Understanding the Data Protection Audit Report: A Guide for Companies.

We hope you had a great start to the new year! Over here at Acelera Law, January has been nothing short of amazing. And guess what the highlight of our month is? We turned 5! ??.

It has been five incredible years of growth, hard work, success stories, dedication, and even more work. Over the years, we have evolved into a trusted legal partner for companies, businesses, startups, and individuals. We are deeply grateful for our dedicated team whose commitment drives our success, and our valued clients who continue to place their trust in us. As we celebrate this milestone, we look forward to the next chapter, one filled with even more growth, impact, and success stories.

Speaking of looking forward, the annual data protection audit deadline is fast approaching! If you’ve been a consistent reader of our newsletters, you know how much we emphasize the importance of compliance, and as always, we’re here to keep you informed well in advance. In this edition, we’ll answer all your questions about the annual data audit, why it matters, and everything else you need to ensure a smooth and compliant data protection audit.

Understanding the Data Protection Audit Report.

A data protection audit is a systematic and independent assessment of an organisation's data processing activities (records, processes, and procedures) to determine if it complies with data protection laws, regulations, industry standards, and data policies. The Nigerian Data Protection Act (NDPA) 2023 and the Nigerian Data Protection Regulation (NDPR) 2019 direct data controllers and data processors to conduct the compliance audit within eighteen (18) months of the commencement of business, and thereafter on an annual basis. The audit requirement applies to all organizations that collect and process the personal data of Nigerians.

Who Should File a Data Protection Audit Report?

Any organsiation that processes the personal data of at least 1000 Nigerian citizens or residents within six (6) months or two thousand (2000) Nigerian citizens or residents within a year is required to carry out a data protection audit and file the audit report with the Nigeria Data Protection Commission (NDPC). It is worthy and imperative to note that the NDPC website clearly states that a data protection audit is mandatory for all Data Controllers regardless of the number of data subjects processed.

When Should the Audit be Conducted?

Data controllers and data processors are required to conduct the compliance audit within twelve (12) months of incorporation. All subsequent audits should be conducted annually, not later than March 15th.

Who Should Conduct a Data Protection Audit?

Only Data Protection Compliance Organisations (DPCOs) are authorised to conduct data protection audits. DPCOs are entities licensed by the NDPC to provide training, auditing, consulting, and other services that ensure compliance with Nigeria’s data protection laws and regulations. Organizations required to conduct a data protection audit must engage a DPCO, which will guide them through the process and facilitate the filing.

What Happens if an Organisation Fails to File the Report Before the Deadline?

The NDPC stipulates that failure to file CAR within the March 2024 deadline will result in a default fee of 50% of the filling fee being imposed on the data controller/processor.

Conclusion.

The annual data protection audit ensures that organizations remain accountable for their data practices, identify potential risks, and implement safeguards to enhance security. Failure to comply with data protection requirements can result in severe financial penalties, reputational damage, and legal consequences. More importantly, it can erode public trust, which is invaluable in today’s digital world. By staying ahead of compliance obligations and engaging a licensed Data Protection Compliance Organisation (DPCO), companies can navigate this regulatory requirement with ease.