30 January 2026

Did You Know That A DCPMI Must File Its Data Protection Compliance Audit Returns By 31 March Each Year?

Udo Udoma & Belo-Osagie

Contributor

Founded in 1983, Udo Udoma & Belo-Osagie is a multi-specialisation full service corporate and commercial law firm with offices in Nigeria’s key commercial centres. The firm’s corporate practice is supported by a company secretarial department, Alsec Nominees Limited, which provides a full range of company secretarial services and our sub-firm, U-Law which caters exclusively to entrepreneurs, MSMEs, startups, and growth businesses across several industries, including the FinTech industry. It is designed as a one-stop-shop for all basic business-related legal needs, providing high-quality support in a simplified and straightforward manner at super competitive prices. We are privileged to work with diverse local and international clients to create and implement innovative practical solutions that facilitate business in Nigeria and beyond. When required, we are well-placed to work across Africa with a select network of leading African and international law firms with whom we enjoy established relationships.
  • Article 10 of the General Application and Implementation Directive 2025 ("GAID") requires data controllers and data processors to conduct periodic, risk-based compliance audits of their data processing activities, with a view to mitigating the risk of personal data breaches through appropriate technical and organisational measures aligned with global best practices.

    The audits should identify areas of risk across people, processes, and technology, with the audit techniques and frequency determined by the level of risk and subject to any directives issued by the Nigeria Data Protection Commission ("NDPC"). Where personal data is accessible through online systems, audits are expected to be conducted as frequently as possible, given heightened cybersecurity risks.
  • Data controllers and data processors of major importance ("DCPMI") are required to file Data Protection Compliance Audit Returns annually with the NDPC on or before 31 March each year, using the NDPC's prescribed template and automated filing platform. Entities established after 12 June 2023 are required to file their first audit return within fifteen (15) months of establishment, and annually thereafter.

    A DCPMI is a data controller or data processor that operates in Nigeria and processes (or plans to process) personal data of more than 200 Nigerian data subjects, or carries out commercial ICT services on any digital device that has storage capacity for personal data and belongs to another individual, or handles personal data of significant economic, social, or security importance to Nigeria.
  • The applicable filing fees, based on the classification of DCPMIs, were recently reviewed upwards by the NDPC.
  • Filing the audit after 31 March attracts an administrative penalty of 50% of the applicable filing fee, in addition to the standard filing fee.
  • Failure to file the audit by the due date is a breach of the Nigerian Data Protection Act and may attract enforcement actions, including remedial orders and financial penalties up to the higher of ₦10 million or 2% of annual gross revenue for major data controllers, and ₦2 million or 2% for others.
  • Defaulting data controllers and data processors are also exposed to the risk of reputational damage.
  • After filing the audit returns, the NDPC may request additional information. It will issue a Compliance Audit Returns Certificate upon a successful filing. Unless otherwise approved by the Commission, entities classified as Ultra-High Level and Extra-High Level are required to file through a licensed Data Protection Compliance Organisation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
