Nigeria's data protection landscape has entered a more robust and enforcement-driven phase. Following the issuance of the Nigeria Data Protection Act (NDPA) General Application and Implementation Directive (GAID) in September 2025, organisations classified as Data Controllers and Data Processors of Major Importance are now subject to a revised and more detailed annual Data Protection Compliance Audit ("DPCA") regime.
The new framework introduces enhanced reporting obligations, stricter timelines, and clearer consequences for default. As the statutory deadline approaches, it is critical for affected organisations to understand what has changed, who is affected, and how to prepare.
THE NEW COMPLIANCE FRAMEWORK UNDER THE GAID
The GAID, which came into force in September 2025, significantly updates the process for conducting and filing annual Data Protection Compliance Audit Returns. Beyond a change in form, the Directive reflects the Nigeria Data Protection Commission's (NDPC) intention to deepen accountability, transparency, and verifiable compliance across sectors.
Under the new regime, audits are no longer treated as a box-ticking exercise. Organisations are expected to demonstrate operational, technical, and governance-level compliance with the NDPA.
WHO IS REQUIRED TO FILE ANNUAL COMPLIANCE AUDIT RETURNS?
The obligation to file annual audit returns applies to Data Controllers and Processors of Major Importance (DCPMIs), particularly those categorised as:
- Ultra-High Level DCPMIs, and
- Extra-High Level DCPMIs.
In practical terms, this includes organisations that process large volumes of personal data within a six-month period, as well as entities operating in regulated or sensitive sectors such as telecommunications, financial services, insurance, fintech, oil and gas, healthcare, tertiary education, government institutions, digital platforms, and multinational companies.
Classification is determined in line with NDPC guidance, taking into account data volume, sector, risk exposure, and processing activities.
WHO IS NOT REQUIRED TO FILE ANNUAL COMPLIANCE AUDIT RETURNS?
While the GAID has expanded and strengthened the compliance audit regime, it is equally important for organisations to understand where the obligation does not apply. Not all data controllers or processors are required to conduct and file annual Data Protection Compliance Audit Returns.
A. Ordinary High-Level DCPMIs
Under the current regulatory framework, Ordinary High-Level Data Controllers and Processors of Major Importance are no longer required to file annual compliance audit returns.
Instead, entities within this category are required to:
- Renew their DCPMI registration or licence with the Nigeria Data Protection Commission (NDPC), and
- Maintain internal data protection practices that are consistent with the Nigeria Data Protection Act and applicable guidelines.
This distinction reflects a risk-based regulatory approach, reserving mandatory audit filings for entities with higher data volumes, sectoral risk, or processing complexity.
B. Organisations That Do Not Qualify as DCPMIs
Entities that do not meet the threshold for classification as Data Controllers or Data Processors of Major Importance are not required to:
- File annual compliance audit returns, or
- Renew a DCPMI licence.
However, such organisations are not exempt from complying with the provisions of the Nigeria Data Protection Act (NDPA). They are required to implement and maintain what the NDPC describes as reasonable data protection practices, proportionate to the nature, scale, and sensitivity of their data processing activities.
❖ Examples of Organisations Typically Below DCPMI Threshold
Subject to factual assessment and actual processing activities, the following categories of organisations may generally fall below DCPMI status, provided they process less than 200 personal data:
- Small and medium-sized enterprises with limited customer or employee data
- Sole proprietorships and professional service providers with minimal personal data processing
- Small retail businesses operating offline or with basic online presence
- Local consulting firms and startups processing low volumes of personal data
- Small logistics operators without large-scale digital tracking systems
- Event-based or short-term data collectors with limited retention periods
- NGOs, community-based organisations, and associations with small membership bases
- Early-stage technology startups without significant user traction
The determining factor is not merely business size, but the volume of data processed, the frequency of processing, the sensitivity of the data, and the level of risk posed to data subjects.
❖ Ongoing Obligations for Non-DCPMI Organisations
Even where audit filing or licence renewal is not required, organisations must still:
- Process personal data lawfully and transparently
- Implement basic technical and organisational security measures
- Appoint a Data Protection Officer where appropriate
- Respect data subject rights
- Ensure lawful engagement of third-party processors
Failure to maintain reasonable data protection practices may still expose organisations to regulatory investigations, enforcement actions, and penalties under the NDPA.
WHAT IS NEW ABOUT THE FILING FEE?
The GAID introduces a new filing fee for the audit as follows:
New NDPA Compliance Audit Returns Filing Fee

WHAT IS NEW ABOUT THE COMPLIANCE AUDIT TEMPLATE?
The GAID marks a shift from passive policy reviews to rigorous operational verification. Data Protection Compliance Organisations must now actively audit a broader range of criteria, including DPO certifications, legitimate interest assessments, DPIA records, and governance for emerging technologies such as AI. By requiring evidence of cross-border transfer mechanisms and third-party oversight, the NDPC emphasises demonstrable compliance over mere documentation. Advocaat Law Practice is available to provide tailored guidance to ensure your organisation meets these expanded regulatory expectations.
FILING PROCESS AND ROLE OF THE DPCO
Audit returns must be filed through the NDPC's online portal and can only be submitted by a licensed Data Protection Compliance Organisation on behalf of the audited entity. This makes early engagement with a DPCO essential, particularly given the depth of documentation and verification now required.
As a licensed DPCO, Advocaat Law Practice supports organisations through:
- Pre-audit readiness assessments
- Full compliance audits aligned with the GAID template
- Remediation advisory and implementation support
- Filing and liaison with the NDPC
- Ongoing compliance and regulatory support
Statutory Deadline
The deadline for filing annual Data Protection Compliance Audit Returns is 31 March of each year. Organisations are encouraged to commence the audit process well in advance to avoid last-minute regulatory exposure.
Consequences of Non-Compliance
Failure to comply with the audit filing obligations carries significant regulatory and financial risks.
- Late filing attracts an administrative penalty of 50% of the filing fee, payable in addition to the prescribed filing fee.
- Non-filing may result in enforcement actions by the NDPC, including compliance orders and monetary penalties.
For DCPMIs, financial sanctions may extend up to ₦10 million or 2% of annual gross revenue, whichever is higher, alongside reputational and operational implications.
HOW ADVOCAAT LAW PRACTICE CAN SUPPORT
As a licensed DPCO, we are well positioned to guide clients through the new audit regime, mitigate regulatory risk, and embed practical privacy governance frameworks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.