Introduction
Over the past 5 years, Africa has witnessed an intensified shift towards the adoption and enforcement of data protection legislation. As of 2024, 39 out of 55 African nations have implemented data protection laws, with 34 established Data Protection Authorities (DPAs) tasked with overseeing compliance, investigating breaches, and guiding organisations on their data protection obligations. 33% of data protection laws across the continent were passed between 2021 and 2026, an acceleration that is no longer theoretical but operational, and one that carries real consequences for non-compliance.
Critically, the data protection landscape has shifted from passive oversight to active enforcement. Mandatory compliance audit cycles have emerged as the primary mechanism through which regulators hold organisations to account. In Nigeria, the Nigeria Data Protection Commission (NDPC) intensified its compliance drive by issuing notices to over 1,300 organisations across the banking, insurance, pensions, and gaming sectors. In Kenya, the Office of the Data Protection Commissioner (ODPC) received over 6,817 data protection complaints and issued 195 determinations and 100 enforcement notices in 2025 alone.
This resolve was most notably punctuated by the USD 32,800,000 fine levied against META in Nigeria for unauthorised behavioural advertising and discriminatory data practices, the largest data protection fine recorded on the continent to date [1]. South Africa’s Information Regulator has demonstrated equal resolve: it issued its first administrative fine of ZAR 5 million (USD 291,950) against the Department of Justice and Constitutional Development for failing to comply with an enforcement notice following a security compromise that resulted in the loss of over 1,200 files containing personal information. In Angola, the Data Protection Authority imposed a USD 175,000 fine on an airline for failing to implement appropriate technical safeguards and obtain authorisation before processing personal data, signalling that enforcement appetite extends well beyond the continent’s largest economies. In Uganda, the Personal Data Protection Office (PDPO) found Google LLC in breach of the Data Protection and Privacy Act, 2019 for operating without registration and for failing to demonstrate adequate safeguards for the cross-border transfer of personal data belonging to Ugandan data subjects, a ruling Google ultimately accepted without appeal.
These cases, spanning Nigeria, South Africa, and Uganda, signal a continent-wide shift: data protection regulators in Africa are no longer merely issuing guidance notes. They are issuing fines, enforcement notices and investigation orders, irrespective of sector or organisation size.
This article outlines the essential obligations and procedural steps required to navigate mandatory audit cycles, the timelines for ensuring audit compliance, and the next steps following audit filings. Nigeria’s GAID framework is used as a detailed case study, with parallel regulatory requirements drawn from Kenya, South Africa and Uganda.
Obligations of data controllers and processors when navigating mandatory audit cycles
Compliance audit readiness does not begin when an audit deadline approaches. Regulators across the continent expect organisations to have embedded ongoing, documented data governance practices well in advance of any formal submission. In Ghana, organisations must perform a gap analysis audit to identify areas of non-compliance, submit a compliance assessment report as part of the 2-year registration renewal process, and remain available for ad hoc audits by the Data Protection Commission. Audit readiness therefore requires the maintenance of up-to-date and accurate documentation of data protection measures at all times.
In South Africa, the Information Regulator holds equivalent standing powers under POPIA to conduct compliance assessments with or without prior notice.
In Nigeria, the GAID requires every organisation to conduct periodic compliance audits of its data processing activities as a standing obligation, not merely as a precursor to an annual return. In Côte d’Ivoire, by contrast, organisations are required to submit annual self-assessment audit reports to the regulator (ARTCI), detailing in depth their processing activities, responsible parties, transparency measures and more.
In Kenya, entities processing personal data must register with the ODPC, appoint a Data Protection Officer, and conduct Data Protection Impact Assessments for high-risk processing; these obligations must be continuously operationalised, not assembled at the point of filing. The following foundational obligations therefore apply across these jurisdictions and must be treated as continuous operational requirements rather than pre-filing checklists.
1. Identification of risk
The requirement for data controllers and processors to identify and manage risks is critical to compliance with applicable law. Data controllers and processors must adopt a risk-based approach, taking into account the people, processes and technologies involved in their data processing value chain [2]. Identifying risk in this regard would involve the following:
- Mapping out data flows: To effectively identify and mitigate data processing risks, an organisation must first establish a comprehensive Data Flow Map. This entails compiling a detailed list or schedule of the points at which personal data is collected, stored, used, or shared, both within the organisation and with third parties. Without this granular visibility into the data’s lifecycle, identifying potential vulnerabilities or compliance gaps under data protection law becomes challenging.
- Conducting data protection impact assessments (DPIAs): This is the primary tool for identifying risks to data subjects and to the organisation, particularly for high-risk processing such as large-scale, automated, or sensitive data processing. DPIAs analyse the necessity, proportionality and potential impact of data processing. Certain laws, such as Nigeria’s General Application and Implementation Directive (GAID), set out specific circumstances in which a DPIA is required, so the provisions of the applicable law should be checked to understand the DPIA triggers.
- Risk analysis: categorising each identified risk by its assessed level of impact, whether high, medium or low, and assigning risk treatment controls as needed.
2. Implement audit controls
Accountability is a principle embedded in data protection law across the region that requires more than good intentions. Organisations must implement technical and organisational measures that enable continuous monitoring of data flows, execute data processing agreements and maintain a written schedule for the periodic review of all data processing platforms and practices.
The GAID codifies this explicitly: failure to define and adhere to internal audit frequencies may constitute a breach of the duty to implement appropriate technical and organisational measures. Organisations that maintain rigorous internal audit controls throughout the year will find that the documentation required for a formal Compliance Audit Return is already in place.
3. Periodic risk assessments
Data controllers and processors should follow a written schedule to review data processing platforms and practices. These reviews are commonly known as periodic risk assessments. They help identify supply chain, data protection and information security risks that threaten the confidentiality, integrity, availability and privacy of both IT assets and processing activities. Identified risks should then be assigned to risk owners, with mitigating controls mapped to remediation timelines so that inherent risk is reduced to an acceptable level. In jurisdictions such as Nigeria and Kenya, the absence of a documented review schedule is itself treated as evidence of non-compliance. Regulators do not simply penalise breaches after the fact; they penalise the failure to build robust systems capable of detecting them.
Periodic risk assessment also encompasses the obligation to conduct mandatory data protection impact assessments (DPIAs) where processing is likely to result in a high risk to the rights and freedoms of data subjects. This obligation is set out in the Nigeria Data Protection Act 2023, the Kenyan Data Protection Act 2019, the Tanzania Personal Data Protection Act 2022, the Malawi Data Protection Act 2024, and Botswana’s Data Protection Act 2024, and is introduced through implementing regulations or regulatory guidelines in South Africa, Angola, and Uganda.
4. Appointment of a Data Protection Officer
Nigeria’s GAID is explicit: Data Controllers and Processors falling within the Ultra High Level (UHL) and Extra High Level (EHL) classifications must file mandatory Compliance Audit Returns through a certified Data Protection Officer (DPO) or an accredited Data Protection Compliance Organisation (DPCO). Kenya’s ODPC similarly requires the appointment of a DPO for organisations processing sensitive data or data at scale, and has published an accreditation register of approved compliance audit firms. South Africa’s Information Regulator requires all Data Protection Officers to register through its online portal as an accountability measure. Most African data protection legislation mandates the appointment of a DPO as an accountability and governance mechanism.
5. Security awareness training
To institutionalise the Accountability principle, the organisation is mandated to conduct recurring capacity-building sessions to ensure all stakeholders understand their statutory data obligations. To validate the effectiveness of this training, the GAID requires the use of mandatory privacy checklists for all data-processing activities, ensuring that risk identification is a core competency for both staff and contractors.
Case study: Nigeria – Compliance Audit Returns (CAR)
1. Timeline of Audit Compliance
The GAID formalises a dual-track timeline for Compliance Audit Returns (CAR), ensuring all organisations of major importance transition into a synchronised cycle of annual accountability.
- Legacy Entities: Organisations established before June 12, 2023, must meet a fixed annual deadline of March 31st
- New Entrants: Entities established after June 12, 2023, are granted an initial 15-month window for their first filing, after which they join the standard annual cycle
This framework ensures that regardless of an organisation’s age, recurring oversight remains the definitive standard for data protection in Nigeria [3].
A pertinent question in this regard is: who qualifies as a data controller or processor of major importance? The NDPC classifies data controllers and data processors into three (3) levels or categories: Ultra High Level (i.e. data processors or controllers processing the sensitive data of over 5000 data subjects), Extra High Level (i.e. data processors or controllers processing the sensitive data of over 1000 data subjects), and Ordinary High Level (i.e. data processors or controllers processing the sensitive data of over 200 data subjects) [4].
2. After filing: What Next?
The completion of a Compliance Audit Return (CAR) filing is not the end of the regulatory journey, but rather the beginning of a verification phase. Under the GAID, this transition from submission to certification is marked by two potential regulatory paths:
- The Mark of Compliance: Upon successful review, the Commission will issue an official Compliance Audit Returns Certificate. For organisations, this certificate serves as a vital seal of regulatory health, signaling to stakeholders and partners that data processing practices meet national regulatory standards.
- The Power of Inquiry: Filing does not grant immediate immunity. The Commission retains the authority to dig deeper, requesting additional information from the controller, the processor, or any associated parties. This “right to inquire” ensures that the audit is a substantive reflection of the organisation’s data ecosystem rather than a mere box-ticking exercise.
Ultimately, the post-filing period is one of active oversight, where the Commission balances the issuance of credentials with a commitment to granular verification.
3. Consequence for non-compliance
The financial stakes of data governance have become increasingly tangible under the NDP Act. Far from a mere administrative lapse, the failure to file a Compliance Audit Return (CAR) on schedule now triggers immediate fiscal repercussions.
Beyond the standard filing fees, non-compliant organisations face a mandatory administrative penalty equivalent to 50% of the filing cost. For controllers or processors of major importance, these fees often reach into the millions of naira, a “compliance surcharge” that represents a significant and avoidable drain on corporate resources. This penalty structure sends a clear signal from the NDPC: in the new regulatory landscape, the cost of non-compliance far exceeds the cost of transparency [5].
Conclusion
Ultimately, Data Protection Authorities in Africa view mandatory compliance audits as more than just a filing requirement; they are a vital risk-proofing toolkit designed to enforce a culture of accountability and transparency. Through mandatory compliance audits, the lifecycle of personal data remains under constant and verifiable checks and balances.
For organisations, the stakes extend beyond simple regulatory adherence. In an era where trust is a primary currency, the threat of sanctions and significant fines poses a dual risk: a direct hit to the balance sheet and a potentially irreparable blow to brand reputation. Taking a rigorous approach to compliance is no longer a legal formality, but a strategic necessity for any organisation looking to safeguard its future in the digital economy.
Regulatory compliance audits are not meant to create fear but to serve as a call to action, encouraging organisations to treat data protection compliance as a priority rather than an afterthought. Fines issued for non-compliance not only erode stakeholder trust in the organisation but ultimately disrupt its business.
T-A-A-S Cyber Solutions Ltd is an accredited Data Protection Compliance Organisation (DPCO), qualified to assist organisations in filing Compliance Audit Returns, conducting DPIAs, delivering capacity building and training sessions, and building the data protection and governance framework required to meet the obligations described in this article. We remain available to provide guidance tailored to your organisation’s regulatory exposure across Africa’s leading data protection jurisdictions.
References
[1] Ndidiamaka Ede, “$32.8 million Fine Dispute: Meta settles with Nigerian govt out of court” (Premium Times, November 3, 2025) https://www.premiumtimesng.com/news/headlines/832580-32-8-million-fine-dispute-meta-settles-with-nigerian-govt-out-of-court.html?tztc=1
[2] Nigeria Data Protection Act, General Application and Implementation Directive (GAID) 2025, Article 10 (NDP-ACT-GAID-2025-MARCH-20TH.pdf).
[3] Nigeria Data Protection Act, General Application and Implementation Directive (GAID) 2025, Articles 7 and 10 (NDP-ACT-GAID-2025-MARCH-20TH.pdf).
[4] Nigeria Data Protection Act, General Application and Implementation Directive (GAID) 2025, Schedule 7, Guidance Note (NDP-ACT-GAID-2025-MARCH-20TH.pdf).
[5] Nigeria Data Protection Act, General Application and Implementation Directive (GAID) 2025, Article 10 (NDP-ACT-GAID-2025-MARCH-20TH.pdf).
Bibliography
Africa Privacy Roundup. (2024). Roundup on data protection in Africa – 2024. https://africaprivacyroundup.com/roundup-on-data-protection-in-africa-2024/
Aluko & Oyebode. (2025, August 26). The Nigeria Data Protection Commission commences sector-by-sector investigation on companies. https://www.aluko-oyebode.com/insights/ndpc-data-protection-compliance-2025/
Bowmans. (2023, July). South Africa: Beware – Information Regulator issues first fine of ZAR 5 million under POPIA. https://bowmanslaw.com/insights/south-africa-beware-information-regulator-issues-first-fine-of-zar-5-million-under-popia/
CIPESA. (2025, July 24). Ugandan regulator finds Google in breach of country’s data protection law, orders local registration. https://cipesa.org/2025/07/ugandan-regulator-finds-google-in-breach-of-countrys-data-protection-law-orders-local-registration/
Federal Competition & Consumer Protection Commission (FCCPC). (2025, April 25). Violations: Tribunal upholds FCCPC’s $220 million fine against Meta/WhatsApp. https://fccpc.gov.ng/violations-tribunal-upholds-fccpcs-220-million-fine-against-meta-whatsapp/
Jones Day. (2025, August). Nigeria launches investigations into noncompliance with Nigeria Data Protection Act 2023. https://www.jonesday.com/en/insights/2025/08/nigeria-launches-investigations-into-noncompliance-with-nigeria-data-protection-act-2023
Nigeria Data Protection Commission (NDPC). General Application and Implementation Directive (GAID), 2025.
Nigeria Data Protection Act, 2023.
Office of the Data Protection Commissioner (ODPC), Kenya. (2024). Draft Data Protection (Conduct of Compliance Audit) Regulations, 2024. https://www.odpc.go.ke/draft-the-data-protection-compliance-audit-regulations-2024/
PwC Kenya. (2025). The next phase of privacy in Kenya. https://www.pwc.com/ke/en/blog/next-phase-of-privacy.html
Techpoint Africa. (2025, October 4). Meta, NDPC agree out-of-court settlement of $32.8 million fine. https://techpoint.africa/news/meta-ndpc-settlement-fine/
Techpoint Africa. (2025, August 25). NDPC cracks down on 1,369 Nigerian firms over data privacy violations. https://techpoint.africa/news/ndpc-targets-1369-companies/