INTRODUCTION
In exercise of its powers to issue guidelines on compliance with the Nigerian Data Protection Act 2023 (NDPA) the Nigerian Data Protection Commission (NDPC) issued a Guidance Notice on the filing of Data Privacy Compliance Audit Returns (CAR). This notice was issued given the new cycle of CAR filing that commenced in 2024 under the NDPA and its General Application and Implementation Directive (GAID). The notice is aimed at enhancing transparency, accountability, and the safeguarding of data subjects within the operations of data controllers and processors during the processing of personal data.
The Guidance Notice pertinently lays out the audit compliance obligations for data controllers and processors which is underscored by the relevant provisions of the subsisting Nigeria Data Protection Regulation (NDPR), requiring data protection audits from data processing organizations. Under the NDPR, the minimum coverage of the audits must include the personal information collected from employees and the public and the purpose for such collection, data collection notices, access given to individuals to manage their information, consent procedures, and the organization’s policies and practices for data security.
This article examines the key points from this notice as follows:
1. LEGAL REQUIREMENT TO FILE CAR
The obligation for data controllers and processors to file CAR derives from the provisions of the Nigeria Data Protection Regulation 2019 which subsists subject to any overriding provisions of the NDPA, or instruments issued pursuant to the NDPA. In determining the data processing threshold for data controllers mandated to comply with the audit requirements, the NDPR provides that a data controller processing the personal data of more than 1,000 data subjects within 6 months or 2,000 data subjects within 12 months will fall under the category of organizations required to submit annual data protection audits. The filing of CAR must be done on an annual basis and submitted to the Commission before the March 15th of every year. Failure to file within the March 15th deadline will incur default fees worth 50% of the filing fees for the year of non-compliance.
In filing the CAR, data controllers and processors are required to focus on some of the following areas, awareness, capacity Building, privacy policy, availability of Data Protection Officers, technical measures for ensuring confidentiality, integrity, and availability of Personal Data (with a focus on privacy by design and by default), amongst others.
2. ROLES OF DATA PROTECTION COMPLIANCE ORGANIZATIONS (DPCOS)
The role of Data Protection Compliance Organizations (DPCOs) is multifaceted and pivotal in ensuring streamlined compliance with data protection regulations. The collaborative role they play in facilitating compliance is underlined by the NDPA, which provides for the licensing of entities with data protection expertise to serve as DPCOs. Their roles under the notice include.
Facilitating Compliance: DPCOs are required to ease the process of filing CAR with the Commission, reducing financial burdens for Data Controllers and Data Processors.
Corporate Social Responsibility: In specific cases, DPCOs may extend their services as a Corporate Social Responsibility (CSR), particularly aiding start-ups, not-for-profit organizations, and low-revenue entities, fostering a culture of voluntary compliance.
Training Opportunity: DPCOs are to treat CARs as a valuable avenue for the practical training of designated Data Protection Officers (DPOs) and other staff members, enhancing their proficiency in compliance practices.
Information Dissemination: DPCOs are tasked with disseminating the Guidance Notice to their clients or potential clients, ensuring awareness and understanding of compliance expectations.
The roles of a DPCO are essential and their services must be employed to comply with the mandatory requirements of the notice.
3. COMPLIANCE MEMORANDUM
The Compliance Memorandum serves as a formal declaration by a data controller or processor, outlining a time-bound commitment to align their data processing practices with the NDPA. The memorandum, which is signed by the designated Data Protection Officer (DPO), must encompass the CAR focus areas and be included as part of the CAR filed with the Commission.
4. COMPLIANCE METRICS FOR NATIONAL DATA PROTECTION ADEQUACY PROGRAMME (NADPAP) WHITELIST INCLUSION
The NDPC by this notice desires to afford data controllers and processors the opportunity to exhibit accountability and transparency and be included in the NaDPAP Whitelist in line with the set-out compliance metrics which a data controller or processor must satisfy. Some of the metrics include;
I. Verifiable evidence of conformity with data protection principles and lawful basis
II. Accountability and prompt responsiveness regulatory processes
III. Sensitization of data subjects on their rights
IV. Appointment of a verifiably competent DPO
V. Engagement of a DPCO
VI. Data privacy impact assessment
It is noteworthy that the Whitelist only creates a rebuttable presumption that those on the list are dedicated to implementing sufficient technical and organizational measures to protect data subjects’ rights. It does not constitute immunity against data subjects’ complaints, and penalties imposed for the violation of its obligations under the NDPA or breach of data subjects’ rights.
5. EFFECT OF NON-COMPLIANCE
Complementing the enforcement powers of the Commission under the NDPA, the notice cites the liabilities against violators for non-compliance with the notice as captured in Section 48 of the NDPA. Under the provision, the Commission is empowered to issue enforcement orders or impose sanctions against defaulting data controllers and processors including an order to compensate a data subject who has suffered loss due to the violation, rendering of accounts on profits made on the violation, payment of penalty or remedial fee, among others.
CONCLUSION
Adhering to the stipulations outlined in this recently issued notice is crucial as failure may to dos attracts heavy penalties such as payment of the late filing penalty fees which organizations filing as of today will be liable to pay. We recognize the complexities associated with CAR, and we commit to keeping you informed of any forthcoming updates. Should you have any inquiries or require further clarification, please do not hesitate to contact us through the provided key contacts below:
CONTACT PERSONS
Temiloluwa Dosumu (CIPP/E)
Senior Associate
Temiloluwa.dosumu@famsvillesolicitors.com
Rachael Olayemi (CIPP/E)
Associate
Rachael.olayemi@famsvillesolicitors.com
