Introduction

With the beginning of a new year comes the requirement for organisations to adhere to the various regulatory and compliance provisions governing their sector, both general and sector-specific. One such compliance requirement is the filing of data protection compliance audit returns with the Nigerian Data Protection Commission (NDPC). Organisations are mandated to file their data protection compliance audit return on or before the end of March 2024, and are expected to have commenced their audit process in order to meet this deadline.

In this publication, we have set out some information which should help you in your data protection compliance audit.

  1. What type of companies are to adhere to this data protection compliance requirement?

The obligation to adhere to this compliance requirement is imposed on organisations that collect and process the personal data of Nigerians, referred to as data processors and data controllers. Foreign companies are also caught by this requirement if they process the data of data subjects resident in Nigeria (whether or not they have a subsidiary in Nigeria).

Examples of these companies include: banks and other financial institutions, technology companies, health institutions, insurance companies, gaming and betting companies, religious institutions, all employers of labour, etc.

  2. What steps are Data Processors and Controllers required to take to adhere to this compliance requirement?
    1. The first step to take in this regard would be to engage the services of a data protection compliance organization (DPCO). DPCOs are organisations licensed by the NDPC to facilitate the filing of data protection compliance audit returns with the NDPC. The DPCO will provide guidance on the audit process best suited for your organisation.
    2. In order to commence the data protection compliance audit process, the DPCO may require that you provide the following documents and information:
      1. Documents:
        • Data protection policy
        • Data impact assessment procedure and workbook
        • Privacy policy
        • Data subject consent form
        • Internal breach register
        • Data subject access request procedure and form
        • Subject access request record
        • Document stipulating the management of sub-contract processing
        • Data breach notification procedure
        • Retention schedule
        • Audit schedule
      2. Information: Your organization will be required to provide the following information during the audit process:
        • Information regarding the training and awareness of the organisation's staff on data protection requirements and process
        • Information on the category of personal data processed by the organization and how they are stored
        • Information on how the organization determines the relevance and adequacy of the personal data obtained for each processing purpose
        • Contingency plans put in place or implemented by the organisation to handle data breach, loss, destruction, and damage, and the security measures established to mitigate them
        • Where the organization is a data controller, the list of its agents and contractors engaged for data processing is required. In addition to this, the organization will be required to highlight the considerations made in choosing a data processor, and steps taken to ensure that the data processor complies with data protection requirements
        • How the organization determines the lawful basis for processing personal data, etc.

Please note that the above documents and information are not exhaustive and only serve as a guide in preparation for your data protection compliance audit. The documents and information required may vary depending on your organisation's business and operations, and on the specific preference of the DPCO conducting the audit.

  3. What happens where I do not have all the documents or information required?

In cases where you have not fully developed all the required documents or do not have the required information, the DPCO will make some recommendations on the documents to be developed or updated by you.

Please note however that you will incur no penalties where these documents are not available, although the NDPC would expect to see improvements in your data protection practices at the next audit.

  4. How long does the audit process take?

The audit process typically takes about 3 weeks if you have and promptly furnish the DPCO with all the required documents and information.

  5. What happens if I fail to fulfill the requirements before the March 2024 deadline?

The NDPC stipulates that failure to file the compliance audit return (CAR) within the March 2024 deadline will result in a default fee of 50% of the filing fee being imposed on the data controller/processor.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.