Sections 44-45 of the NDPA establish a unique compliance mechanism: organisations processing data of major importance must register with the NDPC and file annual Compliance Audit Returns (CARs).

DCPMI Classification
Organisations are classified based on the volume and sensitivity of personal data they process:
- Ultra-High Level (UHL) — Processing data of the highest volume/sensitivity
- Extra-High Level (EHL) — Significant data processing operations
- Ordinary-High Level (OHL) — Standard high-volume processing

Licensed DPCOs
Compliance audits must be conducted by licensed Data Protection Compliance Organisations (DPCOs). Track the DPCO name and licence number for each audit.

Compliance Ratings
- Fully Compliant — All NDPA requirements met
- Substantially Compliant — Minor gaps with remediation plans
- Partially Compliant — Significant gaps requiring attention
- Non-Compliant — Major failures in data protection

Audit Workflow
- Draft — Planning and scoping the audit
- In Progress — Audit being conducted by DPCO
- Completed — Audit finished, findings documented
- Submitted — CAR filed with the NDPC