The March 31 deadline has passed. If you haven't filed your Compliance Audit Return, you're already late — but filing late is still better than not filing at all.
I keep seeing the same confusion from Nigerian businesses about this filing. So let me walk through what the CAR actually is, who has to file it, and what you're supposed to put in it. No filler.
What the CAR is
The NDPC requires an annual filing from organisations that process personal data at scale. They call it the Compliance Audit Return. It's basically your organisation telling the regulator: here's what data we hold, here's why we hold it, here's how we protect it.
It replaced the old NDPR audit framework. Same idea, updated for the Nigeria Data Protection Act 2023.
You can't file it yourself. It goes through a licensed Data Protection Compliance Organisation (DPCO). That's a mandatory intermediary — think of them as your compliance auditor for this specific filing.
Do you need to file?
Probably. The threshold is lower than most people think.
You qualify as a "data controller or processor of major importance" if you process data of more than 2,000 individuals. That's it. Two thousand. If you run a fintech app, an e-commerce platform, a payroll system, or basically any digital business with a Nigerian customer base — you're over that line.
Also caught: anyone processing sensitive data (health, biometrics, financials, children's data), anyone in a regulated sector (banking, telecoms, healthcare), and anyone above certain revenue thresholds.
The question isn't really whether you need to file. It's whether the NDPC has noticed you haven't.
The deadline situation
The 2026 filing covered your 2025 processing activities. Deadline was March 31, 2026.
If you missed it: late filers pay up to 50% extra on the filing fee. Not filing at all can cost you up to 2% of annual gross revenue or ₦10 million — whichever is higher. Those numbers come directly from the NDPA.
My advice if you're late: file anyway. The penalty for late filing is manageable. The penalty for non-filing is not.
What goes into the CAR
This is where organisations waste time, because they try to make it perfect instead of making it accurate. The CAR is a structured questionnaire, not a whitepaper. Here's what you're actually filling in:
Your organisation details. Legal name, registration, sector, rough number of data subjects, and your DPO's name and contact info. If you don't have a DPO appointed, that's a problem you need to fix before filing.
Your data processing inventory. This trips people up. You need to list what personal data you collect (names, emails, financial records, biometrics, location — all of it), who you collect it from (customers, employees, app users), why you collect it (service delivery, marketing, fraud detection), and your legal basis for each one (consent, contract, legitimate interest, legal obligation).
If you run AI systems, those go in here too. Your credit scoring model processes personal data. Your chatbot processes conversation data. Your fraud detection system processes transaction data. Don't pretend these don't exist — the NDPC knows what fintechs are building.
Your security measures. What are you actually doing to protect this data? Encryption, access controls, staff training, incident response plans. They also want to know about any DPIAs you've done and any breaches you've had.
Your cross-border transfers. If data leaves Nigeria — and it almost certainly does if you use any cloud provider, SaaS tool, or AI API — you need to document where it goes, what safeguards are in place, and why the transfer is lawful. Every OpenAI API call sends data to the US. Every AWS instance might sit in Ireland. Document it.
Your data subject rights process. How do people request access to their data? How do they ask you to delete it? The NDPA gives you 30 days to respond. You need a process, and you need records showing you've used it.
How filing actually works
- Register on the NDPC compliance portal if you haven't
- Engage a licensed DPCO — they prepare and submit the CAR on your behalf
- Complete the structured questionnaire
- Attach your supporting docs — data protection policy, DPIA reports, breach records
- Pay the filing fee (varies by org size and sector)
- Keep your confirmation receipt
The DPCO piece is non-negotiable. You can't just submit this yourself. If you don't have a DPCO relationship, start there — we've written a guide on choosing one.
What the NDPC does if you ignore this
They fine you. They've been clear about this.
The enforcement capacity at NDPC has grown significantly since the NDPA passed. They're hiring, they're investigating, and they're building a track record of enforcement. The days of assuming nobody's watching are winding down.
Beyond fines: non-filers get flagged for deeper scrutiny. That means mandatory audits, compliance orders, and the kind of regulatory attention that makes your legal team nervous. Plus the NDPC publishes enforcement actions — so your clients, partners, and competitors can see it.
If you're running AI
AI systems create specific wrinkles in the CAR that a lot of businesses try to gloss over:
Automated decisions. If your AI decides things about people — credit approvals, fraud flags, insurance pricing — you have to disclose the logic. Not the source code. The logic. "We use a model trained on transaction history to predict default probability" is the kind of explanation they're looking for.
Training data. If you trained models on personal data, that's processing. It needs a lawful basis. And yes, it should show up in the CAR.
Third-party AI providers. Data flows to OpenAI, Anthropic, Google — wherever your API calls go. That's a cross-border transfer. Document the safeguard (usually a Data Processing Agreement with Standard Contractual Clauses), and name the provider.
We've written more about this in our guide on NDPA compliance for Nigerian fintechs using AI.
What I'd do if I were you
If you've filed: good. Set a reminder for next year and keep your processing inventory updated as things change.
If you haven't filed: file late. The late fee stings less than the non-filing fine. Get a DPCO engaged this week. Build a processing inventory — even a rough one is better than nothing. Appoint a DPO if you haven't. And file.
If this feels overwhelming: that's normal. Most businesses don't have a clean data inventory sitting around. The first year is always the hardest. After that, it's an update, not a rebuild.
Need help with your CAR filing or NDPA compliance? Our NDPA Fintech Compliance Programme covers data mapping, policy development, DPO support, and CAR preparation — from ₦3,500,000. Not sure where you stand? Start with an NDPA Readiness Diagnostic — ₦500,000.