Understanding the Data Protection Audit: A Guide for Companies
As Nigeria’s digital economy expands, data protection has become a core compliance and governance priority. The Nigerian Data Protection Act (NDPA) 2023 and the Nigerian Data Protection Regulation (NDPR) 2019 require organisations to not only handle personal data responsibly but also demonstrate compliance through periodic data protection audits.
A data protection audit is a mandatory assessment of an organisation’s data processing practices, serving both as a regulatory requirement and a tool for identifying risks and strengthening internal controls. This article outlines the key aspects of the audit framework in Nigeria, including who must file, applicable timelines, the role of Data Protection Compliance Organisations (DPCOs), and the consequences of non-compliance.
Understanding the Data Protection Audit
A data protection audit is a systematic and independent assessment of an organisation's data processing activities (records, processes, and procedures) to determine whether it complies with data protection laws, regulations, industry standards, and data policies. The Nigerian Data Protection Act (NDPA) 2023 and the Nigerian Data Protection Regulation (NDPR) 2019 direct data controllers and data processors to conduct the compliance audit within eighteen (18) months of the commencement of business, and thereafter on an annual basis. The audit requirement applies to all organisations that collect and process the personal data of Nigerians.
Who Should File a Data Protection Audit?
Any organisation that processes the personal data of at least 1000 Nigerian citizens or residents within six (6) months, or two thousand (2000) Nigerian citizens or residents within a year, is required to carry out a data protection audit and file the audit report with the Nigeria Data Protection Commission (NDPC). It is important to note, however, that the NDPC website states that a data protection audit is mandatory for all Data Controllers regardless of the number of data subjects processed.
When Should the Audit be Conducted?
Data controllers and data processors are required to conduct the compliance audit within twelve (12) months of incorporation. All subsequent audits should be conducted annually, not later than 15 March.
Who Should Conduct a Data Protection Audit?
Only Data Protection Compliance Organisations (DPCOs) are authorised to conduct data protection audits. DPCOs are entities licensed by the NDPC to provide training, auditing, consulting, and other services that ensure compliance with Nigeria’s data protection laws and regulations. Organisations required to conduct a data protection audit must engage a DPCO, which will guide them through the process and facilitate the filing.
What Happens if an Organisation Fails to File the Report Before the Deadline?
According to the NDPA, a data processor or controller that fails to file its data audit report before the deadline attracts penalties of up to 2% of the annual gross revenue of the erring organisation or N10,000,000 (whichever is greater), and/or risks civil action brought by individuals whose personal data the organisation processes, as well as criminal or other administrative sanctions.
Conclusion
The annual data protection audit ensures that organisations remain accountable for their data practices, identify potential risks, and implement safeguards to enhance security. Failure to comply with data protection requirements can result in severe financial penalties, reputational damage, and legal consequences. More importantly, it can erode public trust, which is invaluable in today’s digital world. By staying ahead of compliance obligations and engaging a licensed Data Protection Compliance Organisation (DPCO), companies can navigate this regulatory requirement with ease.
