Data Protection Audit for 2020 Financial Year – How Compliant is Your Organisation?

KPMG NG Regulatory Alert: Issue No. 1.8 | January 2021

Data Protection Audit for 2020 Financial Year – How Compliant is Your Organisation?

Regulatory Alert

On 25 January 2019, the National Information Technology Development Agency (NITDA or “the Agency”) issued the Nigeria Data Protection Regulation (NDPR or “the Regulation”) which provides guidelines for the use of personal data collected and/or processed by organizations. Specifically, the NDPR requires all public and private organizations in Nigeria that control data of natural persons to publicise their respective Data Protection Policies. In addition, all Data Controllers and Processors who collect and process more than 2,000 data subjects within a 12-month period must conduct an independent Data Protection Audit (DPA) and file their DPA reports with the Agency, not later than 15 March of the following year.

Based on the above, companies who collected and/or processed data from January to December 2020 have until 15 March 2021 to submit their DPA reports to the NITDA. Failure to file the DPA report within the statutory timeline may attract a fine of up to 2% of a company’s annual gross revenue for the preceding year.

Only licensed Data Protection Compliance Organizations (“DPCO”) can perform the independent DPA, in line with the provisions of the Regulation. The DPA will, amongst other things, assess an organisation’s compliance with the requirements of the NDPR across various areas, including data protection governance, policies and processes, information systems security and controls over personal data.

The following compliance steps are recommended for Data Controllers who have:

  • filed their initial Data Protection Audit Report
  1. Assess remediation status of compliance gaps noted from initial audit
  2. Develop roadmap for remediation of existing compliance gaps and execute accordingly
  3. Perform annual data audit and file report with NITDA before 15 March 2021
  • not filed their initial Data Protection Audit Report
  1. Immediately engage a DPCO to commence initial Data Protection Audit
  2. Remediate quick-wins to improve compliance posture
  3. File annual report with NITDA before 15 March 2021

KPMG is licensed by NITDA as a DPCO, and can assist your organization to achieve compliance with the NDPR through the following services:

• Compliance audit and report filing
• Remediation support
• Training and capacity development
• Data Protection Impact Assessment
• Implementation of technology solutions to improve your maturity in privacy management

For further enquiries on the above, please contact:

Ajibola Olomola John Anyanwu
Partner, Tax Regulatory & People Services Partner, Technology Advisory
T: +234 803 402 1039    T: +234 803 975 4061
E:   E:

© 2023 KPMG Professional Services, a partnership registered in Nigeria and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit

Connect with us