The Nigeria Data Protection Commission (“NDPC/the Commission”) has published a Guidance Notice prescribing the formalities for the data protection compliance audit returns (“CAR”) filing and other pertinent compliance requirements for data controllers moving forward (the “Notice”). The key points for data controllers and processors to take note of are summarized below:
The Notice provides clarification regarding the modalities for the 2022/2023 CAR filing cycle, which will be governed by the Nigeria Data Protection Act (“NDPA”) and the soon-to-be-issued General Application and Implementation Directive ("GAID"). The prescribed procedures for this cycle are as outlined in the Nigeria Data Protection Regulation ("NDPR"), which subsists and supplements the NDPA subject to any overriding provisions of the NDPA or regulatory instruments made pursuant to same.
As a reminder, under the NDPR, all data controllers and administrators in Nigeria are mandated to conduct annual data protection compliance audits. When a data controller reaches the statutory data processing threshold of one thousand (1,000) data subjects within six (6) months and two thousand (2,000) data subjects within twelve (12) months, it is obligated to file its audit report with the NDPC by the deadline of March 15, 2024, in accordance with Article 4.1(6) and (7) of the NDPR. The filing process is facilitated by licensed Data Protection Compliance Organizations (“DPCO”), with Templars being one such licensed entity.
The Guidance Note further specifies that all designated data protection officers (“DPOs”) must partake in an induction training to be organized by the Commission in January 2024. This training will specifically address data subject rights and compliance obligations pertinent to data controllers and processors under the NDPA and its GAID.
The Notice also outlines the compliance metrics essential for inclusion in the National Data Protection Adequacy Programme (NaDPAP) Whitelist (the “Whitelist”), which was first announced by the Nigeria Data Protection Bureau, now the NDPC, in its 2022 Compliance Notice. The Notice sets specific criteria for organizations to be part of the Whitelist, which is to serve as a reference point for local and international establishments when conducting relevant proceedings and transactions. The highlighted metrics in the Notice include verifiable evidence of adherence to data protection principles and lawful bases, such as privacy policies and notices, timely CAR filing, engagement of a DPCO, capacity building for employees, and the appointment of a verifiably competent DPO, among others. We anticipate that following the issuance of these compliance metrics, the NDPC will publish the NaDPAP Whitelist sometime early next year.
The Notice also provides for penalties for violations of any part of the Notice that relates to a specific provision of the NDPA/NDPA (e.g., CAR filing). These liabilities include the NDPC directing the data controller/processor to:
--
Read the original publication at Templars.