
The DPCO's Guide to Audit Season

Fiyinfoluwa Oluwole

Audit Season Has Arrived

Audit season is not coming, it is here. Every business that processes personal data must submit their Compliance Audit Report (CAR) or register their business before the 31st of March.

For many businesses, this period triggers stress and uncertainty because it involves strict regulatory requirements, detailed documentation, and the risk of penalties, but with proper preparation, it does not have to be.

Whether your business is classified as Major Data Processing Ultra High Level (MDP UHL), Extra High Level (MDP EHL), or Ordinary High Level (MDP OHL), there are clear regulatory requirements you must meet. Missing the deadline can result in penalties, operational disruption, and reputational risk.

This guide breaks down exactly what organizations need to know, not based on theory, but on real insights from a DPCO that supports businesses through audits, CAR submissions, registrations, and implementation. By understanding your obligations, recognizing common compliance gaps, and following proven steps, you can enter audit season with confidence rather than anxiety.

Are You Required to Submit a CAR?

Before you panic, let's answer the most important question first: Do you need to submit a Compliance Audit Report this year?

The answer depends entirely on which tier your organization is classified under. Think of it like tax brackets: where you fall determines what is required of you.

Here's the breakdown:

Tier: MDP UHL (Ultra High Level)
Who this includes: Commercial banks operating at national or regional level, telecommunication companies, insurance companies, multinational companies, electricity distribution companies, oil and gas companies, public social media app developers and proprietors, public e-mail app developers and proprietors, communication devices manufacturers, payment gateway service providers, fintechs and any organization that processes personal data of over 5,000 data subjects within six (6) months.
Annual CAR requirement: Mandatory

Tier: MDP EHL (Extra High Level)
Who this includes: Ministries, Departments and Agencies (MDAs) of Government, microfinance banks, higher institutions, hospitals providing tertiary or secondary medical services, mortgage banks and any organization that processes personal data of over 1,000 data subjects but less than Five Thousand (5,000) within six (6) months.
Annual CAR requirement: Mandatory

Tier: MDP OHL (Ordinary High Level)
Who this includes: Primary and secondary schools, corporate training service providers, primary health centers, independent medical laboratories, hotels and guest houses with less than fifty (50) suites, processors who process sensitive personal data of more than Two Hundred (200) data subjects for commercial purposes and any organization that processes personal data of over 200 data subjects but less than 1,000 within six (6) months.
Annual CAR requirement: Exempt from the annual CAR, but must register annually to confirm ongoing compliance and stay audit-ready


What the NDPC Actually Audits

Now that you know whether you need to file a CAR, let’s look at what the NDPC is evaluating when you submit one. The new General Application and Implementation Directive (GAID 2025) and its Compliance Audit Return schedule provide practical guidance on the core areas the Commission expects to see evidence of compliance.

  1. People and Governance: This part focuses on whether data protection is treated as a real responsibility or just an afterthought. The NDPC looks at who is responsible for data protection in your organization and how compliance is managed day to day. They check that a properly appointed Data Protection Officer is in place and meets the minimum requirements, including valid registration details, relevant credentials, and evidence of appropriate training or certification. They also look for clear responsibilities, regular staff training, and policies that are followed, not documents created only for audit season.

  2. Technology (Data Security Controls and Standards): This looks at how well personal data is protected in your systems. The focus here is not on fancy tools but on whether reasonable and appropriate security measures are in place, such as access controls and incident response plans, and whether there is real evidence that data security is taken seriously.

  3. Accountability and Basic Risk Evaluation: This examines if you understand the risks created by your data processing activities. The NDPC expects to see that data protection risks are identified, documented, assessed, monitored, and mitigated, especially where processing could affect individuals in meaningful ways. It simply shows whether your organization takes responsibility for the consequences of how it uses personal data.

  4. Cross-Border Data Transfer: If your organization sends personal data outside Nigeria, the NDPC wants to know where it goes, why it is transferred, and what safeguards are in place to protect such data. Many organizations overlook this area, especially when using cloud platforms and international tools.

  5. Data Processors: Finally, the NDPC reviews how you manage third parties that process personal data on your behalf. This includes having proper agreements in place and ensuring vendors meet required data protection standards. Responsibility does not end when data is shared with a processor. You remain accountable.

Together, these five parts form the backbone of the CAR under the GAID. The CAR is designed to answer one core question: Is data protection built into how your organization operates, or is it just something you talk about once a year? The five parts work together to give the NDPC a full picture of your people, systems, risks, and third-party relationships.

This is why preparation matters. When these areas are addressed early, CAR submission becomes straightforward. When they are ignored, audit season becomes stressful very quickly.


Compliance Gaps We See in Most Organizations

After reviewing CAR submissions year after year, certain issues keep coming up and most organizations simply underestimate them.

  1. Many organizations have policies on paper, but they are not followed in practice. Staff often do not know where these policies are stored or how to apply them in their day-to-day work, making compliance more of a formality than a living process.

  2. The Data Protection Officer role exists in name only in some companies. Responsibilities are unclear, decisions are not documented, and data protection is treated as an IT issue rather than an organization-wide responsibility. Semi-annual internal audits or checks are rarely performed, leaving gaps unaddressed until an audit forces action.

  3. Security measures are implemented inconsistently and often without documentation, so their effectiveness cannot be verified. Incident response plans exist but are rarely tested or updated, putting organizations at risk if a breach occurs. Risk assessments and Data Protection Impact Assessments (DPIAs) are frequently skipped before launching new projects or products, leaving potential privacy risks unchecked.

  4. Records of Processing Activities (ROPA) are missing or incomplete in many organizations. Lawful bases for processing personal data are also often unclear or undocumented, which can raise serious compliance concerns during an audit.

  5. Third-party management is another common gap. Vendors and cloud providers are trusted without verification; contracts with processors are incomplete or missing, and oversight of third-party compliance is inconsistent or absent.

  6. Cross-border data transfers are often overlooked. Personal data may be sent or stored outside Nigeria without proper safeguards, written agreements, or documented legal justification, exposing organizations to regulatory scrutiny.

Conclusion: Get Ready and Stay Compliant

Audit season doesn’t have to be stressful, but it does require preparation and a clear understanding of what the law and the NDPC expect. Whether you’re figuring out if you need to submit a CAR or register, preparing documentation, or strengthening internal practices, the earlier you start, the smoother the process will be.

We are a licensed Data Protection Compliance Organization (DPCO), and we are here to help every step of the way. From registrations and CAR submissions to implementing your compliance programs, we will hold your hand through your entire data protection journey so you can navigate audit season with confidence and peace of mind. Contact us today at tcs@prioclen.cc to get started and ensure your organization is fully audit ready.
