Deadline Looms: The Importance of Data Protection Audits and The Cost of Non-Compliance


Unlocking Data Protection Compliance by 30th June 2023

The Nigeria Data Protection Regulation 2019 (NDPR) provides that organisations processing personal data must engage the services of a Data Protection Compliance Organisation (DPCO), such as Olisa Agbakoba Legal (OAL), to audit their operations and processes and assess their compliance with the NDPR for the period. Further to this, the Nigeria Data Protection Bureau (NDPB) extended the timeline for filing the 2023 data protection audit report from the statutory deadline of 15th March to 30th June 2023. This article emphasises the importance of conducting a data protection audit and achieving compliance by the deadline, 30th of June 2023.

Generally, organisations are apprehensive about audits. However, audits need not be perceived as daunting or intimidating in any way, nor should they be put off until the very last minute. If approached with ease, an audit can be effectively managed. Data protection audits, like other audits, allow an organisation to assess its level of compliance and identify any areas which may require improvement. They are also an excellent opportunity to determine the suitability of the company's existing processes and procedures, ensure compliance with data protection regulations, and safeguard the privacy and security of personal data. Other than the foregoing, it is crucial to bear in mind that neglecting to conduct an audit can expose the organisation to financial and operational penalties.

In the context of the Nigeria Data Protection Regulation 2019 (NDPR), below are some of the reasons why conducting a data protection audit is of significant importance:

  1. Regulatory Compliance:

    A data protection audit helps organisations assess their compliance with the NDPR. It allows them to identify any gaps or areas of non-compliance and take appropriate measures to rectify them. Demonstrating compliance with data protection regulations is essential to avoid penalties and maintain the trust of customers and stakeholders.

  2. Assessment of risks and internal controls:

    Conducting an audit helps organisations evaluate the effectiveness of their data security measures and identify any vulnerabilities or risks associated with their data processing activities. By examining data protection practices, including data storage, access controls, encryption, and incident response procedures, organisations can ensure that personal data is adequately protected against unauthorised access, loss, or theft and also mitigate potential financial and reputational damages.

  3. Data Inventory:

    A data protection audit involves creating a comprehensive inventory of personal data held by an organisation. This inventory helps organisations understand what personal data they collect, the purpose of collection, how they process it, and with whom they share it. This knowledge is essential for implementing appropriate data protection measures and complying with the NDPR’s data minimisation and purpose limitation principles.

  4. Data Subject Rights:

    An audit allows organisations to assess their processes for handling data subject rights, such as the right to access, rectification, erasure, and objection. It ensures that mechanisms are in place to address data subject requests promptly and in compliance with the NDPR’s requirements. Effective management of data subject rights also contributes to building trust and transparency with individuals whose data is being processed.

  5. Areas of improvement:

    Data audits help an organisation identify any areas in its data processing procedures which may require improvement. The audit also reveals the relevant documents and processes required to reduce the potential risk of data breaches. Some of these documents and processes are a data protection policy, a data breach notification procedure, subject access request forms, Data Protection Impact Assessments (DPIAs), privacy notices and data consent forms.





So what happens if you do not conduct a data audit as mandated by the NDPR?

Failure to conduct the annual data protection audit or file the audit report with the NDPB amounts to a breach of the provisions of the NDPR. Penalties for non-compliance with the NDPR can be severe. The NDPB is empowered to impose a penalty for breach and non-compliance: a fine of 1% of the annual gross revenue of the preceding year or ₦2,000,000 (Two Million Naira), or 2% or ₦10,000,000 (Ten Million Naira), whichever is greater, depending on the number of data subjects.

In summary, the benefits of an audit include but are not limited to the following: helping to raise awareness of data protection within the organisation, improving the organisation’s efficiency in managing personal data, and demonstrating the organisation’s commitment to data protection and the privacy rights of its data subjects.

As data breaches and privacy concerns continue to make headlines, the global appetite for data protection and corporate governance has grown significantly. This trend is driven by increased awareness of the importance of safeguarding data, complying with regulations, building trust, mitigating risks, and positioning organisations as responsible stewards of data in the digital age. Organisations seeking to play in the global field must prioritise compliance with the NDPR and adapt their processes to align with the highest standards of security and privacy in the world. Moreover, foreign businesses demonstrate a distinct preference towards forging partnerships with organisations that diligently adhere to data compliance standards.

Olisa Agbakoba Legal is a licensed DPCO and can assist your organisation with conducting a data protection audit and filing the report with the NDPB, as well as rendering other data protection compliance services.


Yvonne Ezekiel
Esther Odunze