Here's something that trips up every Nigerian business the first time they try to file a Compliance Audit Return: you can't do it yourself. The NDPC requires you to go through a licensed Data Protection Compliance Organisation. A DPCO.
It feels like an unnecessary middleman. But there's logic to it, and choosing the right one matters more than most businesses realise.
What a DPCO actually is
A DPCO is a company licensed by the Nigeria Data Protection Commission to audit your data protection practices and file your CAR on your behalf. Think of them as an external auditor — but specifically for privacy.
The system works like this: you process personal data, the NDPA says you need to prove you're doing it properly, and the NDPC trusts licensed DPCOs to verify that rather than trying to inspect every organisation in Nigeria directly.
The framework dates back to the NDPR era and carried forward into the NDPA 2023. It's how Nigeria scales data protection oversight without the NDPC needing ten thousand auditors on staff.
What they do
The core job is simple: audit your data processing and file the annual return.
In practice, that means they review what data you collect, how you store it, who has access, what security you have in place, and whether your processing activities have a lawful basis. They check whether you've done your DPIAs, whether your privacy notices exist and are accurate, whether you have DPAs with your processors, and whether your data subject rights process actually functions.
Then they compile everything into the CAR and submit it through the NDPC portal.
Better DPCOs don't stop at identifying gaps — they help you close them. Policy drafting, DPIA support, remediation guidance. If they find your AI system lacks proper documentation, a good DPCO helps you build that documentation rather than just writing "non-compliant" in their report.
Why you can't just self-file
The obvious question. Three reasons:
Independence. NDPC doesn't want you grading your own homework. Fair enough.
Quality baseline. Licensed DPCOs meet NDPC's minimum standards for data protection expertise. In theory, this means every audit meets a certain quality floor. In practice, quality varies — more on that below.
Scale. Nigeria has thousands of organisations processing personal data. The DPCO model distributes the audit workload across the private sector instead of loading it all onto a government agency.
The tradeoff is cost. You're paying a third party for something that, in other jurisdictions, you might handle internally. But it's the system we have.
What they charge
Ballpark, annually:
Small organisations (under 5,000 data subjects): ₦500,000–₦1,500,000 for audit and CAR filing.
Medium (5,000–50,000): ₦1,500,000–₦4,000,000, usually including some remediation guidance.
Large (50,000+): ₦4,000,000–₦10,000,000+. Comprehensive audit programme, potentially multi-site.
That's the DPCO fee. You also pay the NDPC filing fee on top, which varies by your organisation's classification. And this is every year — the CAR is annual.
Some DPCOs bundle ongoing advisory into the fee. Others charge the audit separately and bill advisory by the hour. Ask upfront so you're not surprised.
How to choose
This is where I've seen businesses waste money. They pick the cheapest DPCO, get a generic audit that misses half their actual risks, and then wonder why they're scrambling when the NDPC comes asking questions.
Sector knowledge matters. A DPCO that works with fintechs understands the CBN intersection, the AML data retention requirements, the cross-border transfer patterns with payment processors. A generalist will miss this context.
Technical capability matters even more — especially if you run AI. Your fraud detection pipeline processes data differently from a customer database. Your credit scoring model has explainability requirements that a non-technical auditor won't know to check. If the DPCO can't have a meaningful conversation about your tech stack, their audit will be surface-level.
Filing discipline. The March 31 deadline is the deadline. Late filing attracts up to 50% in additional fees. Some DPCOs start audit work in January and file comfortably by mid-March. Others scramble in the last two weeks. Ask when they'll start and when they commit to filing. Get it in writing.
Clear communication. A 100-page audit report in regulatory jargon is useless if you can't act on it. The report should tell you, in plain language, what's wrong, how serious it is, and what to do about it.
DPCO vs DPO — they're different roles
People confuse these constantly.
Your DPO (Data Protection Officer) handles compliance day-to-day. They manage data subject requests, review new processing activities, oversee breach response, liaise with NDPC on an ongoing basis. The DPO is embedded in your operations.
Your DPCO is an external auditor. They come in once a year (sometimes quarterly for larger organisations), audit your compliance, and file the CAR. The engagement is periodic, not continuous.
You likely need both. The DPO keeps you compliant. The DPCO verifies that compliance independently.
Can the same firm do both? Yes — and for smaller businesses, having one provider act as outsourced DPO and DPCO can be efficient. One relationship, one firm that knows your business. Just be aware that there's an inherent tension: the same people advising you on compliance are also auditing that compliance. It works for SMEs. Larger organisations should probably separate the roles.
If you're running AI systems
AI creates specific audit requirements that most DPCOs are still catching up on:
Your CAR needs to document automated decision-making. If AI makes or influences decisions about individuals, the DPCO should verify you have transparency disclosures, explainability mechanisms, and human review processes in place.
Cross-border transfers through AI APIs need documented safeguards. Every API call to OpenAI, Anthropic, or Google sends data outside Nigeria. The DPCO should check your DPAs and transfer documentation.
Training data usage is processing. If you used personal data to train models, the DPCO should verify the lawful basis and documentation.
A DPCO that doesn't understand AI will either miss these or flag them incorrectly. Both outcomes cost you — either in compliance risk or in unnecessary remediation work.
When to engage
Don't wait until February to find a DPCO for a March 31 filing. Start in December or January. The audit takes time, especially the first year when everything needs to be documented from scratch.
Get quotes from at least two DPCOs. Compare scope, not just price. Ask specifically about AI audit capability, sector experience, and included advisory services. And confirm the filing timeline in writing.
Need help with NDPC compliance and CAR filing? Our NDPA Fintech Compliance Programme covers the full compliance lifecycle — from ₦3,500,000. Not sure where you stand? Start with an NDPA Readiness Diagnostic — ₦500,000.