FAQs on Data Protection Audit and Compliance

Background

As a licensed Data Protection Compliance Organization (DPCO), we are fully equipped to monitor, audit, report, and offer comprehensive data protection compliance services to organizations across various industries. 

We have prepared a set of FAQs to help you better understand our new role and how we can support your organization’s data protection needs and audit compliance.

FAQs on Data Protection Audit and Compliance
  1. Who is a DPCO?

A DPCO is an entity licensed by the Nigeria Data Protection Commission (NDPC or the Commission) to train, audit, consult, and render services and products to ensure compliance with the Nigeria Data Protection Act (NDPA or the Act), National Data Protection Regulation, 2019 (NDPR), and any foreign data protection law and regulation having effect in Nigeria. (see Article 1.3 (xiii) of the NDPR and Section 33 of the NDPA).

  2. What services do we provide as a licensed DPCO?

As a licensed DPCO, Credence now offers a range of data protection services, including data protection audits, NDPC registration, compliance training, gap analysis, policy development, and advisory services, to help organizations in different industries comply with the NDPA and other relevant data protection requirements and laws. (Section 33 of the NDPA).

Part A: Registering with the NDPC as a Data Controller/Processor
  1. What is NDPC Data Controller/Processor Registration?

Nigeria Data Protection Commission registration is the process by which data controllers and data processors of major importance register with the NDPC, as required by the NDPA. Registration is a one-time process under Section 44(1) of the Act.

  2. Who needs to register with the NDPC?

Any organization that is domiciled in, resident in, or operating in Nigeria and that processes or intends to process the personal data of more than 200 data subjects within Nigeria (as the NDPC may prescribe), or that falls within such other class of data controller or processor processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate, is required to register with the NDPC. (Sections 2, 5(d), 32(1), and 65 of the NDPA).

  3. What qualifies as ‘Major Importance’?

An entity qualifies as a data controller or processor of major importance if it processes large volumes of personal data (over 200 data subjects in six months) or handles data critical to the economy, society, or security. This includes organizations in key sectors such as finance, telecommunications, education, electric power, aviation, tourism, healthcare, insurance, oil and gas, and ICT service providers. Entities processing these types of personal data must follow strict data protection standards because of their significant impact on national security, the economy, and society. (See sub-paragraph 1(1)(a)-(c), Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance NDPC/HQ/GN/VOL.02/24, dated 14 February 2024 (“Guidance Notice”)). [1][2]

  4. Who is a Data Controller and who is a Data Processor?

A data controller is an individual, private entity, public commission, agency, or any other organization that determines, either alone or in collaboration with others, the purposes and methods of processing personal data. The data controller is responsible for ensuring that personal data is collected, handled, and used in compliance with applicable data protection laws. A data processor, on the other hand, is an individual, organization, public body, or entity that handles personal data under the instructions of a data controller or another data processor.  (Section 65 of the NDPA).

  5. Do I still need to register if we use a third-party provider to process data?

Yes, your organization is still required to register with the NDPC even if you use a third-party provider to process data. If your organization determines the purposes and means of processing personal data, you are considered a data controller under the NDPA, and data controllers are responsible for ensuring that personal data is processed in compliance with data protection laws, even when processing activities are outsourced to third-party providers (data processors).

  6. What is Personal Data?

This covers any information that directly or indirectly relates to an identified or identifiable natural person, including names, contact details, identification numbers, and more. (Section 65 of the NDPA).

  7. When is the NDPC registration due?

NDPC registration is due within six months after the commencement of the Act or after becoming a data controller or data processor of major importance, whichever applies. All data controllers and processors in existence before June 12, 2024, were required to register with the NDPC by October 31, 2024.[3] Failure to register by the due date is treated as a default under the NDPA and attracts penalties. Consequently, all companies that have not yet registered and engaged a DPCO are expected to do so immediately to ensure compliance. (Section 44(1)-(2)(a)-(h) of the NDPA and sub-paragraph 3(2)-(3) of the Guidance Notice).

  8. Can my organization still register with the NDPC even if we already missed the October 31, 2024, deadline?

Yes, you can still register; however, a late-registration penalty of 50% of the required registration fee is payable in addition to the registration fee itself.

  9. What are the applicable fees payable to the Commission to register as a Data Controller or Processor of Major Importance?

The NDPA empowers the NDPC to prescribe regulatory fees or levies for data controllers and data processors of major importance. In its Guidance Notice, the NDPC sets out the applicable fees based on several factors, including the volume of data processed and the industry in which the data controller or processor operates. Currently, fees range from NGN10,000 to NGN250,000, depending on the classification of the entity. These fees are subject to change at the discretion of the NDPC and do not include the cost of engaging a DPCO for compliance purposes. (Section 45 of the NDPA; sub-paragraph 3(1)(a), (c) and (e) of the Guidance Notice).

  10. Why are Data Controllers and Processors classified, and what are the different categories?

Data controllers and processors are classified so that each meets a level of data protection standards appropriate to the volume and sensitivity of the personal data it handles. The classification tailors regulatory requirements and obligations to the potential risk and impact of a data breach. The NDPC classifies data controllers and processors into three categories: (x) Ultra High Level (MDP-UHL): organizations processing the personal data of over 5,000 data subjects, such as banks, telecoms, tertiary institutions, social media app developers, and multinationals, which are required to abide by global and the highest attainable standards; (y) Extra High Level (MDP-EHL): entities processing the data of over 1,000 data subjects, including government agencies and hospitals, which are generally expected to abide by global best practices in data protection; and (z) Ordinary High Level (MDP-OHL): entities processing the data of over 200 data subjects, such as schools, which are expected to abide by global best practices in data protection. (Sub-paragraph 3 of the Guidance Notice).

Part B: Data Protection Audit
  1. What is a Data Protection Audit?

This is a comprehensive assessment conducted by a licensed DPCO (like Credence) to evaluate an organization’s data processing risks and activities, including how personal data is collected, processed, and shared, in order to confirm that the organization complies with the provisions of the NDPR and other applicable data protection laws. (Section 33 of the NDPR).

  2. Is the NDPR registration different from the Data Protection Audit?

Yes. The NDPR registration is simply a registration requirement that applies to any organization processing or collecting the personal data of at least 200 data subjects, as described in Part A above. In addition to registering, organizations that process the personal data of more than 2,000 data subjects are required to carry out the audit. (Section 4.1(6) of the NDPR).

  3. When should my organization carry out a Data Protection Audit?

The NDPR requires organizations that process the personal data of Nigerian citizens and residents to conduct a detailed audit of their privacy and data protection practices at inception and annually thereafter, on or before March 15, using the services of a licensed DPCO (like Credence). Where a data controller processes the personal data of more than 2,000 data subjects within 12 months, it must submit a summary of its data protection audit to the NDPC not later than 15 March of the following year. (Section 4.1(7) of the NDPR).

  4. Can our in-house personnel conduct the Data Audit?

No, your in-house audit personnel cannot conduct the NDPR compliance audit; this must be conducted by licensed DPCOs. Your in-house personnel can assist with preparatory work (e.g., gathering data, identifying gaps, or conducting internal assessments), but the official audit must be performed by a licensed DPCO (Section 33 of the NDPA).

  5. How can my organization register with the NDPC or prepare for an NDPR Data Protection Audit?

To satisfy the provisions of the NDPA and prepare for an NDPC audit, organizations should engage a DPCO (like Credence) to handle registration, review their data protection policies, and confirm that all data processing activities comply with the applicable data protection laws. (Section 32 of the NDPA).

  6. Will my company be fined if a Data Protection Audit identifies compliance gaps?

The Commission retains its power to address any compliance gaps arising from an audit. In practice, however, the NDPC may require the organization to work with its DPCO to develop and implement a corrective action plan that addresses the identified gaps or risks and brings the organization into full compliance. The purpose of the audit is to highlight areas for improvement. If the gaps are significant and pose risks to data subjects, or if the organization fails to take corrective action after the audit, penalties and fines may be imposed. The NDPC allows organizations to correct issues before taking enforcement action such as fines. Fines and penalties come into play when (x) non-compliance persists and no steps are taken to resolve the issues; (y) data breaches occur through negligence and no preventive measures have been implemented; or (z) intentional non-compliance is discovered, or the organization refuses to engage with the audit or regulatory process. (Section 48 of the NDPA).

  7. What is the fee payable to file the audit with the Commission?

The filing fee for the NDPR audit depends on the number of data subjects an organization processes. Organizations handling fewer than 2,000 data subjects pay a fee of N10,000, while those processing 2,000 or more data subjects pay N20,000. (See Article 6.3 of the Nigeria Data Protection Regulation 2019: Implementation Framework).

Part C: Data Protection Impact Assessments
  1. What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a process designed to identify and evaluate the risks and potential impacts of an organization’s planned processing of personal data. It includes a systematic description of the data processing activities, an assessment of their necessity and proportionality, an analysis of the risks to the rights and freedoms of data subjects, and the implementation of measures to mitigate those risks. It helps ensure that personal data is processed in a way that respects individuals’ privacy rights. In short, it is a structured process used to identify, assess, and mitigate risks associated with the processing of personal data. (Section 28 of the NDPA).

  2. Which organizations are required to conduct a DPIA?

Data controllers engaged in processing activities that are likely to result in a high risk to the rights and freedoms of data subjects are required to conduct a DPIA. Whether processing is high-risk depends on its nature, scope, context, or purposes; examples include organizations launching new projects, apps, or systems that involve personal data, or handling sensitive data (e.g., health, financial, or children’s data).

  3. When should a DPIA be conducted?

A DPIA should be conducted before the processing of personal data if the processing is likely to result in high risks to the rights and freedoms of data subjects. This must be done before starting the data processing activities to identify and mitigate potential risks at the earliest stage. (Section 28 of the NDPA).

  4. How do I assess whether my organization needs to conduct a DPIA?

Your organization should consult a DPCO to evaluate whether the purpose or nature of its data processing activities is likely to result in high risks to the rights and freedoms of data subjects. (Section 28 of the NDPA).

  5. Why does my business need to comply with data protection laws?

It is a regulatory requirement that a data controller implements appropriate measures to ensure the security of personal data in its possession. When a company complies with the regulatory requirements, it safeguards the fundamental rights of data subjects, fulfills its responsibility to protect its customers’ information, and avoids legal penalties. It also ensures that an organization operates within the requirements of the law.

  6. Are there consequences of non-compliance with the NDPA?

Non-compliance with the NDPA can result in penalties of up to 2% of the organization’s annual revenue or 10 million naira (whichever is greater), in addition to any civil action that may be brought by an individual whose personal data the company processes. Non-compliance may also lead to criminal liability. Additionally, non-compliance can damage an organization’s reputation and lead to a loss of customer trust. (Section 48 of the NDPA).

For more information, contact lawyers@credence-law.com


[2] We note that on 22 November 2024, the Federal High Court delivered judgment in the case of Frank Ijege (trading under the name and style of Springfield Law Practice) v. Nigeria Data Protection Commission (Suit No: FHC/KD/CS/34/2024). Because the Court’s ruling nullified certain provisions of the Guidance Notice on the registration of data controllers and data processors of major importance, we are placing our clients on notice pending any review of the Guidance Notice or an appeal by the NDPC. We will continue to monitor developments and provide updates as necessary.

[3] National Data Protection Commission (2024), NDPC Extends the Deadline for the Registration of DCPMIS and restricts DCPMIS from Engaging Unregistered Data Processors.