In today’s digital economy, data is not just a business asset; it can become a liability if mishandled.
Nigerian organizations are becoming aware that data protection is not just about locking files; it is about proving compliance. Under the Nigeria Data Protection Act, organizations must now file annual audits showing how they manage personal data.
A Data Protection Audit is a systematic investigation or examination of the privacy and data protection practices, processes, and procedures of Data Controllers and Processors to ensure compliance with the Nigeria Data Protection Regulation (NDPR) and the organization’s own data protection policies.
The Nigeria Data Protection Regulation 2019 (NDPR) requires organizations processing the personal data of Nigerian citizens and residents to conduct a detailed audit of their privacy and data protection practices at inception and thereafter on an annual basis.
This article explains the essentials of the Data Protection Audit in Nigeria, including what needs to be filed, when it must be filed, and who is responsible for compliance.
Content of a Data Protection Audit
The NDPR, in its Regulation 4.1(5), prescribes that a detailed data protection audit shall include the following:
- Personal Data Collection: Types of personally identifiable information collected from employees and the public.
- Data Purpose and Notice: Purposes for collecting personal data and notices provided to individuals about data collection and use.
- Individual Access and Control: Mechanisms for individuals to review, amend, correct, supplement, or delete their personal data.
- Consent and Opt-out: Methods for obtaining consent and allowing individuals to opt out of data collection, use, transfer, or disclosure.
- Data Security: Policies and practices for protecting personal data.
- Data Use and Handling: Policies and practices for proper use and handling of personal data.
- Privacy and Data Protection Policies: Organization-wide policies and procedures for privacy and data protection.
- Monitoring and Reporting: Procedures for monitoring and reporting violations of privacy and data protection policies.
- Technology Impact Assessment: Policies and procedures for assessing the impact of new technologies on privacy and security policies.
Organizations Required to File Data Protection Audit and When to File
Regulation 4.1 (6 & 7) of the NDPR provides that:
- A Data Controller processing the personal data of more than 1,000 individuals in six months, or more than 2,000 individuals in twelve months, must submit a summary of its data protection audit to the Nigeria Data Protection Bureau (NDPB) by 15th March of the following year.
- Only Data Protection Compliance Organizations (DPCOs) licensed by the NDPB are permitted to carry out data protection audits on behalf of data controllers.
Penalties for Failure to File
Failure to file a data protection audit incurs the following penalties:
- Data Controllers dealing with more than 10,000 Data Subjects: Pay 2% of annual gross revenue of the preceding year or ₦10 million, whichever is greater.
- Data Controllers dealing with fewer than 10,000 Data Subjects: Pay 1% of annual gross revenue of the preceding year or ₦2 million, whichever is greater.
Conclusion
Conducting a Data Protection Audit is not only a regulatory requirement but also a key practice in fostering accountability and transparency in data management.
By ensuring compliance with established data protection standards, organizations can minimize risks, enhance their data security frameworks, and avoid penalties.
Filing Timeframe: The Data Protection Audit must be filed no later than 15th March every year.
Do You Need an Expert in Conducting Your Data Protection Audit?
Conducting a Data Protection Audit requires expert guidance. With years of experience in data privacy, regulatory compliance, and audit reporting, we make the process seamless so you can focus on managing your business.
Visit: www.tcorporatelegaladvisory.com
Email: info@tcorporatelegaladvisory.com
Tel: 08062348867, 09080119975, 09080119980
Disclaimer
This publication has been prepared for general guidance on matters of interest only and does not constitute professional advice. You should not act upon the information without obtaining specific professional advice. For specific legal advice, contact us.
WRITTEN BY:
OGHENEYOMA E. IBUJE LL.B, BL, ACIS
NWOKOCHA ANNASTECIA CHIDINMA, LL.B
TCORPORATE LEGAL ADVISORY




