Following the introduction of the General Application and Implementation Directives (GAID) 2025 by the National Data Protection Commission (NDPC or “the Commission”), certain entities are required to submit Compliance Audit Returns (CAR) annually to demonstrate adherence to Nigeria’s data protection framework. Under the Directives, Data Controllers of Major Importance (DCMI) and Data Processors of Major Importance (DPMI) must file compliance audit returns with the Commission.
Entities established before the 12th of June 2023 are required to submit their CAR on or before the 31st of March yearly. Entities established after that date must submit their first CAR within fifteen (15) months of establishment and subsequently submit it annually. This requirement aims to ensure that organisations processing personal data provide verifiable operational evidence that they comply with the Nigeria Data Protection Act 2023 and have implemented appropriate technical and organisational safeguards to protect personal data.
This newsletter highlights the organisations required to file Compliance Audit Returns, outlines key compliance requirements, and explains the consequences of non-compliance.
Businesses Required to File Compliance Audit Returns
The Commission classifies DCMIs and DPMIs into three major categories, based on the scale of personal data processing:
- Ultra High Level (UHL)
This category includes entities processing the personal data of more than 5,000 data subjects within six months. This includes Commercial banks, Fintechs, Oil and Gas companies, and Multinational companies, etc.
- Extra High Level (EHL)
This category includes entities processing the personal data of more than 1,000 but fewer than 5,000 data subjects within six months. This includes Government MDAs, Universities, and Microfinance Banks.
- Ordinary High Level (OHL)
This category includes entities processing the personal data of more than 200 but fewer than 1,000 data subjects within six months. This includes Primary and Secondary Schools, Hotels and Guest Houses with fewer than 50 suites.
In line with Article 10(14) of the Directives, unless otherwise stated, only businesses within the UHL and EHL categories shall file CAR through a Data Protection Compliance Organisation (DPCO) licensed by the Commission in accordance with the provisions of the NDPA.
Filing Requirements
Pursuant to Article 10(14) of the GAID 2025, organisations classified within the Ultra-High Level (UHL) and Extra-High Level (EHL) categories are required to file their Compliance Audit Returns through a licensed Data Protection Compliance Organisation (DPCO).
| S/N | DCMI/DPMI | TIER | FEE (₦) |
| --- | --- | --- | --- |
| 1. | Ultra-High Level – UHL | 50,000 data subjects and above | 1,000,000 |
| | | 25,000-49,999 data subjects | 750,000 |
| | | Below 25,000 data subjects | 500,000 |
| 2. | Extra-High Level – EHL | 10,000 data subjects and above | 250,000 |
| | | 5,000-2500 data subjects | 200,000 |
| | | Below 2,500 data subjects | 100,000 |
The CAR must:
- Be prepared using the template provided in Schedule 2 of the Directives or any format subsequently prescribed by the Commission.
- Be submitted through a DPCO duly licensed by the NDPC.
- Be filed through the NDPC’s designated electronic platform or portal.
Upon satisfactory review, the Commission may issue a Compliance Audit Returns Certificate to the filing organisation.
Exempt Organisations
It is also pertinent to note that certain types of DCMIs and DPMIs are exempted from making the required filings, as provided in section 44(6) of the NDPA. They are:
- Faith-Based Organisations
- Community-Based Associations
- Foreign Embassies and High Commissions
- Judicial establishments or bodies carrying out adjudicatory functions
- Multigovernmental Organisations
Filing Timelines
The filing timelines are as follows:
For organisations established before 12 June 2023:
- CAR must be filed on or before 31 March each year.
For organisations established after 12 June 2023:
- First CAR must be filed within fifteen (15) months of establishment, and annually thereafter.
Failure to comply with these timelines may expose organisations to regulatory penalties.
Effect of Non-Compliance
Failure to comply with the CAR filing requirement may attract sanctions under the NDPA. These include:
For late filing
- Payment of the applicable filing fee; and
- An additional administrative penalty of up to 50% of the filing fee.
For failure to file
- Administrative fines of up to ₦10,000,000 or 2% of the organisation’s annual gross revenue for the preceding financial year, whichever is higher.
Compliance Benefits
Organisations that complete the filing process may be listed on the National Data Protection Adequacy Programme Whitelist (NDPAP) maintained by the Commission.






