The deadline was March 31, 2026.

If your organisation processes the personal data of more than 1,000 people and you have not filed your annual Compliance Audit Return with the Nigeria Data Protection Commission, you are already in default. The penalty for late filing is a 50% administrative surcharge on top of the base fine. And that is before the NDPC decides whether to escalate to an enforcement order.

This is not a distant risk. In January 2026, the NDPC publicly tightened its audit enforcement posture. In August 2025, it sent compliance notices to 1,369 Nigerian organisations — banks, insurance companies, pension funds, gaming operators — and gave them 21 days to prove compliance or face fines, enforcement orders, and criminal prosecution. Multichoice Nigeria received a bill for ₦766.2 million in July 2025. Fidelity Bank’s bill in 2024 exceeded ₦500 million.

Neither of those organisations set out to violate the law. They simply had not built what the law now requires.

The legal framework: NDPA 2023 and GAID 2025

Two instruments now govern data protection in Nigeria.

The Nigeria Data Protection Act 2023 (NDPA) came into force on 12 June 2023. It established the legal principles: lawful basis for processing, data subject rights, breach notification, and penalties.

The General Application and Implementation Directive 2025 (GAID), issued by the NDPC on 20 March 2025 and effective from 19 September 2025, is where the practical obligations live. The GAID replaced the old NDPR and NDPR Implementation Framework entirely. It introduced registration tiers, annual compliance filings, certified DPO requirements, and structured timelines.

If your compliance programme was built on the NDPR, it is now outdated.

The registration framework every employer must understand

The GAID classifies every data controller and data processor into one of three tiers based on the number of data subjects processed within any six-month period.

Ultra-High Level (UHL): Organisations processing the personal data of more than 5,000 individuals in six months. This category covers banks, telecoms companies, multinationals, and large employers. Registration fee: ₦500,000 to ₦1,000,000.

Extra-High Level (EHL): Organisations processing data of between 1,000 and 4,999 individuals in six months. This category includes government agencies, microfinance banks, mid-size employers, insurers, and most professional service firms. Registration fee: ₦100,000 to ₦250,000.

Ordinary-High Level (OHL): Organisations processing data of between 200 and 999 individuals in six months. Schools, health centres, and smaller employers fall here. OHL entities renew registration annually but do not file a separate Compliance Audit Return.

Most Nigerian employers with a workforce of any meaningful size will fall into UHL or EHL. If you have not assessed your tier, you have not started your GAID compliance.

What Nigerian employers now owe the NDPC

1. Registration

Every data controller and processor at UHL, EHL, or OHL level must register with the NDPC. Registration is not optional and is not satisfied by simply being aware of the law. It is a formal process with applicable fees and documentation.

2. The Compliance Audit Return (CAR)

UHL and EHL organisations must file an annual CAR with the NDPC by March 31 of each year. The filing must be made through an NDPC-licensed Data Protection Compliance Organisation (DPCO), not directly. The CAR documents your processing activities, the lawful bases you rely on, your security measures, your breach history, and your data governance structure.

The March 31, 2026 deadline has passed. If you are UHL or EHL and have not filed, the 50% administrative penalty applies. The time to act is now, not next quarter.

3. The Data Protection Officer

UHL and EHL organisations must appoint a Data Protection Officer. Under the GAID, the DPO is no longer just a person with a title. The NDPC now requires evidence of data protection certification through its annual credential assessment. A DPO who cannot demonstrate expertise and does not report to senior management is not a compliant DPO.

4. A lawful basis for every processing activity involving employees

Every time you collect, store, use, share, or delete employee data, you need a documented lawful basis. For employment contexts, the three most commonly applicable are: processing necessary to perform the employment contract; the legitimate interests of the business; or the employee’s freely given, specific and informed consent.

Blanket consent clauses buried in employment contracts will not hold. Consent obtained under the power dynamics of an employment relationship requires careful handling. The NDPC will look at whether consent was genuinely free, specific, and informed.

5. A data privacy notice that actually informs

Every employee must receive a standalone privacy notice in plain, accessible language, telling them: what data you collect, why you collect it, the legal basis for collection, how long you keep it, who you share it with, and what rights they have. This is not the same as a confidentiality clause. It is a separate, prominent document.

6. Disclosed monitoring only

Tracking attendance with biometric devices, reviewing CCTV footage of staff, monitoring email activity on company systems, or using GPS on company vehicles: each of these is a processing activity under the NDPA. The GAID requires that any monitoring be disclosed to employees in advance. Covert monitoring is impermissible. A sentence in the staff handbook stating that the company reserves the right to monitor does not meet the standard.

7. A Data Protection Impact Assessment for high-risk processing

Where your data processing activities carry significant risk, the GAID requires a formal Data Protection Impact Assessment (DPIA) before the processing begins. Many employers running HR technology platforms have never conducted one.

8. Documented staff training

The GAID requires that staff who handle personal data receive regular, documented training.

9. The 72-hour breach notification window

If your payroll system is compromised or HR data is accessed without authorisation, the NDPC must be notified within 72 hours of your becoming aware of the breach. The GAID adds the requirement to have a documented breach response procedure in place before any breach occurs. In practice the 72-hour clock is only meaningful if you can detect unauthorised access in the first place, so access logging and alerting on HR and payroll systems are part of meeting this obligation, not a separate IT concern.

10. Data retention limits

Personal data must be deleted or anonymised once the purpose for which it was collected is fulfilled. Former employee records, rolling recruitment data, and historical payroll files all need a documented retention schedule.

The penalty structure in 2026

For UHL and EHL organisations, non-compliance fines can reach ₦10 million or 2% of annual gross revenue, whichever is higher. For OHL organisations, the cap is ₦2 million or 2% of annual gross revenue, again whichever is higher. Late CAR filing attracts an automatic 50% administrative surcharge.

Three steps to take this week

First, determine your tier. Count the number of individuals whose personal data your organisation processes across all categories (employees, former employees, job applicants, customers, contractors) within any six-month period. If that number reaches 200, the GAID applies to you; above 1,000 you also owe the annual CAR.

Second, engage a DPCO. Late filing with the surcharge is far less costly than an enforcement action.

Third, commission a data audit. Map every category of personal data you hold, the lawful basis for each activity, who has access, and how long you are keeping it.

Marturion Legal advises businesses on NDPA and GAID 2025 compliance, employment data obligations, and DPO structuring. Visit marturionlegal.com.