Newsletters

M.J. Numa & Partners LLP Regulatory Notice

COMPLIANCE ALERT: NDPA EXTENDS COMPLIANCE DEADLINE

What Your Organisation Must Do Before May 30th, 2026
A notice to all data controllers and processors operating under the Nigeria Data Protection Act 2023.

The Nigeria Data Protection Commission (NDPC) has approved a 60-day extension for the filing of Compliance Audit Returns (CARs) under the Nigeria Data Protection Act 2023 (NDPA). The new deadline is 30th May 2026. If your organisation missed the original 31st March 2026 deadline, this extension is your last clear opportunity to regularise your compliance status before the Commission's full enforcement machinery is brought to bear.

This grace period is not to be taken lightly. The NDPC has, over the past year, demonstrated a decisive shift from advisory engagement to active enforcement, including investigations, compliance orders, and formal administrative penalties issued to organisations across multiple sectors. The extension reflects the Commission's commitment to broader compliance, not a softening of its regulatory resolve.

Who Must File?
Under the NDPA and the General Application and Implementation Directive (GAID) 2025, organisations classified as Data Controllers or Data Processors of Major Importance, specifically those designated as Ultra-High Level (UHL) or Extra-High Level (EHL), are required to file annual CARs with the NDPC. If your organisation processes the personal data of a significant number of individuals, or handles sensitive categories of data, there is a strong likelihood that this obligation applies to you. When in doubt, assume it does and seek confirmation immediately.

What Happens If You Do Not File?
• Penalties for Non-Compliance
• Late Filing Fee
• Up to 50% of the applicable CAR filing fee
• Non-Filing Fine
• 2% of annual gross revenue or ₦10,000,000 — whichever is higher

Additional Exposure
• Regulatory investigation & corrective orders
• Reputational Risk
• Public regulatory action & commercial impact

Beyond the financial penalties, the NDPC has the power to restrict your organisation’s data processing activities, mandate extensive remedial measures, and publish enforcement actions, all of which carry significant reputational and commercial consequences. Regulatory scrutiny, once triggered, rarely ends at the first fine.

What Does Filing Involve?
A CAR is not merely a paperwork exercise. The audit assesses your organisation’s substantive compliance with the core data protection principles under Section 24 of the NDPA, covering lawfulness of processing, purpose limitation, data minimisation, security safeguards, privacy policies, consent management, and grievance redress mechanisms, among other matters. The return must be filed through a licensed Data Protection Compliance Organisation (DPCO) acting on your behalf via the NDPC's compliance portal. CARs cannot be self-filed.

Steps to Take Right Now
1. Determine whether your organisation qualifies as a Data Controller or Processor of Major Importance (UHL or EHL classification) under the NDPA and GAID 2025.
2. Register with the NDPC if you have not already done so. Registration is a prerequisite for filing.
3. Engage a licensed DPCO immediately to conduct your compliance audit and prepare your CAR for submission.
4. Ensure all data processing activities, privacy policies, and security measures are documented and ready for review during the audit process.
5. File your CAR through the NDPC's compliance portal before 30 May 2026. Do not wait until the final days; processing delays with your DPCO can be costly.

A Word on Proactive Compliance
Organisations that file early and maintain a consistent record of compliance are far better positioned in the event of a data breach, a third-party complaint, or a regulatory inquiry. The NDPC's National Data Protection Adequacy Programme (NaDPAP) Whitelist publicly recognises organisations that demonstrate strong data governance practices, a mark that increasingly carries weight with clients, partners, and investors. Compliance is no longer simply a legal obligation; it is a trust signal in the data-driven economy.

How We Can Help
M.J. Numa & Partners LLP advises organisations on their obligations under the Nigeria Data Protection Act 2023 and the GAID 2025, including CAR filing preparation, DPCO coordination, data protection officer support, and regulatory engagement with the NDPC. If you are unsure of your compliance status or need guidance on meeting the 30th May 2026 deadline, please reach out to our team.

________________________________________ This notice is issued for informational purposes and does not constitute formal legal advice. Organisations are encouraged to seek specific legal counsel regarding their individual compliance obligations.