Data Protection | 10 February 2026 | Tags: NDPA, NDPC, Data Protection, Compliance, GAID

The March 31 NDPA Deadline: A Board-Level Compliance Risk

David Salami

Deep Nigerian Regulatory & Enterprise Expertise

Every organisation processing personal data above the statutory threshold must file a Compliance Audit Return with the Nigeria Data Protection Commission by March 31, 2026.

Failure triggers a 50% administrative surcharge. Escalation exposes the institution to penalties of up to 2% of annual gross revenue or ₦10 million, whichever is higher.

This is governance exposure, not paperwork.

What Leadership Should Understand

1. The Filing Is Mandatory

Under the Nigeria Data Protection Act 2023 and the 2025 General Application and Implementation Directive, Data Controllers and Processors of Major Importance must file annually.

The threshold is broad. Most financial, telecom, health, education, and fintech institutions qualify.

2. The 2026 Template Is New

The September 2025 Directive introduced a revised audit format requiring documented Data Protection Impact Assessments and updated processing records.

Last year’s filing cannot be reused.

3. Filing Must Be Through an Accredited Auditor

Submissions must go through a licensed Data Protection Compliance Organisation. Capacity constraints intensify in the final weeks before the deadline.

Late preparation creates execution risk.

4. Enforcement Is Active

The Commission fined Multichoice Nigeria ₦766.2 million in July 2025 and issued compliance notices to over 1,300 organisations in August.

Enforcement is operational, not theoretical.

5. Breach Notification Is Already Live

Section 40 mandates 72-hour breach reporting and a maintained Personal Data Breach Register.

Technical systems must support governance requirements.

Strategic Implication

The Compliance Audit Return is a technical evidence exercise.

Institutions without:

  • Documented data inventories
  • Access control mapping
  • Retention logic
  • DPIA documentation

will struggle to file accurately.

Regulatory exposure compounds quickly when governance trails architecture.
