data Protection Compliance Audit Returns In Nigeria

Introduction

The Nigeria Data Protection Commission (NDPC) recently issued a Guidance Notice (the"Notice") on the filing of data protection Compliance Audit Returns (CARs) ahead of the next cycle for the filing of CARs in 2024. The Notice provides information and instructions for data controllers and data processors on how to comply with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019. A summary of the Notice is described in this newsletter.

1. Filing Compliance Audit Reports

Further to the provisions of the NDPR and the direction of the NDPC, Data Controllers and Data Processors are required to file CARs with the NDPC by March 15 2024. The CARs filed should focus on: data protection principles; lawful basis of processing data; technical measures for ensuring confidentiality, integrity, and availability of personal data; and grievance redress mechanism, amongst other compliance matters stipulated under the NDPR. Data Controllers and Data Processors that are not yet compliant as at March 15, 2024 may also submit a memorandum of their intention to regularize their data processing activities in line with the NDPC by March 31, 2024. It is important to note that CARs must be submitted to the NDPC through licensed Data Protection Compliance Organisations. Furthermore, a default fee of 50% of the filing fee will apply where a Data Controller or Data Processor fails to file their CAR by the March 2024 deadline.

2. Free Training for Data Protection Officers

The NDPC will organize a free induction training for all designated DPOs in January 2024. The training will cover the rights of data subjects and compliance obligations under the NDPA as well as the NDPC's General Application and Implementation Directive (GAID) which will be released in 2024.

3. National Data Protection Adequacy Programme Whitelist

The NDPC has provided a compliance metric for Data Controllers and Data Processors to be included on the National Data Protection Adequacy Programme (NaDPAP) Whitelist.[1] The metrics include conformity with data protection principles, accountability, sensitization, appointment of a DPO, engagement of a DPCO, filing of CAR, data privacy impact assessment, internal remediation mechanism, information security certifications, and continuous awareness/capacity building. The maximum score for each metric is 10 points, and the total score is 100 points.

The Whitelist is a tool of accountability and transparency that shows the commitment of Data Controllers and Data Processors to safeguarding data subjects rights. However, the NDPC also reminds that publication in the Whitelist is not a shield against the complaints of data subjects.

4. Effect of Non-Compliance

The NDPC warns that failure to comply with the Notice which results in a contravention of provisions of the NDPA may result in enforcement orders, sanctions, penalties, or remedial fees as provided in the NDPA. The penalties under the NDPA range from NGN2 Million to NGN10 Million, or 2% of the annual gross revenue, depending on the size and importance of the Data Controller or Data processor.[2]

Conclusion

The Notice is a useful guidance for Data Controllers and Data Processors aiming to comply with the NDPA and wishing to be included on the NaDPAP Whitelist. For a deeper understanding of data protection in Nigeria, we invite you to explore our collection of articles via this link.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.