The Nigerian Data Protection Commission (the “Commission”) recently published a Guidance Notice (the “Notice”) with respect to the mandatory filing of data protection compliance audit returns (“CARs”) in Nigeria.
CARs are compliance tools intended to promote accountability and transparency in the processing of personal data and to foster a culture of respect for the privacy of data subjects.
It is imperative to note that prior to the enactment of the Nigerian Data Protection Act (the “Act”) in 2023, the Nigerian Data Protection Regulations (NDPR) 2019 (the “Regulations”) were the key legislation in force, and they formed the basis for the obligation of all companies and entities regarded as Data Controllers and Data Processors to file CARs as evidence of full compliance.
The Commission, desiring to give Data Controllers and Data Processors the opportunity to demonstrate accountability and be included on the National Data Protection Adequacy Programme (NaDPAP) whitelist, has provided guidance via the Notice. It should be noted that inclusion on the NaDPAP whitelist is treated as sufficient proof that an organization or entity deemed to be a Data Controller or Data Processor is in compliance with the relevant data protection legislation and standards in Nigeria.
The guidance focuses on six main points which are outlined as follows:
- Reliance on the Regulations for filing of CAR:
The Notice provides much-needed clarity on whether the Regulations still subsist. It provides that Data Controllers and Data Processors should continue to rely on the Regulations, specifically the provisions of Articles 4.1(5) and (7), in order to file CAR with the Commission.
It should be noted that a new cycle of filing CAR will commence in 2024 under the Act and its General Application and Implementation Directive (“GAID”).
- Role of Data Protection Compliance Organisations (DPCOs):
The Notice advises DPCOs to facilitate the filing of CAR with the Commission. This affirms the understanding that all CAR-related filings are to be made with the Commission by DPCOs on behalf of Data Controllers and Data Processors. The filing exercise also gives DPCOs a viable opportunity to provide practical training to the Data Protection Officers (DPOs) of the organizations they represent; evidence of such training will entitle DPOs to Continuous Professional Development (CPD) credit, which is an essential audit parameter under the GAID, scheduled to be issued in the first quarter of 2024.
- CAR Focus Area:
- Compliance Memorandum:
The Notice also provides guidance on the preparation of a compliance memorandum. In complying with the Act, Data Controllers and Data Processors may set out, in an internal memorandum, a time-bound intention (not later than 31 March 2024) to regularize their processing activities. The memorandum should also set out the CAR focus areas and the entity’s compliance mechanism, should be signed by the data protection officer of the Data Controller or Processor, and should be sent to the Commission as part of its CAR compliance.
- Free Induction Training for DPOs:
All DPOs must participate in an induction training to be organized by the Commission in January 2024. Clearly, this again underscores the need for all entities and organizations that are Data Controllers or Data Processors to have a Data Protection Officer (DPO). The training will focus on data subject rights and the compliance obligations of Data Controllers and Processors under the Act.
- Default Fee:
The Notice states that the deadline for filing the 2022 CAR was 15 March 2023 and that a default fee of 50% of the filing fee applies to any organization that failed to meet that deadline. It can therefore be implied that the current CAR filing is for 2022 and not for 2023, and that organizations that have not yet filed their 2022 CAR are liable to pay the default fee stipulated in the Notice.
EFFECT OF NON-COMPLIANCE
Non-compliance with the Notice may amount to a contravention of the Act and, where the non-compliance relates to specific provisions of the Act, the liability prescribed for violating those provisions will apply. The defaulting company or entity and its Directors and Officers may be held liable for the failure to maintain compliance, and the penalty may include monetary fines and prosecution, as appropriate.
All companies and corporate entities that process personal data and can be regarded as Data Controllers or Data Processors are advised to ensure strict adherence to the Notice, as compliance is not only a legal requirement but also a proactive step towards ensuring the security and integrity of their data processing activities. Adherence will ensure that such companies and entities are not penalized for failing to comply with the provisions of the law, and it will also strengthen their corporate governance frameworks and their corporate good standing.
Should you have any questions or require clarification in connection with the foregoing, please contact your Chris Ogunbanjo LP contact.