In compliance with the Nigeria Data Protection Act (“NDPA”), the Nigeria Data Protection Commission (“NDPC/Commission”) on 15th of November 2023 published its Guidance Notice (Notice) on the Filing of Data Protection Compliance Audit Returns (CAR) which is set to take effect from 1st January 2024. This notice sets out procedure to be adhered to by Data Processors and controllers when filing their mandatory annual Compliance Audit Report with the Commission emphasizing the Commission’s commitment to tighten the oversight role in the protection and enforcement of Data Subject rights on the one hand and to engender data usage trust within Nigeria’s burgeoning digital ecosystem.
The Guidance Notice highlights the requirements for inclusion in the Commission’s National Data Protection Adequacy Programme (NaDPAP) Whitelist to be published by the Commission on Data Controllers and Data Processors who demonstrate commitment to safeguarding Data Subjects Rights and prioritize compliance with NDPR.
- NDPR Remains the Primary Regulation Governing Annual CAR Filings in Nigeria
The Guidance Notice lays to rest any doubt about the continued applicability of the NDPR following the enactment of the Nigeria Data Protection Act by recognizing it as the primary regulation governing the filing of the mandatory Compliance Audit Report. Data Controllers and Data Processors who have processed personal data of more than 2000 data subjects within the preceding 12 months are by law, mandated to file their Data Protection Compliance Audit Report with the Commission, in accordance with Articles 4.1 (5 & 7) of the NDPR.
It is noteworthy to mention that this is consistent with Section 64(2)(f) of the NDPA, which states that the provisions of NDPR remains in full force and effect except to the extent that any of its provisions is overridden by or conflicts with any provision of the Act.
- Vital Role of Data Protection Compliance Organizations
The Notice emphasizes the crucial role of Data Protection Compliance Organizations (DPCOs) in the implementation of Nigeria’s Data Protection framework by supporting Data Controllers and Data Processors to developing self-guided compliance strategies that demonstrate transparent and accountable reporting in line with the NDPR. Specifically, the Guidance Notice identifies the underlisted as the key responsibilities of DPCOs:
i. Facilitating the filing of CAR with the Commission:
DPCOs support Data Controllers and Processors with the conduct of Audits and submission of Reports with the Commission in line with the NDPR. The Notice emphasizes the need to ensure that DPCO’s services are priced in a manner that guarantees minimal financial burden on Data Controllers and Processors.
ii. Engaging in Non-Fee-Paying CAR Work:
DPCOs are encouraged to occasionally provide audit support service to start-ups, not for profit organizations and businesses who are unable to pay for the mandatory audit service as part of their Corporate Social Responsibility (CSR) to foster inclusive compliance.
iii. Knowledge Transfer for DPOs during Audit Exercise:
DPCOs are required to use the Audit exercise as an opportunity to provide practical training for DPOs and other personnel in the Client Organizations they serve. Evidence of such practical training embedded in the audit exercise will entitle the participating DPOs to Continuous Professional Development (CPD) Credit, which will be an essential audit parameter under the soon to be published NDPA General Application and Implementation Directive (GAID).
- Getting Listed on the NaDPAP Whitelist
The Notice outlines the compliance metrics for inclusion in the National Data Protection Adequacy Programme (“NaDPAP”) which include verifiable compliance with Data Protection Principles and Lawful Basis such as Privacy Policies and Notices, Consent forms; regular filing of CAR, sensitization of data subjects on data subjects’ rights, appointment of DPO, engagement of a DPCO, training and capacity building for Staff amongst others.
Successful filing of the CAR entitles Data Controllers/Processors to be listed in the National Data Protection Adequacy Programme (NaDPAP) Whitelist. It is worthy to note that failure of a data controller or processor to file CAR as legally required is a ground for disqualification from being listed on the NADPAP Whitelist irrespective of whether such Data Controller or Processor has proven data privacy compliance policies and framework that comply with the prescribed requirement of the NDPA and NDPR.
Whilst being listed in the NaDPAP Whitelist establishes a presumption of compliance and a demonstration of the data controller/processors commitment to safeguarding data-subjects rights; it does not confer immunity or protection against Data Subject claims or liabilities.
- Mandatory Induction Training for DPOs
All designated DPOs are required to participate in the free induction training that will be organized by the Commission in January 2024. The training is expected to re-enforce the rights of data subjects and compliance obligations outlined in the NDPA and the GAID.
- Minimum Information Requirement for inclusion in a Compliance Audit Report
The notice highlights the key focus areas for any CAR to be filed with the Commission. Each Report accompanying the NDPC audit questionnaire shall at the minimum cover the underlisted:
i. Evidence of the Data Controller/Processor’s awareness of the provisions of the NDPR, as contained in the internal data privacy framework of the organization.
ii. Evidence of Capacity Building and Continuous Training of Staff, Contractors, Licensees on their obligations as data administrators under the NDPA.
iv. Clear and detailed compliance directives communicated to all individuals involved in data processing, emphasizing adherence to the NDPR.
v. Appointment and availability of Data Protection Officers overseeing and ensuring compliance with the NDPR.
vi. An inventory of the categories of personal data being processed and maintained by the Data Controller or Data Processor, specifying the principles and lawful basis for processing each category.
vii. Technical Measures implemented to ensure Confidentiality, Integrity, and Availability of Personal Data guided by the principles of Privacy by Design and by Default.
vii. The institutionalization of a robust mechanism for addressing grievances related to data protection.
viii. A comprehensive list of all agents or contractors engaged in data processing, along with details of their training programs and overall compliance with the NDPA.
- Default and Non-Compliance with filing CAR
Non – Compliance with CAR filing on or before the deadline which is set for March 2024 attracts a default fee of an additional 50% of the filing fee. Additionally, non-compliance with the Notice may amount to a violation of the NDPA, which attracts penalty as prescribed under the NDPA.
It is imperative for Data Controllers and Data Processors to prioritize timely and efficient filing of the yearly mandatory Data Privacy Compliance Audit Report in accordance with the NDPA and this not only signifies adherence to regulatory standards but also underscores a collective responsibility to fortify data privacy measures, ensuring a safe and secure digital ecosystem for all stakeholders.
This Article is written by DealHQ’s Technovation and Data Governance Practice Team.
DealHQ is a licensed Data Protection Compliance Organization (DPCO). We understand the importance of safeguarding sensitive data and complying with local and foreign data protection laws applicable to your business to protect your organization’s reputation and mitigate potential cybersecurity or data violation risks which can have significant financial, legal, and systemic implications for your Business. Our service niche includes (1) Data Protection/Governance Advisory (2) Data Protection Compliance Support (3) Data Protection Audit Services and (4) Outsourcing of Data Protection Officers.
*The content of this Article is not intended to replace professional legal advice. It merely provides general information to the public on the subject matter.*
To know more about our Data Privacy Services? Please contact our team:
Email: email@example.com; firstname.lastname@example.org
Telephone: +234 1 4536427 or +234 9087107575