
DPCO Nigeria: What They Do and How to Choose One

M.K. Onyekwere · 6 min read

You can't file your Compliance Audit Return with NDPC on your own. You need a licensed Data Protection Compliance Organisation to do it for you.

If that sounds like a racket, it isn't — though the system has its problems. Here's what DPCOs do, why the requirement exists, and how to choose one that actually helps your business.

What is a DPCO?

A Data Protection Compliance Organisation is a company licensed by the Nigeria Data Protection Commission to conduct data protection audits and file Compliance Audit Returns on behalf of data controllers and processors.

Think of them as the data protection equivalent of an external auditor. Your business processes personal data. The NDPC wants independent verification that you're doing it properly. A licensed DPCO provides that verification.

The DPCO framework was established under the old NDPR and carried forward into the NDPA 2023. It's Nigeria's approach to scaling data protection oversight across thousands of organisations without NDPC having to audit each one directly.

What DPCOs actually do

Conduct compliance audits. The DPCO reviews your data processing activities — what data you collect, how you store it, who you share it with, what security measures you have in place. They assess this against NDPA requirements.

File your CAR. The Compliance Audit Return must be filed through a licensed DPCO. They prepare the return based on their audit findings and submit it to NDPC through the compliance portal.

Issue compliance reports. After their audit, the DPCO produces a report detailing your compliance status, identified gaps, and recommendations for remediation.

Provide compliance guidance. Most DPCOs also offer advisory services — helping you fix the gaps they find, develop data protection policies, and improve your compliance posture.

Why you can't just file the CAR yourself

The mandatory DPCO requirement exists for a few reasons:

Independence. NDPC wants an independent assessment, not a self-assessment. A company auditing its own data protection practices has obvious conflicts of interest.

Quality assurance. Licensed DPCOs must meet NDPC's standards for data protection expertise. This (in theory) ensures a baseline quality of compliance audits.

Scalability. Nigeria has thousands of organisations processing personal data. NDPC can't audit all of them. Licensing DPCOs distributes the oversight load.

The tradeoff: it adds cost. You're paying a third party for a service that, in other jurisdictions, you could handle internally.

How much DPCOs charge

DPCO fees vary based on your organisation's size and complexity:

| Organisation Size | Typical Annual Fee | Includes |
|---|---|---|
| Small (under 5,000 data subjects) | ₦500,000 – ₦1,500,000 | Audit + CAR filing |
| Medium (5,000–50,000 data subjects) | ₦1,500,000 – ₦4,000,000 | Audit + CAR + remediation guidance |
| Large (50,000+ data subjects) | ₦4,000,000 – ₦10,000,000+ | Comprehensive audit programme |

These are annual costs — you need a DPCO engagement every year for CAR filing. Some DPCOs bundle ongoing advisory and monitoring into the fee. Others charge separately.

On top of the DPCO fee, there's the NDPC filing fee itself, which varies by organisation classification.

What to look for in a DPCO

Not all DPCOs are created equal. The licensing ensures a minimum standard, but the quality of service varies significantly.

They understand your sector. A DPCO that specialises in fintech compliance will give you better value than a generalist if you're a fintech building AI systems. They know the sector-specific risks, where NDPA obligations overlap with CBN regulation, and the compliance patterns that are common in the sector.

They understand technology. This matters enormously if you're running AI systems. Your fraud detection pipeline, credit scoring model, or AML automation system processes data in ways that a non-technical auditor might not fully understand. A DPCO that can engage with your technical architecture gives you a more accurate audit.

They don't just audit — they help you fix things. The best DPCOs identify gaps AND help you close them. If they find your AI system lacks a proper DPIA, they should be able to help you produce one, not just note the deficiency.

They file on time. The March 31 CAR deadline matters. Late filing attracts penalties of up to 50% of the filing fee. Make sure your DPCO starts the audit process early enough to file on time.

They communicate clearly. You should understand what the DPCO found, what it means for your business, and what you need to do about it. A 100-page report in regulatory jargon isn't helpful if you can't act on it.

DPCO vs DPO: what's the difference?

These are often confused:

DPO (Data Protection Officer) — an internal or outsourced role responsible for your ongoing data protection compliance. They monitor your day-to-day processing, handle data subject requests, and advise on new projects. The DPO is embedded in your organisation.

DPCO (Data Protection Compliance Organisation) — an external, NDPC-licensed entity that audits your compliance and files your CAR. The DPCO engagement is periodic (typically annual), not ongoing.

You might need both. Your DPO manages compliance day-to-day. Your DPCO audits that compliance annually and files the CAR.

Some organisations offer both services — acting as your outsourced DPO and your DPCO. This can work well for SMEs that want a single point of contact for all data protection matters. Just be aware of the independence question: if the same firm is your DPO (advising on compliance) and your DPCO (auditing compliance), there's a potential conflict.

If you're building AI systems

AI systems add specific requirements to the DPCO audit:

Automated decision-making disclosure. Your CAR needs to document any AI systems that make or assist decisions about individuals. The DPCO should assess whether these systems meet NDPA requirements for transparency and human oversight.

Cross-border data transfers. If your AI uses APIs from providers outside Nigeria, the DPCO should verify that appropriate safeguards are in place for international data transfers.

Training data. If you've used personal data to train AI models, that's processing. It needs a lawful basis and should be documented in the audit.

Third-party AI providers. Data Processing Agreements with every AI provider need to be in place and reviewed. The DPCO should check these during the audit.

A DPCO that doesn't understand how AI systems process data will either miss these issues or flag them incorrectly. Choose one with technical capability.

Getting started

If you need a DPCO:

  1. Check if you're a DCMI/DPMI — if you are, CAR filing (and therefore a DPCO) is mandatory
  2. Start early — don't wait until March to engage a DPCO for the March 31 deadline. Start the audit process at least 8 weeks before the filing date
  3. Get quotes from at least two — compare scope, fees, and whether advisory services are included
  4. Ask about AI capability — if you're running AI systems, make sure the DPCO can assess them properly
  5. Confirm the timeline — get a written commitment on when the audit will be completed and the CAR filed

Need help with NDPC compliance, CAR filing, or choosing a DPCO? We help Nigerian businesses build compliant AI systems and manage their data protection obligations. Talk to us.
