If you process personal data of Nigerian residents, the Nigeria Data Protection Commission wants to hear from you. Every year.
The Compliance Audit Return (CAR) is how NDPC tracks who's processing what data, and whether they're doing it properly. It's not optional. The March 31 deadline for 2026 is coming up fast — if you haven't started, you need to act now.
Here's everything you need to know about the CAR filing process, who needs to file, and what happens if you don't.
What is the Compliance Audit Return?
The CAR is an annual filing mandated by the Nigeria Data Protection Commission under the Nigeria Data Protection Act 2023 (NDPA). Think of it as your organisation's annual privacy health check — a structured report on how you handle personal data.
It covers:
- What personal data you collect and process
- Your lawful basis for processing
- Data protection measures in place
- Whether you've had any breaches
- Your data retention policies
- Whether you've appointed a Data Protection Officer
- Details of any cross-border data transfers
The CAR replaced the older compliance audit framework from the NDPR era. Same concept, updated requirements under the NDPA.
Who needs to file?
The short answer: any organisation that qualifies as a "data controller or processor of major importance."
In practice, this means:
- You process data of more than 2,000 data subjects — if you have a customer database, a user base, an employee roster, or any other dataset with more than 2,000 Nigerian individuals, you likely qualify
- You process sensitive personal data — health records, biometric data, financial data, children's data
- You're in a regulated sector — financial services, healthcare, telecommunications, education
- Annual turnover exceeds certain thresholds — varies by sector
If you're a fintech with more than 2,000 users? You file. If you're running an AI system that processes customer data? You file. If you're a bank, insurance company, or payment processor? Definitely file.
When is it due?
The CAR filing deadline for 2026 is March 31, 2026 — covering your 2025 data processing activities.
This applies to all data controllers and processors of major importance (DCMIs/DPMIs), categorised as Ultra-High Level (UHL) and Extra-High Level (EHL).
If you miss the deadline: file anyway. Late filers pay an additional administrative fee of up to 50% of the applicable filing fee. Non-filing entirely can attract fines of up to 2% of annual gross revenue or ₦10 million, whichever is greater.
What you need to include
The CAR requires detailed information across several categories. Here's what to prepare before you start:
1. Organisation details
- Legal name, registration number, and contact information
- Name and contact details of your Data Protection Officer (or reason for not appointing one)
- Industry sector and approximate number of data subjects
2. Data processing inventory
This is where most organisations stumble. You need a clear picture of:
- Categories of personal data you process (names, emails, financial records, biometrics, location data, etc.)
- Categories of data subjects (customers, employees, website visitors, app users)
- Processing purposes for each category (service delivery, marketing, fraud detection, HR management)
- Lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
If you're running AI systems, include them. An AI credit scoring model processes personal data. An AI chatbot processes conversation data. A fraud detection system processes transaction data. All of it goes in the CAR.
3. Data protection measures
What are you doing to protect the data you hold?
- Technical measures (encryption, access controls, pseudonymisation)
- Organisational measures (training, policies, incident response procedures)
- Data Protection Impact Assessments conducted
- Data breach history and response
4. Cross-border transfers
If you send personal data outside Nigeria — to cloud providers, API services, analytics platforms — you need to document:
- Where the data goes (country and entity)
- What safeguards are in place (adequacy decisions, standard contractual clauses, binding corporate rules)
- The lawful basis for the transfer
This is particularly relevant if you use AI APIs from providers like OpenAI, Anthropic, or Google. Those API calls typically send data to servers outside Nigeria.
5. Data subject rights
How do you handle requests from individuals to access, correct, or delete their data? NDPC wants to see that you have:
- A process for receiving and responding to data subject requests
- Records of requests received and how they were handled
- Response timeframes (the NDPA gives you 30 days)
How to file
The CAR is filed through the NDPC's online portal. The process:
- Register on the NDPC compliance portal if you haven't already
- Engage a licensed DPCO — CARs must be filed through a licensed Data Protection Compliance Organisation acting on your behalf
- Complete the CAR form — it's a structured questionnaire, not a free-form document
- Attach supporting documents — your data protection policy, DPIA reports, breach notification records
- Pay the filing fee — fees vary by organisation size and sector
- Submit and retain your confirmation — keep the submission receipt
Important: CARs must be filed through a licensed DPCO, not directly by the organisation. If you don't have a DPCO relationship, that's the first thing to sort out.
What happens if you don't file?
NDPC has enforcement powers under the NDPA. Non-filing can lead to:
- Late filing fee — up to 50% of the applicable filing fee on top of the standard fee
- Non-filing fines — up to 2% of annual gross revenue or ₦10,000,000, whichever is greater
- Compliance orders — mandatory audits and remediation directives
- Reputational damage — NDPC publishes enforcement actions
- Increased scrutiny — organisations that don't file get flagged for deeper investigation
The NDPC has been increasingly active since the NDPA came into force. They're building enforcement capacity, hiring investigators, and making examples. The era of "nobody's watching" is over.
If you use AI systems
AI systems add specific complications to the CAR:
Automated decision-making: If your AI makes decisions about individuals (credit scoring, fraud flags, insurance pricing), you need to disclose this and explain the logic involved.
Training data: If you used personal data to train models, that's processing. It needs a lawful basis and should be documented.
Third-party AI providers: If you use external AI APIs, the data flows to those providers. Document the transfer, the safeguards, and the DPA you have in place with each provider.
Profiling: AI-driven customer segmentation, behavioural analysis, or risk scoring all constitute profiling under the NDPA. Report it.
We've written a detailed guide on NDPA compliance for Nigerian fintechs using AI systems that covers these requirements in depth.
What to do right now
If you haven't filed your 2026 CAR:
- Audit your data processing activities — build a processing inventory if you don't have one
- Appoint a DPO (or engage an outsourced one) — you'll need a named DPO for the filing
- Complete the CAR form — don't wait for perfection, file with what you have
- Set a calendar reminder — for next year's filing deadline
- Get help if needed — if the data mapping feels overwhelming, that's what we're here for
The CAR isn't just a regulatory checkbox. Done properly, it forces you to understand what data you hold, why you hold it, and whether you're protecting it. That understanding is the foundation of any compliance programme.
Need help with your CAR filing or NDPA compliance? We help Nigerian organisations map their data processing, build compliance programmes, and file their annual returns. Talk to us.