Pamela Victor-Ibutamuno, Associate
The deadline for filing Data Compliance Audit Returns for the year ended 2022 in Nigeria has been extended to 30 June 2023 by the Nigeria Data Protection Bureau (the “NDPB”). This means Data Controllers and Data Processors who have not filed their returns before the regular and statutory deadline of 15 March of every year now have ample time to do so. The deadline extension notice was issued to data protection compliance organizations (DPCOs) on Wednesday 15 March 2023 by the NDPB.
The obligation to file the Data Compliance Audit Returns is by virtue of Article 4.1(7) of the Nigerian Data Protection Regulation 2019 (the “NDPR”).
Statutory Obligation to file annual Data Compliance Audit Returns applies to both Data Controllers and Data Processors or Data Administrators
A “Data Controller” is a person who, either alone, jointly with other persons, or as a statutory body, determines the purposes for and manner in which personal data is processed or is to be processed. This is as defined under Article 1.3(x) of the NDPR. In relation to a Data Controller, a “Data Administrator” is a person or organization that processes data.
Although the NDPR does not expressly define a “data processor”, the term is used interchangeably with “data administrator” under Articles 2.4(b) and 4.1(3) of the NDPR.
Therefore, the scope of the NDPR—and by implication the obligation to file the annual Data Compliance Audit Returns—applies to both Data Controllers and Data Administrators or processors.
What the Data Compliance Audit Returns means and why it is vital
Data Compliance Audit Returns is a legal standard and an obligation imposed on all Data Controllers regardless of the number of data subjects whose personal data are processed. According to Article 4.1(5) of the NDPR, it is “a systematic investigation or examination of the records, processes and procedures of Data Controllers and Processors, to ensure that they are in compliance with the requirements of the NDPR and their data protection policies”.
It is vital that Data Controllers conduct a data protection audit in order to achieve the following goals as outlined in the NDPR:
- Assess the level of compliance with the NDPR;
- Evaluate compliance with the organization’s own data protection policy;
- Identify potential gaps and weaknesses in the organization’s processes; and
- Give requisite advice and/or implement remedial actions for identified gaps.
Amongst other reasons, conducting a data protection audit is vital for Data Controllers in order to avoid the risk of being caught unawares or found wanting. For instance, the NDPR gives NITDA or any other relevant regulatory authority the power to conduct scheduled audits, on-the-spot checks, or special audits to ascertain compliance or identify breaches. So it is best for a Data Controller to be prepared.
Essentially, whenever and wherever proof of NDPR compliance is required by relevant authorities (and even interested parties), the data protection audit serves as the first certifiable public document with probative value.
Sanctions for failure to file Data Compliance Audit Returns
A Data Controller who fails to file Data Compliance Audit Returns as required under the NDPR faces the risk of being sanctioned. Failure to comply is considered a threat to the fundamental right to privacy as enshrined in section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended).
Sanctions may include fines and prosecution by the relevant authority. A defaulting Data Controller may also face legal actions by data subjects for certain breaches.
Consult a law firm or data protection compliance expert for guidance.
Therefore, with NDPB’s extension, Data Controllers and Data Processors must take immediate steps—if they haven’t already started doing so—to conduct their data compliance audit. The Data Compliance Audit Returns must be submitted before the expiration of the new deadline, 30 June 2023. By this extension, the NDPB has provided organizations in Nigeria who come within the scope of the NDPR the opportunity to comply with the applicable regulations.
Effectively, organizations now have an additional 90 days to file their returns. Once returns are filed and approved by the NDPB, the relevant Data Controller or Data Processor will have its name included in the National Data Protection Adequacy Program (NaDPAP) whitelist. Data Controllers and Data Processors should consult qualified experts for necessary assistance.
To conduct a data compliance audit for your organization and prepare relevant documentation for the purpose of filing your Data Compliance Audit Returns, consult a law firm or data protection compliance experts—an area we are happy to be of help—for professional guidance and assistance today.