Year 1 of 5

Foundation Year: Building Your Compliance Framework

The first year focuses on establishing the foundational elements of your data protection compliance programme, including initial registration, appointing key personnel, and conducting your first compliance audit and filing the resulting Compliance Audit Report (CAR).

Legal Framework
Key NDPA and GAID provisions for Year 1 compliance

Section 29 of the NDP Act requires data controllers and processors of major importance to conduct compliance audits and submit annual Compliance Audit Reports to the Commission.

GAID Regulation specifies that entities established after 12th June 2023 must file their first CAR not later than fifteen (15) months after establishment, then annually thereafter. Entities established before 12th June 2023 must file their CAR not later than 31st March each year.

Year 1 Compliance Checklist

NDPC Registration

Register your organisation with the National Data Protection Commission. Determine your classification level (UHL, EHL, or OHL) based on the type of organisation and volume of data subjects processed.

Appoint a Data Protection Officer (DPO)

Under Section 31 of the NDP Act, certain organisations must appoint a DPO. The DPO is responsible for monitoring compliance, providing advice, and serving as the contact point with the NDPC.

Develop Data Protection Policies

Create foundational policies including Privacy Policy, Data Retention Policy, Data Breach Response Plan, and Data Subject Rights Procedures. These form the backbone of your compliance programme.

Conduct Data Mapping and Inventory

Identify and document all personal data processing activities, including what data you collect, why you collect it, how it is stored, who has access, and how long it is retained. This is essential for your first CAR.

First Compliance Audit and CAR Filing

Engage a licensed Data Protection Compliance Organisation (DPCO) to conduct your first audit. For entities established before 12th June 2023, the CAR must be filed by 31st March each year. For entities established after 12th June 2023, file within 15 months of establishment.

Year 1 Filing Deadline

For entities established after 12th June 2023: File first CAR within 15 months of establishment, then by 31st March annually. For entities established before 12th June 2023: File by 31st March each year.
