Nigeria's NDPC Ties AI to Compliance Audits | TLY

AI Regulation Tracker  /  Regulator action

Nigeria's NDPC makes its data-protection audit the test for responsible AI use

Nigeria's data regulator joined 60 other authorities in a global statement on AI-generated imagery, and it says Compliance Audit Returns under the Nigeria Data Protection Act will be the benchmark for whether AI processing is responsible. Controllers of major importance must now show it.

Nigeria's NDPC makes its data-protection audit the test for responsible AI use regulation briefing
The Leveraged Years AI Regulation Tracker

The Nigeria Data Protection Commission has placed responsible use of artificial intelligence inside a compliance mechanism it already runs. On February 23, 2026, the Commission joined roughly 60 other data protection authorities in signing the Joint Statement on AI-Generated Imagery and the Protection of Privacy, coordinated through the Global Privacy Assembly's international enforcement cooperation work. The statement itself addresses AI systems that generate realistic images and video of identifiable people without consent. What matters for Nigerian organizations is the enforcement posture the Commission attached to it.

Audits become the benchmark

According to the Commission and contemporaneous reporting, National Commissioner and Chief Executive Dr. Vincent Olatunji indicated that Compliance Audit Returns under the Nigeria Data Protection Act will serve as the benchmark for assessing the responsible use of AI in data processing. This is a practical choice rather than a new statute. The audit return is an established filing that data controllers and processors of major importance already submit. Rather than build a separate AI approval regime, the Commission is folding AI accountability into the document organizations are already obliged to produce.

The immediate consequence is evidentiary. Controllers and processors of major importance are expected to demonstrate, through their audit submissions, that AI-driven processing adheres to the provisions of the Nigeria Data Protection Act. An organization that cannot point to where AI sits in its return, and how that processing satisfies lawful-basis, transparency, and data-subject-rights obligations, is exposed on the record it files itself.

That shift also changes the timing of scrutiny. Because the audit return is periodic, responsible-AI evidence has to exist at the moment of filing, not be reconstructed after a complaint or an incident. The burden of proof sits with the organization rather than with the regulator, and it is discharged in a document the organization signs. For teams used to treating AI oversight as an internal policy matter, the practical difference is that the Commission can now read the organization's own account of its AI processing and hold it to that account.

GAID sets the design standard

The Commission also pointed to the General Application and Implementation Directive, or GAID, which it issued in 2025. The GAID, among other things, calls for privacy by design and privacy by default in the development and deployment of AI tools. Read together with the audit-benchmark step, the message is that privacy controls are expected to be built into AI systems from the start, and that the audit return is where an organization proves it. Design obligations and reporting obligations now point at the same evidence.

What this does not do

The joint statement is not a new binding instrument, and the audit-benchmark step is guidance on how existing law will be assessed rather than a fresh penalty regime. It does not ban AI-generated imagery outright, nor does it create AI-specific offenses beyond the Nigeria Data Protection Act. It applies most directly to controllers and processors of major importance, the tier already subject to registration and audit duties, rather than to every small business. Organizations below that threshold are governed by the Act, but the audit-return benchmark is aimed at the entities that file returns.

Who has to act

The practical burden falls on compliance officers, data protection officers, and the AI and data teams that build or buy the models in question. Their task is to translate AI use into the language of the audit return, mapping each processing activity to a lawful basis, a retention position, a transparency notice, and the privacy-by-design controls GAID contemplates. Vendors matter here too, because processing carried out by third-party AI providers still has to be accounted for in the controller's own submission.

For a United States reader, the cross-border angle is concrete. A US company processing Nigerian personal data at scale can qualify as a controller or processor of major importance and can be drawn into the same audit-return expectations. Beyond that, Nigeria is signaling a model other regulators may copy, using an existing periodic filing as the instrument for AI oversight rather than waiting for standalone AI legislation. Firms that already maintain audit-ready records will find that approach familiar. Those that treat AI governance as a slide deck rather than a filing will not.

Frequently Asked Questions

What did the NDPC actually change?

It did not pass a new law. The Commission joined the February 23, 2026 joint statement on AI-generated imagery and indicated that Compliance Audit Returns under the Nigeria Data Protection Act will be the benchmark for assessing responsible AI use. AI accountability now runs through an existing filing rather than a separate process.

Who is affected?

Data controllers and processors classified as of major importance under the Nigeria Data Protection Act, and the compliance officers, data protection officers, and AI teams responsible for their audit submissions. Organizations processing Nigerian data at scale from abroad can fall into the same category.

What is a Compliance Audit Return and where does AI fit in?

It is the periodic audit filing that controllers and processors of major importance already make to the NDPC. Under the Commission's stated approach, that return is where an organization must demonstrate that its AI-driven processing complies with the Act and with privacy-by-design and privacy-by-default expectations.

What does GAID require for AI?

The General Application and Implementation Directive, issued in 2025, calls for privacy by design and privacy by default in the development and deployment of AI tools, among other requirements. It sets the design standard that the audit return is then used to verify.

What is the single most important step to take now?

Review your last Compliance Audit Return, identify every AI-driven processing activity, and document how each one meets Nigeria Data Protection Act obligations and privacy-by-design controls, so the evidence is ready before your next filing rather than assembled under pressure.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.