Every major business processing Nigerian personal data has 18 days to file its mandatory annual compliance audit return with the Nigeria Data Protection Commission. The deadline is non-negotiable. The precedent for what happens when you miss it is on the record.
On March 31, 2026, the Nigeria Data Protection Commission (NDPC) closes the window for Data Controllers and Processors of Major Importance — known as DCPMIs — to file their 2026 Compliance Audit Returns (CARs). Miss the deadline and a company faces a 50 percent surcharge on its filing fees. Fail to file at all and the exposure climbs sharply: ₦10 million or two percent of annual gross revenue from the preceding financial year, whichever is greater.
For a mid-size Nigerian fintech generating ₦2 billion in annual revenue, two percent means ₦40 million in potential liability. For a multinational bank or telecoms group, the arithmetic is considerably worse.
What Is a Compliance Audit Return?
The CAR requirement derives from Section 44 of the Nigeria Data Protection Act (NDPA) 2023, operationalised through the NDPC’s General Application and Implementation Directive (GAID), issued in mid-2025. Together, they create a structured annual compliance cycle for organisations that process the personal data of Nigerian residents at scale.
The NDPC classifies DCPMIs into two filing tiers under the GAID 2025:
Ultra-High Level (UHL): Organisations operating in strategically designated sectors — including banking, telecommunications, insurance, oil and gas, fintech, and payment gateway operators. UHL classification is sector-driven, though annual fees are graduated by data subject volume.
Extra-High Level (EHL): Organisations that process the personal data of more than 1,000 data subjects within any six-month period, regardless of sector. EHL is the volume-based tier and captures a wide range of digital businesses that may not fall within the UHL strategic-sector list.
Both tiers must file by March 31, 2026. The CAR must be submitted through the NDPC’s online compliance portal — and critically, it cannot be filed directly by the organisation itself. It must go through a licensed Data Protection Compliance Organisation (DPCO), a class of accredited intermediary created under the NDPA framework.
The Fee Schedule
The NDPC introduced a revised fee structure for the 2026 audit cycle. Companies that have not yet retained a licensed DPCO and budgeted for filing fees are running out of time.
UHL filing fees:
- 50,000+ data subjects: ₦1,000,000
- 25,000–49,999 data subjects: ₦750,000
- Below 25,000 data subjects: ₦500,000
EHL filing fees:
- 10,000+ data subjects: ₦250,000
- 2,500–9,999 data subjects: ₦200,000
- Below 2,500 data subjects: ₦100,000
Late filing — meaning submission after March 31 — triggers an administrative surcharge of up to 50 percent of the applicable filing fee, on top of the base amount.
The MultiChoice Signal
Businesses tempted to treat data protection compliance as a low-priority checkbox should revisit July 2025. The NDPC levied a ₦766.2 million fine on MultiChoice Nigeria — the operator of DStv and GOtv — following an investigation that found the company had conducted illegal cross-border transfers of Nigerian subscriber data and engaged in data processing the Commission described as “intrusive, unfair, unnecessary and disproportionate.”
The investigation began in Q2 2024. MultiChoice’s proposed remedial measures were rejected as unsatisfactory. The Commission then directed an investigation into every data collection channel the company operates in Nigeria.
The MultiChoice case established three things. First, the NDPC will investigate. Second, it will fine. Third, remedial measures submitted after the fact do not automatically reduce exposure — the Commission makes its own assessment of their adequacy.
The NDPC has now concluded 246 investigations into data protection and privacy breaches across multiple sectors. The 2026 audit season, the Commission has made clear, will bring stricter oversight and more rigorous enforcement than prior cycles.
AI Processing Is Now In Scope
In a development with direct relevance to the CAR filing, the NDPC joined 60 global data protection authorities on March 4, 2026 in endorsing a joint statement on AI-generated imagery and the protection of privacy. More substantively, the NDPC’s National Commissioner has directed that Compliance Audit Returns will now serve as a benchmark for assessing the responsible use of artificial intelligence in data processing activities.
This means DCPMIs deploying AI systems — automated loan decisioning, facial recognition, predictive analytics, personalised advertising — must demonstrate within their CAR submissions that those systems comply with the NDPA’s data minimisation, purpose limitation, and consent requirements.
The directive effectively extends the CAR from a retrospective compliance document into a forward-looking AI governance instrument. Companies using third-party AI tools to process Nigerian data need to audit those integrations before filing.
Who Must File — and Who Thinks They Don’t Have To
The DCPMI designation catches a wide range of organisations:
- Financial services: Banks, microfinance institutions, insurance companies, payment service providers, fintechs, crypto asset service providers
- Telecoms: Mobile network operators, internet service providers
- Digital platforms: E-commerce marketplaces, social media platforms, streaming services, ride-hailing apps
- Healthcare: Hospital groups, health insurance platforms, healthtech firms
- Human resources: Payroll processors, recruitment platforms, workforce management systems
Crucially, the NDPA has extraterritorial reach. Any organisation, wherever incorporated, that processes the personal data of persons resident in Nigeria falls within the Act’s scope — subject to a proportionality test based on the scale and nature of processing. Non-Nigerian companies operating digital services in the Nigerian market should not assume the March 31 deadline does not apply to them.
Nigeria’s Data Protection Economy
The scale of what the NDPC is now overseeing is significant. The Commission confirmed in February 2026 that Nigeria’s data protection compliance industry is now valued at ₦16.2 billion — a figure that encompasses licensed DPCOs, legal advisory practices, and compliance technology providers.
That number reflects both the size of the regulatory compliance burden and the commercial infrastructure that has grown up around it. For businesses that have not yet engaged a licensed DPCO, the pool of available providers is deep — but lead times are tightening as the March 31 deadline approaches.
Five Steps Before March 31
1. Confirm your DCPMI classification. Determine whether your organisation meets the UHL or EHL threshold. If you process data for a Nigerian user base at any meaningful scale, you likely qualify.
2. Retain a licensed DPCO. The filing cannot be submitted without one. The NDPC publishes a registry of licensed DPCOs on its website. Begin engagement immediately — demand is high as the deadline approaches.
3. Conduct or update your internal data audit. A CAR requires an accurate inventory of data categories processed, legal bases relied upon, data retention schedules, and cross-border transfer arrangements.
4. Document AI data processing. If your organisation uses AI or automated systems to process personal data, prepare documentation showing that those systems comply with NDPA principles. This is now an explicit component of the compliance assessment.
5. File by March 28. Build a three-day buffer before the formal deadline. Portal congestion typically spikes in the final 48 hours of a major compliance window.
The Broader Context
Nigeria’s NDPC is three years into the enforcement lifecycle that began with the enactment of the NDPA 2023 — and it is now operating with the institutional confidence that comes from having concluded hundreds of investigations and levied significant penalties. The 2026 audit cycle is not the beginning of Nigeria’s data protection enforcement era. It is, by the Commission’s own signals, an escalation of it.
For businesses operating in what is already the continent’s largest consumer market, the March 31 deadline is not a soft administrative target. It is a hard compliance threshold with real financial consequences.
The clock is running.
BETAR.africa covers technology policy and regulation across all 54 African nations. This article is for business intelligence purposes and does not constitute legal advice. Companies should seek guidance from a licensed DPCO or qualified legal counsel.
UphivaBETAR
