How To File Your Data Protection Compliance Audit Returns in Nigeria
In accordance with the Nigeria Data Protection Act (NDP Act) 2023, the filing of Data Protection Compliance Audit Returns (CAR) is a mandatory obligation for both data controllers and data processors, as stipulated in the Nigeria Data Protection Regulation (NDPR) 2019. This comprehensive guide aims to provide a step-by-step approach for filing these returns, promoting transparency, and ensuring accountability in the processing of personal data.
1. Reliance on NDPR for Filing of CAR
Data Controllers and Data Processors are advised to rely on Articles 4.1(5) and (7) of the NDPR to submit CAR to the Nigeria Data Protection Commission (the Commission). It is crucial to note that the NDPR remains applicable, subject to any overriding provisions of the NDP Act or regulatory instruments issued pursuant to it.
2. The Role of Data Protection Compliance Organizations (DPCOs)
a) DPCOs are instrumental in facilitating the filing of CAR with the Commission, minimizing financial constraints for Data Controllers and Data Processors.
b) DPCOs may, under certain circumstances, engage in CAR work as a Corporate Social Responsibility (CSR), particularly for start-ups, non-profit organizations, and low-revenue entities, emphasizing the promotion of voluntary compliance.
c) CAR serves as an opportunity for practical training of designated Data Protection Officers (DPOs) and staff members, with evidence of training earning CPD credits.
d) DPCOs are responsible for disseminating this Guidance Notice to their clients or prospective clients.
3. CAR Focus Areas
a) The audit report should emphasize the following:
i. Awareness
ii. Capacity Building
iii. Privacy Policy
iv. Compliance Directives to Employees, Contractors, Agents, etc.
v. Availability of Data Protection Officers
vi. Categories of Personal Data being processed
vii. Technical Measures for ensuring Confidentiality, Integrity, and Availability of Personal Data
viii. Grievance Redress Mechanism
ix. List of agents or contractors engaged for data processing and their compliance with the NDP Act.
b) For the year 2022, agents or contractors should provide details of their Technical and Organizational Measures (TOM) for data protection in the Digital TOM form provided by the Commission.
4. Compliance Memorandum
a) Data controllers or processors may outline a time-bound intention to regularize data processing activities in line with the NDP Act in a Memorandum.
b) The Memorandum, signed by the designated DPO, should be submitted to the Commission as part of the CAR, with a time-bound intention not later than March 31, 2024.
5. Free Induction Training for Designated DPOs
a) Designated DPOs are required to participate in an induction training organized by the Commission in January 2024.
b) The training will focus on data subjects’ rights and the compliance obligations of data controllers and processors under the NDP Act and its General Application and Implementation Directive (GAID).
6. Default Fee
The deadline for filing under the NDP Act and the NDPR is March. The applicable date for the 2022 CAR under this Guidance is March 15, 2023. A default fee, amounting to 50% of the filing fee, applies if a data controller fails to file on or before the deadline.
Effect of Non-Compliance
Failure to comply with this Guidance Notice may lead to enforcement orders or sanctions under the NDP Act, including penalties or remedial fees, depending on the severity of the violation.
For detailed liabilities and enforcement procedures, refer to Sections 48 and 32 of the Nigeria Data Protection Act.
Rating Compliance Metrics in the National Data Protection Programme (NaDPAP) Whitelist
| S/N | METRICS | NDP ACT SECTIONS | POINTS |
|---|---|---|---|
| 1 | Verifiable Evidence of Conformity with Data Protection Principles and Lawful Basis (Privacy Policies and Notices, Consent forms, Visitors Book, audio-visual evidence of compliant data processing, etc. may be used) | 24 & 25 | 15 |
| 2 | Accountability and Prompt Responsiveness to Regulatory Processes (Timely filing of CAR, Resolution of Complaints, Registration and Data Subject Access Requests are focal areas) | 24, 6(d), 24(3) & 61(2)(g) | 15 |
| 3 | Sensitization of Data Subjects on Data Subjects' Rights | 27 & 34-38 | 10 |
| 4 | Appointment of a Verifiably Competent DPO | 32 | 5 |
| 5 | Engagement of a DPCO | 33 | 5 |
| 6 | Filing of Compliance Audit Returns | 6(d) & 61(2)(g) | 10 |
| 7 | Data Privacy Impact Assessment | 28 | 10 |
| 8 | Accessible and Functional Internal Remediation Mechanism | 40(8) | 10 |
| 9 | Globally Acceptable Information Security Certifications (Privacy by design is pivotal) | 24(2) & 39 | 10 |
| 10 | Continuous Awareness / Capacity Building Programme for Staff, Contractors, Licensees, etc. (This is in furtherance of the overall objectives of the Act) | 1 | 10 |
| | TOTAL | | 100 |
Clarification on NaDPAP Whitelist: A Tool for Accountability
The NaDPAP Whitelist serves as a vital instrument for accountability, distinguishing itself from an immunity list or a shield against data subject complaints.
- Not an Immunity List or Shield: The Whitelist should not be misconstrued as conferring immunity or acting as a shield against data subject complaints.
- Functional Data Repository: It functions as a comprehensive repository of data controllers and processors, providing a clear overview of entities involved in data processing activities.
- Rebuttable Presumption of Commitment: Inclusion in the Whitelist creates a rebuttable presumption. It is understood that a data controller or processor on the list is committed to implementing robust technical and organizational measures to safeguard the rights of data subjects.