@tantainnovative/ndpr-toolkit 5.1.4 → 5.3.0

package/CHANGELOG.md

@@ -2,6 +2,36 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [5.3.0](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.2.0...v5.3.0) (2026-05-30)
+
+
+### Features
+
+* **breach:** add NDPA S.40 / GAID 2025 Article 33 notification completeness checker ([2a6bdf2](https://github.com/mr-tanta/ndpr-toolkit/commit/2a6bdf25af11431c6b4603c0892d3db44f0bf348))
+
+
+### Documentation
+
+* document the breach notification completeness checker ([c05ee84](https://github.com/mr-tanta/ndpr-toolkit/commit/c05ee848afd899ae916b40fa55023886380392ae))
+
+## [5.2.0](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.1.4...v5.2.0) (2026-05-30)
+
+
+### Features
+
+* **car:** add NDPC GAID 2025 Compliance Audit Returns scheduler ([30d399a](https://github.com/mr-tanta/ndpr-toolkit/commit/30d399a38b51632f8a3fdcb01a329f983eb7ca06))
+* **dcpmi:** add NDPC GAID 2025 DCPMI tier classifier ([179a5c1](https://github.com/mr-tanta/ndpr-toolkit/commit/179a5c1d6a7b9a3fba89947ff2d943b2159a142c))
+
+
+### Bug Fixes
+
+* address findings from the A–Z verification pass ([4ede74f](https://github.com/mr-tanta/ndpr-toolkit/commit/4ede74f9aece2c74d8377a91068522d534daa6fc))
+
+
+### Documentation
+
+* document DCPMI classifier and Compliance Audit Returns ([a7fefe1](https://github.com/mr-tanta/ndpr-toolkit/commit/a7fefe1a07b58d1b4d9e6f0a8b20b3a4c8f4fef6))
+
 ## [5.1.4](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.1.3...v5.1.4) (2026-05-28)
 
 

package/README.md

@@ -449,6 +449,91 @@ import { NDPRComplianceDashboard } from '@tantainnovative/ndpr-toolkit/presets';
 
 ---
 
+## DCPMI & Compliance Audit Returns
+
+Two pure utilities for the NDPC **General Application and Implementation Directive (GAID) 2025** registration regime — no React, safe to run server-side or in CI.
+
+`classifyDCPMI()` derives an organisation's **Data Controller/Processor of Major Importance** tier from the number of data subjects processed in a six-month window, with its annual registration fee and filing obligations:
+
+```ts
+import { classifyDCPMI } from '@tantainnovative/ndpr-toolkit/core';
+
+const result = classifyDCPMI({ dataSubjectsInSixMonths: 6200 });
+
+result.tier;                              // "UHL"  (>5,000 → Ultra High Level)
+result.isDCPMI;                           // true
+result.annualFeeNGN;                      // 250000
+result.registration.renewsAnnually;       // false (UHL/EHL register once, file CAR yearly)
+result.compliance.auditReturnsAnnual;     // true
+result.compliance.initialAuditWithinMonths; // 15
+```
+
+| Tier | Data subjects / 6 months | Annual fee (₦) |
+|------|--------------------------|----------------|
+| **UHL** — Ultra High Level | more than 5,000 | 250,000 |
+| **EHL** — Extra High Level | 1,000 – 5,000 | 100,000 |
+| **OHL** — Ordinary High Level | 200 – 999 | 10,000 |
+| below 200 | — | not a DCPMI by volume |
+
+Thresholds and fees are the September 2025 GAID baseline and are configurable (`classifyDCPMI(input, { thresholds, fees })`) since the NDPC revises them. Pass `isDesignated: true` for an organisation the Commission has separately listed — it resolves to the `'listed'` tier regardless of volume.
+
+`generateComplianceAuditReturn()` schedules a DCPMI's **Compliance Audit Returns** — the initial audit due within 15 months of commencement, then the next annual filing deadline (NDPC baseline 31 March, filed via the NDPC Information Management Portal / NIMP):
+
+```ts
+import { generateComplianceAuditReturn } from '@tantainnovative/ndpr-toolkit/core';
+
+const car = generateComplianceAuditReturn({
+  commencementDate: '2025-01-15',
+  asOf: '2026-03-21',
+  tier: 'UHL',
+});
+
+car.schedule.initialAuditDueDate;     // "2026-04-15"  (commencement + 15 months)
+car.schedule.nextFilingDeadline;      // "2026-03-31"
+car.status.daysUntilNextDeadline;     // 10
+car.status.initialAuditDue;           // false
+
+// NDPC deadlines shift — the 2026 filing was extended to 30 May:
+generateComplianceAuditReturn(
+  { commencementDate: '2025-01-15', asOf: '2026-04-01', tier: 'UHL' },
+  { deadlineOverrides: { 2026: '2026-05-30' } },
+).schedule.nextFilingDeadline;        // "2026-05-30"
+```
+
+Both ship as memoised hooks for React UIs — `useDCPMI(input, options?)` and `useComplianceAuditReturn(input, options?)` from `@tantainnovative/ndpr-toolkit/hooks`.
+
+> These utilities compute registration tiers and filing dates from the GAID 2025 baseline; they are not legal advice. The NDPC revises metrics and extends deadlines — verify against current NDPC guidance before relying on them.
+
+---
+
+## Breach Notification Completeness
+
+`assessBreachNotification()` checks a `BreachReport` against the **NDPA 2023 Section 40** breach-notification duty as detailed by **NDPC GAID 2025 Article 33** — the mandated content of the notification to the Commission, the 72-hour deadline from discovery, and the data-subject communication owed when the risk is high.
+
+```ts
+import { assessBreachNotification } from '@tantainnovative/ndpr-toolkit/core';
+
+const result = assessBreachNotification(breachReport, {
+  asOf: Date.now(),
+  assessment: riskAssessment, // optional — high risk triggers the S.40(3) data-subject duty
+});
+
+result.complete;             // false until every mandated item is present
+result.completeness;         // 0–100 across applicable items
+result.missing;              // ["Steps taken to reduce the risk of harm", ...]
+result.timing.deadline;      // discoveredAt + 72h
+result.timing.hoursRemaining;// time left to notify the NDPC (negative once overdue)
+result.timing.overdue;       // true once the 72-hour window has passed
+result.dataSubjectCommunicationRequired; // true on high risk (S.40(3))
+result.recommendations;      // actionable, each citing its provision
+```
+
+The content checklist (`notificationToCommission`) maps each item to its source — **GAID 2025 Art. 33(5)(a)–(h)** for the description, timing, data involved, risk-of-harm, numbers at risk, mitigation, notification steps, and contact point; **NDPA S. 40(2)** for the data-subject categories and record count. Late filings are flagged with `requiresDelayJustification` (the NDPC permits phased reporting where full details aren't yet available). Also available as the memoised `useBreachNotificationAssessment(report, options?)` hook from `/hooks`.
+
+> A documentation-completeness aid, not legal advice — verify against current NDPC guidance.
+
+---
+
 ## Backend Integration
 
 ### CLI scaffolder

package/dist/{chunk-YX7DEHPA.mjs → chunk-6A7M4CGJ.mjs}

@@ -1 +1 @@
-var m=["critical","high","medium","low"];function p(e){let i=new Date(e).getTime();if(isNaN(i))return 1/0;let t=(Date.now()-i)/(1e3*60*60*24*30.44);return Math.max(0,t)}function u(e){if(e.length===0)return 100;let i=e.filter(t=>t.pass).length;return Math.round(i/e.length*100)}function f(e){return [{key:"hasConsentMechanism",label:"Consent collection mechanism",priority:"critical",effort:"high",recommendation:"Implement a clear, affirmative consent collection mechanism before processing personal data.",ndpaSection:"Section 25",pass:e.hasConsentMechanism},{key:"hasPurposeSpecification",label:"Purpose specification at collection",priority:"critical",effort:"medium",recommendation:"Specify and communicate the purpose of data collection at the point of consent.",ndpaSection:"Section 25",pass:e.hasPurposeSpecification},{key:"hasWithdrawalMechanism",label:"Consent withdrawal mechanism",priority:"high",effort:"medium",recommendation:"Provide a simple mechanism for data subjects to withdraw consent at any time.",ndpaSection:"Section 26",pass:e.hasWithdrawalMechanism},{key:"hasMinorProtection",label:"Minor (child) data protection controls",priority:"high",effort:"high",recommendation:"Implement age-verification and parental-consent controls for processing data of minors.",ndpaSection:"Section 31",pass:e.hasMinorProtection},{key:"consentRecordsRetained",label:"Consent records retained",priority:"medium",effort:"low",recommendation:"Retain records of all consents obtained, including what was agreed to and when.",ndpaSection:"Section 25",pass:e.consentRecordsRetained}]}function g(e){let i=e.responseTimelineDays<=30;return [{key:"hasRequestMechanism",label:"DSR submission mechanism",priority:"critical",effort:"high",recommendation:"Implement a formal channel (e.g. a web form or email address) for data subjects to submit requests.",ndpaSection:"Section 34",pass:e.hasRequestMechanism},{key:"supportsAccess",label:"Right of access supported",priority:"high",effort:"medium",recommendation:"Enable data subjects to request and receive a copy of their personal data.",ndpaSection:"Section 34(1)(a)\u2013(b)",pass:e.supportsAccess},{key:"supportsRectification",label:"Right to rectification supported",priority:"high",effort:"medium",recommendation:"Allow data subjects to request correction of inaccurate or incomplete personal data.",ndpaSection:"Section 34(1)(c)",pass:e.supportsRectification},{key:"supportsErasure",label:"Right to erasure supported",priority:"high",effort:"high",recommendation:"Implement processes to delete personal data upon valid erasure requests.",ndpaSection:"Section 34(1)(d), Section 34(2)",pass:e.supportsErasure},{key:"supportsPortability",label:"Right to data portability supported",priority:"medium",effort:"high",recommendation:"Provide personal data in a structured, machine-readable format upon request.",ndpaSection:"Section 38",pass:e.supportsPortability},{key:"supportsObjection",label:"Right to object supported",priority:"medium",effort:"medium",recommendation:"Honour objections to processing where no compelling legitimate grounds override the data subject's interests.",ndpaSection:"Section 36",pass:e.supportsObjection},{key:"responseTimeline",label:"DSR response within 30 days",priority:"high",effort:"medium",recommendation:"Reduce DSR response time to 30 days or less per NDPC guidance (GAID 2025).",ndpaSection:"Section 34 (NDPC GAID 2025 timeline guidance)",pass:i}]}function y(e){return [{key:"conductedForHighRisk",label:"DPIA conducted for high-risk processing",priority:"critical",effort:"high",recommendation:"Conduct a Data Protection Impact Assessment before undertaking high-risk processing activities.",ndpaSection:"Section 28",pass:e.conductedForHighRisk},{key:"documentedRisks",label:"Risks documented in DPIA",priority:"high",effort:"medium",recommendation:"Document identified risks to data subjects' rights and freedoms within the DPIA.",ndpaSection:"Section 28",pass:e.documentedRisks},{key:"mitigationMeasures",label:"Mitigation measures documented",priority:"high",effort:"medium",recommendation:"Document mitigation measures and residual risk acceptance within the DPIA.",ndpaSection:"Section 28",pass:e.mitigationMeasures}]}function b(e){return [{key:"hasNotificationProcess",label:"Breach notification process in place",priority:"critical",effort:"high",recommendation:"Establish a documented breach notification process covering detection, assessment, and reporting.",ndpaSection:"Section 40",pass:e.hasNotificationProcess},{key:"notifiesWithin72Hours",label:"NDPC notified within 72 hours",priority:"critical",effort:"medium",recommendation:"Ensure the NDPC is notified of qualifying breaches within 72 hours of discovery.",ndpaSection:"Section 40",pass:e.notifiesWithin72Hours},{key:"hasRiskAssessment",label:"Breach risk assessment performed",priority:"high",effort:"medium",recommendation:"Perform a risk assessment for every identified breach to determine notification obligations.",ndpaSection:"Section 40",pass:e.hasRiskAssessment},{key:"hasRecordKeeping",label:"Breach records maintained",priority:"medium",effort:"low",recommendation:"Maintain a breach register documenting all incidents, assessments, and actions taken.",ndpaSection:"Section 40",pass:e.hasRecordKeeping}]}function S(e){let t=p(e.lastUpdated)<=13;return [{key:"hasPrivacyPolicy",label:"Privacy policy exists",priority:"critical",effort:"high",recommendation:"Draft and publish a comprehensive privacy policy that satisfies NDPA requirements.",ndpaSection:"Section 27",pass:e.hasPrivacyPolicy},{key:"isPubliclyAccessible",label:"Privacy policy publicly accessible",priority:"high",effort:"low",recommendation:"Make the privacy policy easily accessible to data subjects on your website or app.",ndpaSection:"Section 27",pass:e.isPubliclyAccessible},{key:"policyUpToDate",label:"Privacy policy reviewed within 13 months",priority:"medium",effort:"medium",recommendation:"Review and update the privacy policy at least annually to reflect current practices.",ndpaSection:"Section 27",pass:t},{key:"coversAllSections",label:"Privacy policy covers all required sections",priority:"high",effort:"medium",recommendation:"Ensure the privacy policy addresses all NDPA-mandated disclosures including lawful basis, retention, and subject rights.",ndpaSection:"Section 27",pass:e.coversAllSections}]}function R(e){return [{key:"documentedForAllProcessing",label:"Lawful basis documented for all processing",priority:"critical",effort:"high",recommendation:"Identify and document a valid lawful basis for every processing activity before it begins.",ndpaSection:"Section 25(1)",pass:e.documentedForAllProcessing},{key:"hasLegitimateInterestAssessment",label:"Legitimate interest assessment completed",priority:"medium",effort:"medium",recommendation:"Complete a Legitimate Interest Assessment (LIA) where legitimate interests is the chosen lawful basis.",ndpaSection:"Section 25(1)",pass:e.hasLegitimateInterestAssessment}]}function v(e){return [{key:"hasTransferMechanisms",label:"Transfer mechanisms in place",priority:"critical",effort:"high",recommendation:"Implement appropriate transfer mechanisms (SCCs, BCRs, adequacy decisions, or Section 43 derogations) for all cross-border transfers.",ndpaSection:"Section 41",pass:e.hasTransferMechanisms},{key:"adequacyAssessed",label:"Adequacy of destination country assessed",priority:"high",effort:"medium",recommendation:"Assess whether the destination country provides an adequate level of data protection before transferring.",ndpaSection:"Section 42",pass:e.adequacyAssessed},{key:"ndpcApprovalObtained",label:"NDPC approval obtained where required",priority:"high",effort:"high",recommendation:"Obtain NDPC approval (e.g. for binding corporate rules, codes of conduct, or certification mechanisms) for transfers to countries without adequacy decisions where required.",ndpaSection:"Section 42(5)",pass:e.ndpcApprovalObtained}]}function w(e){let t=p(e.lastReviewed)<=6;return [{key:"maintained",label:"Record of Processing Activities maintained",priority:"critical",effort:"high",recommendation:"Create and maintain a comprehensive Record of Processing Activities (ROPA) as required by the NDPA.",ndpaSection:"Section 29",pass:e.maintained},{key:"includesAllProcessing",label:"ROPA includes all processing activities",priority:"high",effort:"medium",recommendation:"Ensure the ROPA captures every processing activity across all departments and systems.",ndpaSection:"Section 29",pass:e.includesAllProcessing},{key:"ropaUpToDate",label:"ROPA reviewed within 6 months",priority:"medium",effort:"low",recommendation:"Review and update the ROPA at least every six months to reflect changes in processing activities.",ndpaSection:"Section 29",pass:t}]}var k=[{name:"consent",weight:.2,ndpaSections:["Section 25","Section 26"],evaluate:e=>f(e.consent)},{name:"dsr",weight:.15,ndpaSections:["Section 34","Section 35","Section 36","Section 37","Section 38"],evaluate:e=>g(e.dsr)},{name:"breach",weight:.15,ndpaSections:["Section 40"],evaluate:e=>b(e.breach)},{name:"policy",weight:.12,ndpaSections:["Section 27"],evaluate:e=>S(e.policy)},{name:"dpia",weight:.12,ndpaSections:["Section 28"],evaluate:e=>y(e.dpia)},{name:"lawfulBasis",weight:.1,ndpaSections:["Section 25(1)"],evaluate:e=>R(e.lawfulBasis)},{name:"crossBorder",weight:.08,ndpaSections:["Section 41","Section 42","Section 43"],evaluate:e=>v(e.crossBorder)},{name:"ropa",weight:.08,ndpaSections:["Section 29"],evaluate:e=>w(e.ropa)}];function P(e){return e>=90?"excellent":e>=70?"good":e>=40?"needs-work":"critical"}function C(e){let i={},t=[],s=0;for(let o of k){let a=o.evaluate(e),c=u(a),l=c*o.weight;s+=l;let d=[];for(let n of a)n.pass||(d.push(n.label),t.push({module:o.name,key:n.key,label:n.label,priority:n.priority,effort:n.effort,recommendation:n.recommendation,ndpaSection:n.ndpaSection}));i[o.name]={name:o.name,score:c,maxScore:100,weightedScore:Math.round(l*100)/100,ndpaSections:o.ndpaSections,gaps:d};}t.sort((o,a)=>m.indexOf(o.priority)-m.indexOf(a.priority));let r=Math.round(s),h=[{section:"Section 25",title:"Consent and lawful basis for processing"},{section:"Section 26",title:"Withdrawal of consent and minor protection"},{section:"Section 27",title:"Privacy notice requirements"},{section:"Section 28",title:"Data Protection Impact Assessment (including Section 28(2) NDPC consultation)"},{section:"Section 29",title:"Records of processing activities"},{section:"Section 34",title:"Data subject rights (access, rectification, erasure, restriction)"},{section:"Section 35",title:"Right to withdraw consent"},{section:"Section 36",title:"Right to object"},{section:"Section 37",title:"Rights related to automated decision-making"},{section:"Section 38",title:"Right to data portability"},{section:"Section 40",title:"Data breach notification"},{section:"Section 41",title:"Cross-border transfer mechanisms (SCCs / BCRs)"},{section:"Section 42",title:"Cross-border adequacy decisions"},{section:"Section 43",title:"Cross-border transfer derogations"}];return {score:r,rating:P(r),modules:i,recommendations:t,regulatoryReferences:h,generatedAt:new Date().toISOString()}}export{C as a};
+var m=["critical","high","medium","low"];function p(e){let i=new Date(e).getTime();if(isNaN(i))return 1/0;let t=(Date.now()-i)/(1e3*60*60*24*30.44);return Math.max(0,t)}function h(e){if(e.length===0)return 100;let i=e.filter(t=>t.pass).length;return Math.round(i/e.length*100)}function f(e){return [{key:"hasConsentMechanism",label:"Consent collection mechanism",priority:"critical",effort:"high",recommendation:"Implement a clear, affirmative consent collection mechanism before processing personal data.",ndpaSection:"Section 25",pass:e.hasConsentMechanism},{key:"hasPurposeSpecification",label:"Purpose specification at collection",priority:"critical",effort:"medium",recommendation:"Specify and communicate the purpose of data collection at the point of consent.",ndpaSection:"Section 25",pass:e.hasPurposeSpecification},{key:"hasWithdrawalMechanism",label:"Consent withdrawal mechanism",priority:"high",effort:"medium",recommendation:"Provide a simple mechanism for data subjects to withdraw consent at any time.",ndpaSection:"Section 26",pass:e.hasWithdrawalMechanism},{key:"hasMinorProtection",label:"Minor (child) data protection controls",priority:"high",effort:"high",recommendation:"Implement age-verification and parental-consent controls for processing data of minors.",ndpaSection:"Section 31",pass:e.hasMinorProtection},{key:"consentRecordsRetained",label:"Consent records retained",priority:"medium",effort:"low",recommendation:"Retain records of all consents obtained, including what was agreed to and when.",ndpaSection:"Section 25",pass:e.consentRecordsRetained}]}function g(e){let i=e.responseTimelineDays<=30;return [{key:"hasRequestMechanism",label:"DSR submission mechanism",priority:"critical",effort:"high",recommendation:"Implement a formal channel (e.g. a web form or email address) for data subjects to submit requests.",ndpaSection:"Section 34",pass:e.hasRequestMechanism},{key:"supportsAccess",label:"Right of access supported",priority:"high",effort:"medium",recommendation:"Enable data subjects to request and receive a copy of their personal data.",ndpaSection:"Section 34(1)(a)\u2013(b)",pass:e.supportsAccess},{key:"supportsRectification",label:"Right to rectification supported",priority:"high",effort:"medium",recommendation:"Allow data subjects to request correction of inaccurate or incomplete personal data.",ndpaSection:"Section 34(1)(c)",pass:e.supportsRectification},{key:"supportsErasure",label:"Right to erasure supported",priority:"high",effort:"high",recommendation:"Implement processes to delete personal data upon valid erasure requests.",ndpaSection:"Section 34(1)(d), Section 34(2)",pass:e.supportsErasure},{key:"supportsPortability",label:"Right to data portability supported",priority:"medium",effort:"high",recommendation:"Provide personal data in a structured, machine-readable format upon request.",ndpaSection:"Section 38",pass:e.supportsPortability},{key:"supportsObjection",label:"Right to object supported",priority:"medium",effort:"medium",recommendation:"Honour objections to processing where no compelling legitimate grounds override the data subject's interests.",ndpaSection:"Section 36",pass:e.supportsObjection},{key:"responseTimeline",label:"DSR response within 30 days",priority:"high",effort:"medium",recommendation:"Reduce DSR response time to 30 days or less per NDPC guidance (GAID 2025).",ndpaSection:"Section 34 (NDPC GAID 2025 timeline guidance)",pass:i}]}function y(e){return [{key:"conductedForHighRisk",label:"DPIA conducted for high-risk processing",priority:"critical",effort:"high",recommendation:"Conduct a Data Protection Impact Assessment before undertaking high-risk processing activities.",ndpaSection:"Section 28",pass:e.conductedForHighRisk},{key:"documentedRisks",label:"Risks documented in DPIA",priority:"high",effort:"medium",recommendation:"Document identified risks to data subjects' rights and freedoms within the DPIA.",ndpaSection:"Section 28",pass:e.documentedRisks},{key:"mitigationMeasures",label:"Mitigation measures documented",priority:"high",effort:"medium",recommendation:"Document mitigation measures and residual risk acceptance within the DPIA.",ndpaSection:"Section 28",pass:e.mitigationMeasures}]}function b(e){return [{key:"hasNotificationProcess",label:"Breach notification process in place",priority:"critical",effort:"high",recommendation:"Establish a documented breach notification process covering detection, assessment, and reporting.",ndpaSection:"Section 40",pass:e.hasNotificationProcess},{key:"notifiesWithin72Hours",label:"NDPC notified within 72 hours",priority:"critical",effort:"medium",recommendation:"Ensure the NDPC is notified of qualifying breaches within 72 hours of discovery.",ndpaSection:"Section 40",pass:e.notifiesWithin72Hours},{key:"hasRiskAssessment",label:"Breach risk assessment performed",priority:"high",effort:"medium",recommendation:"Perform a risk assessment for every identified breach to determine notification obligations.",ndpaSection:"Section 40",pass:e.hasRiskAssessment},{key:"hasRecordKeeping",label:"Breach records maintained",priority:"medium",effort:"low",recommendation:"Maintain a breach register documenting all incidents, assessments, and actions taken.",ndpaSection:"Section 40",pass:e.hasRecordKeeping}]}function S(e){let t=p(e.lastUpdated)<=13;return [{key:"hasPrivacyPolicy",label:"Privacy policy exists",priority:"critical",effort:"high",recommendation:"Draft and publish a comprehensive privacy policy that satisfies NDPA requirements.",ndpaSection:"Section 27",pass:e.hasPrivacyPolicy},{key:"isPubliclyAccessible",label:"Privacy policy publicly accessible",priority:"high",effort:"low",recommendation:"Make the privacy policy easily accessible to data subjects on your website or app.",ndpaSection:"Section 27",pass:e.isPubliclyAccessible},{key:"policyUpToDate",label:"Privacy policy reviewed within 13 months",priority:"medium",effort:"medium",recommendation:"Review and update the privacy policy at least annually to reflect current practices.",ndpaSection:"Section 27",pass:t},{key:"coversAllSections",label:"Privacy policy covers all required sections",priority:"high",effort:"medium",recommendation:"Ensure the privacy policy addresses all NDPA-mandated disclosures including lawful basis, retention, and subject rights.",ndpaSection:"Section 27",pass:e.coversAllSections}]}function R(e){return [{key:"documentedForAllProcessing",label:"Lawful basis documented for all processing",priority:"critical",effort:"high",recommendation:"Identify and document a valid lawful basis for every processing activity before it begins.",ndpaSection:"Section 25(1)",pass:e.documentedForAllProcessing},{key:"hasLegitimateInterestAssessment",label:"Legitimate interest assessment completed",priority:"medium",effort:"medium",recommendation:"Complete a Legitimate Interest Assessment (LIA) where legitimate interests is the chosen lawful basis.",ndpaSection:"Section 25(1)",pass:e.hasLegitimateInterestAssessment}]}function v(e){return [{key:"hasTransferMechanisms",label:"Transfer mechanisms in place",priority:"critical",effort:"high",recommendation:"Implement appropriate transfer mechanisms (SCCs, BCRs, adequacy decisions, or Section 43 derogations) for all cross-border transfers.",ndpaSection:"Section 41",pass:e.hasTransferMechanisms},{key:"adequacyAssessed",label:"Adequacy of destination country assessed",priority:"high",effort:"medium",recommendation:"Assess whether the destination country provides an adequate level of data protection before transferring.",ndpaSection:"Section 42",pass:e.adequacyAssessed},{key:"ndpcApprovalObtained",label:"NDPC approval obtained where required",priority:"high",effort:"high",recommendation:"Obtain NDPC approval (e.g. for binding corporate rules, codes of conduct, or certification mechanisms) for transfers to countries without adequacy decisions where required.",ndpaSection:"Section 42(5)",pass:e.ndpcApprovalObtained}]}function w(e){let t=p(e.lastReviewed)<=6;return [{key:"maintained",label:"Record of Processing Activities maintained",priority:"critical",effort:"high",recommendation:"Create and maintain a comprehensive Record of Processing Activities (ROPA) as required by the NDPA.",ndpaSection:"Section 29",pass:e.maintained},{key:"includesAllProcessing",label:"ROPA includes all processing activities",priority:"high",effort:"medium",recommendation:"Ensure the ROPA captures every processing activity across all departments and systems.",ndpaSection:"Section 29",pass:e.includesAllProcessing},{key:"ropaUpToDate",label:"ROPA reviewed within 6 months",priority:"medium",effort:"low",recommendation:"Review and update the ROPA at least every six months to reflect changes in processing activities.",ndpaSection:"Section 29",pass:t}]}var k=[{name:"consent",weight:.2,ndpaSections:["Section 25","Section 26"],evaluate:e=>f(e.consent)},{name:"dsr",weight:.15,ndpaSections:["Section 34","Section 35","Section 36","Section 37","Section 38"],evaluate:e=>g(e.dsr)},{name:"breach",weight:.15,ndpaSections:["Section 40"],evaluate:e=>b(e.breach)},{name:"policy",weight:.12,ndpaSections:["Section 27"],evaluate:e=>S(e.policy)},{name:"dpia",weight:.12,ndpaSections:["Section 28"],evaluate:e=>y(e.dpia)},{name:"lawfulBasis",weight:.1,ndpaSections:["Section 25(1)"],evaluate:e=>R(e.lawfulBasis)},{name:"crossBorder",weight:.08,ndpaSections:["Section 41","Section 42","Section 43"],evaluate:e=>v(e.crossBorder)},{name:"ropa",weight:.08,ndpaSections:["Section 29"],evaluate:e=>w(e.ropa)}];function P(e){return e>=90?"excellent":e>=70?"good":e>=40?"needs-work":"critical"}function C(e){let i={},t=[],s=0;for(let o of k){let a=o.evaluate(e),c=h(a),l=c*o.weight;s+=l;let d=[];for(let n of a)n.pass||(d.push(n.label),t.push({module:o.name,key:n.key,label:n.label,priority:n.priority,effort:n.effort,recommendation:n.recommendation,ndpaSection:n.ndpaSection}));i[o.name]={name:o.name,score:c,maxScore:100,weightedScore:Math.round(l*100)/100,ndpaSections:o.ndpaSections,gaps:d};}t.sort((o,a)=>m.indexOf(o.priority)-m.indexOf(a.priority));let r=Math.round(s),u=[{section:"Section 25",title:"Consent and lawful basis for processing"},{section:"Section 26",title:"Consent"},{section:"Section 27",title:"Privacy notice requirements"},{section:"Section 28",title:"Data Protection Impact Assessment (including Section 28(2) NDPC consultation)"},{section:"Section 29",title:"Records of processing activities"},{section:"Section 34",title:"Data subject rights (access, rectification, erasure, restriction)"},{section:"Section 35",title:"Right to withdraw consent"},{section:"Section 36",title:"Right to object"},{section:"Section 37",title:"Rights related to automated decision-making"},{section:"Section 38",title:"Right to data portability"},{section:"Section 40",title:"Data breach notification"},{section:"Section 41",title:"Cross-border transfer mechanisms (SCCs / BCRs)"},{section:"Section 42",title:"Cross-border adequacy decisions"},{section:"Section 43",title:"Cross-border transfer derogations"}];return {score:r,rating:P(r),modules:i,recommendations:t,regulatoryReferences:u,generatedAt:new Date().toISOString()}}export{C as a};

package/dist/{chunk-JVMHWM3I.js → chunk-7TTXS7JX.js}

@@ -1 +1 @@
-'use strict';var m=["critical","high","medium","low"];function p(e){let i=new Date(e).getTime();if(isNaN(i))return 1/0;let t=(Date.now()-i)/(1e3*60*60*24*30.44);return Math.max(0,t)}function u(e){if(e.length===0)return 100;let i=e.filter(t=>t.pass).length;return Math.round(i/e.length*100)}function f(e){return [{key:"hasConsentMechanism",label:"Consent collection mechanism",priority:"critical",effort:"high",recommendation:"Implement a clear, affirmative consent collection mechanism before processing personal data.",ndpaSection:"Section 25",pass:e.hasConsentMechanism},{key:"hasPurposeSpecification",label:"Purpose specification at collection",priority:"critical",effort:"medium",recommendation:"Specify and communicate the purpose of data collection at the point of consent.",ndpaSection:"Section 25",pass:e.hasPurposeSpecification},{key:"hasWithdrawalMechanism",label:"Consent withdrawal mechanism",priority:"high",effort:"medium",recommendation:"Provide a simple mechanism for data subjects to withdraw consent at any time.",ndpaSection:"Section 26",pass:e.hasWithdrawalMechanism},{key:"hasMinorProtection",label:"Minor (child) data protection controls",priority:"high",effort:"high",recommendation:"Implement age-verification and parental-consent controls for processing data of minors.",ndpaSection:"Section 31",pass:e.hasMinorProtection},{key:"consentRecordsRetained",label:"Consent records retained",priority:"medium",effort:"low",recommendation:"Retain records of all consents obtained, including what was agreed to and when.",ndpaSection:"Section 25",pass:e.consentRecordsRetained}]}function g(e){let i=e.responseTimelineDays<=30;return [{key:"hasRequestMechanism",label:"DSR submission mechanism",priority:"critical",effort:"high",recommendation:"Implement a formal channel (e.g. a web form or email address) for data subjects to submit requests.",ndpaSection:"Section 34",pass:e.hasRequestMechanism},{key:"supportsAccess",label:"Right of access supported",priority:"high",effort:"medium",recommendation:"Enable data subjects to request and receive a copy of their personal data.",ndpaSection:"Section 34(1)(a)\u2013(b)",pass:e.supportsAccess},{key:"supportsRectification",label:"Right to rectification supported",priority:"high",effort:"medium",recommendation:"Allow data subjects to request correction of inaccurate or incomplete personal data.",ndpaSection:"Section 34(1)(c)",pass:e.supportsRectification},{key:"supportsErasure",label:"Right to erasure supported",priority:"high",effort:"high",recommendation:"Implement processes to delete personal data upon valid erasure requests.",ndpaSection:"Section 34(1)(d), Section 34(2)",pass:e.supportsErasure},{key:"supportsPortability",label:"Right to data portability supported",priority:"medium",effort:"high",recommendation:"Provide personal data in a structured, machine-readable format upon request.",ndpaSection:"Section 38",pass:e.supportsPortability},{key:"supportsObjection",label:"Right to object supported",priority:"medium",effort:"medium",recommendation:"Honour objections to processing where no compelling legitimate grounds override the data subject's interests.",ndpaSection:"Section 36",pass:e.supportsObjection},{key:"responseTimeline",label:"DSR response within 30 days",priority:"high",effort:"medium",recommendation:"Reduce DSR response time to 30 days or less per NDPC guidance (GAID 2025).",ndpaSection:"Section 34 (NDPC GAID 2025 timeline guidance)",pass:i}]}function y(e){return [{key:"conductedForHighRisk",label:"DPIA conducted for high-risk processing",priority:"critical",effort:"high",recommendation:"Conduct a Data Protection Impact Assessment before undertaking high-risk processing activities.",ndpaSection:"Section 28",pass:e.conductedForHighRisk},{key:"documentedRisks",label:"Risks documented in DPIA",priority:"high",effort:"medium",recommendation:"Document identified risks to data subjects' rights and freedoms within the DPIA.",ndpaSection:"Section 28",pass:e.documentedRisks},{key:"mitigationMeasures",label:"Mitigation measures documented",priority:"high",effort:"medium",recommendation:"Document mitigation measures and residual risk acceptance within the DPIA.",ndpaSection:"Section 28",pass:e.mitigationMeasures}]}function b(e){return [{key:"hasNotificationProcess",label:"Breach notification process in place",priority:"critical",effort:"high",recommendation:"Establish a documented breach notification process covering detection, assessment, and reporting.",ndpaSection:"Section 40",pass:e.hasNotificationProcess},{key:"notifiesWithin72Hours",label:"NDPC notified within 72 hours",priority:"critical",effort:"medium",recommendation:"Ensure the NDPC is notified of qualifying breaches within 72 hours of discovery.",ndpaSection:"Section 40",pass:e.notifiesWithin72Hours},{key:"hasRiskAssessment",label:"Breach risk assessment performed",priority:"high",effort:"medium",recommendation:"Perform a risk assessment for every identified breach to determine notification obligations.",ndpaSection:"Section 40",pass:e.hasRiskAssessment},{key:"hasRecordKeeping",label:"Breach records maintained",priority:"medium",effort:"low",recommendation:"Maintain a breach register documenting all incidents, assessments, and actions taken.",ndpaSection:"Section 40",pass:e.hasRecordKeeping}]}function S(e){let t=p(e.lastUpdated)<=13;return [{key:"hasPrivacyPolicy",label:"Privacy policy exists",priority:"critical",effort:"high",recommendation:"Draft and publish a comprehensive privacy policy that satisfies NDPA requirements.",ndpaSection:"Section 27",pass:e.hasPrivacyPolicy},{key:"isPubliclyAccessible",label:"Privacy policy publicly accessible",priority:"high",effort:"low",recommendation:"Make the privacy policy easily accessible to data subjects on your website or app.",ndpaSection:"Section 27",pass:e.isPubliclyAccessible},{key:"policyUpToDate",label:"Privacy policy reviewed within 13 months",priority:"medium",effort:"medium",recommendation:"Review and update the privacy policy at least annually to reflect current practices.",ndpaSection:"Section 27",pass:t},{key:"coversAllSections",label:"Privacy policy covers all required sections",priority:"high",effort:"medium",recommendation:"Ensure the privacy policy addresses all NDPA-mandated disclosures including lawful basis, retention, and subject rights.",ndpaSection:"Section 27",pass:e.coversAllSections}]}function R(e){return [{key:"documentedForAllProcessing",label:"Lawful basis documented for all processing",priority:"critical",effort:"high",recommendation:"Identify and document a valid lawful basis for every processing activity before it begins.",ndpaSection:"Section 25(1)",pass:e.documentedForAllProcessing},{key:"hasLegitimateInterestAssessment",label:"Legitimate interest assessment completed",priority:"medium",effort:"medium",recommendation:"Complete a Legitimate Interest Assessment (LIA) where legitimate interests is the chosen lawful basis.",ndpaSection:"Section 25(1)",pass:e.hasLegitimateInterestAssessment}]}function v(e){return [{key:"hasTransferMechanisms",label:"Transfer mechanisms in place",priority:"critical",effort:"high",recommendation:"Implement appropriate transfer mechanisms (SCCs, BCRs, adequacy decisions, or Section 43 derogations) for all cross-border transfers.",ndpaSection:"Section 41",pass:e.hasTransferMechanisms},{key:"adequacyAssessed",label:"Adequacy of destination country assessed",priority:"high",effort:"medium",recommendation:"Assess whether the destination country provides an adequate level of data protection before transferring.",ndpaSection:"Section 42",pass:e.adequacyAssessed},{key:"ndpcApprovalObtained",label:"NDPC approval obtained where required",priority:"high",effort:"high",recommendation:"Obtain NDPC approval (e.g. for binding corporate rules, codes of conduct, or certification mechanisms) for transfers to countries without adequacy decisions where required.",ndpaSection:"Section 42(5)",pass:e.ndpcApprovalObtained}]}function w(e){let t=p(e.lastReviewed)<=6;return [{key:"maintained",label:"Record of Processing Activities maintained",priority:"critical",effort:"high",recommendation:"Create and maintain a comprehensive Record of Processing Activities (ROPA) as required by the NDPA.",ndpaSection:"Section 29",pass:e.maintained},{key:"includesAllProcessing",label:"ROPA includes all processing activities",priority:"high",effort:"medium",recommendation:"Ensure the ROPA captures every processing activity across all departments and systems.",ndpaSection:"Section 29",pass:e.includesAllProcessing},{key:"ropaUpToDate",label:"ROPA reviewed within 6 months",priority:"medium",effort:"low",recommendation:"Review and update the ROPA at least every six months to reflect changes in processing activities.",ndpaSection:"Section 29",pass:t}]}var k=[{name:"consent",weight:.2,ndpaSections:["Section 25","Section 26"],evaluate:e=>f(e.consent)},{name:"dsr",weight:.15,ndpaSections:["Section 34","Section 35","Section 36","Section 37","Section 38"],evaluate:e=>g(e.dsr)},{name:"breach",weight:.15,ndpaSections:["Section 40"],evaluate:e=>b(e.breach)},{name:"policy",weight:.12,ndpaSections:["Section 27"],evaluate:e=>S(e.policy)},{name:"dpia",weight:.12,ndpaSections:["Section 28"],evaluate:e=>y(e.dpia)},{name:"lawfulBasis",weight:.1,ndpaSections:["Section 25(1)"],evaluate:e=>R(e.lawfulBasis)},{name:"crossBorder",weight:.08,ndpaSections:["Section 41","Section 42","Section 43"],evaluate:e=>v(e.crossBorder)},{name:"ropa",weight:.08,ndpaSections:["Section 29"],evaluate:e=>w(e.ropa)}];function P(e){return e>=90?"excellent":e>=70?"good":e>=40?"needs-work":"critical"}function C(e){let i={},t=[],s=0;for(let o of k){let a=o.evaluate(e),c=u(a),l=c*o.weight;s+=l;let d=[];for(let n of a)n.pass||(d.push(n.label),t.push({module:o.name,key:n.key,label:n.label,priority:n.priority,effort:n.effort,recommendation:n.recommendation,ndpaSection:n.ndpaSection}));i[o.name]={name:o.name,score:c,maxScore:100,weightedScore:Math.round(l*100)/100,ndpaSections:o.ndpaSections,gaps:d};}t.sort((o,a)=>m.indexOf(o.priority)-m.indexOf(a.priority));let r=Math.round(s),h=[{section:"Section 25",title:"Consent and lawful basis for processing"},{section:"Section 26",title:"Withdrawal of consent and minor protection"},{section:"Section 27",title:"Privacy notice requirements"},{section:"Section 28",title:"Data Protection Impact Assessment (including Section 28(2) NDPC consultation)"},{section:"Section 29",title:"Records of processing activities"},{section:"Section 34",title:"Data subject rights (access, rectification, erasure, restriction)"},{section:"Section 35",title:"Right to withdraw consent"},{section:"Section 36",title:"Right to object"},{section:"Section 37",title:"Rights related to automated decision-making"},{section:"Section 38",title:"Right to data portability"},{section:"Section 40",title:"Data breach notification"},{section:"Section 41",title:"Cross-border transfer mechanisms (SCCs / BCRs)"},{section:"Section 42",title:"Cross-border adequacy decisions"},{section:"Section 43",title:"Cross-border transfer derogations"}];return {score:r,rating:P(r),modules:i,recommendations:t,regulatoryReferences:h,generatedAt:new Date().toISOString()}}exports.a=C;
+'use strict';var m=["critical","high","medium","low"];function p(e){let i=new Date(e).getTime();if(isNaN(i))return 1/0;let t=(Date.now()-i)/(1e3*60*60*24*30.44);return Math.max(0,t)}function h(e){if(e.length===0)return 100;let i=e.filter(t=>t.pass).length;return Math.round(i/e.length*100)}function f(e){return [{key:"hasConsentMechanism",label:"Consent collection mechanism",priority:"critical",effort:"high",recommendation:"Implement a clear, affirmative consent collection mechanism before processing personal data.",ndpaSection:"Section 25",pass:e.hasConsentMechanism},{key:"hasPurposeSpecification",label:"Purpose specification at collection",priority:"critical",effort:"medium",recommendation:"Specify and communicate the purpose of data collection at the point of consent.",ndpaSection:"Section 25",pass:e.hasPurposeSpecification},{key:"hasWithdrawalMechanism",label:"Consent withdrawal mechanism",priority:"high",effort:"medium",recommendation:"Provide a simple mechanism for data subjects to withdraw consent at any time.",ndpaSection:"Section 26",pass:e.hasWithdrawalMechanism},{key:"hasMinorProtection",label:"Minor (child) data protection controls",priority:"high",effort:"high",recommendation:"Implement age-verification and parental-consent controls for processing data of minors.",ndpaSection:"Section 31",pass:e.hasMinorProtection},{key:"consentRecordsRetained",label:"Consent records retained",priority:"medium",effort:"low",recommendation:"Retain records of all consents obtained, including what was agreed to and when.",ndpaSection:"Section 25",pass:e.consentRecordsRetained}]}function g(e){let i=e.responseTimelineDays<=30;return [{key:"hasRequestMechanism",label:"DSR submission mechanism",priority:"critical",effort:"high",recommendation:"Implement a formal channel (e.g. a web form or email address) for data subjects to submit requests.",ndpaSection:"Section 34",pass:e.hasRequestMechanism},{key:"supportsAccess",label:"Right of access supported",priority:"high",effort:"medium",recommendation:"Enable data subjects to request and receive a copy of their personal data.",ndpaSection:"Section 34(1)(a)\u2013(b)",pass:e.supportsAccess},{key:"supportsRectification",label:"Right to rectification supported",priority:"high",effort:"medium",recommendation:"Allow data subjects to request correction of inaccurate or incomplete personal data.",ndpaSection:"Section 34(1)(c)",pass:e.supportsRectification},{key:"supportsErasure",label:"Right to erasure supported",priority:"high",effort:"high",recommendation:"Implement processes to delete personal data upon valid erasure requests.",ndpaSection:"Section 34(1)(d), Section 34(2)",pass:e.supportsErasure},{key:"supportsPortability",label:"Right to data portability supported",priority:"medium",effort:"high",recommendation:"Provide personal data in a structured, machine-readable format upon request.",ndpaSection:"Section 38",pass:e.supportsPortability},{key:"supportsObjection",label:"Right to object supported",priority:"medium",effort:"medium",recommendation:"Honour objections to processing where no compelling legitimate grounds override the data subject's interests.",ndpaSection:"Section 36",pass:e.supportsObjection},{key:"responseTimeline",label:"DSR response within 30 days",priority:"high",effort:"medium",recommendation:"Reduce DSR response time to 30 days or less per NDPC guidance (GAID 2025).",ndpaSection:"Section 34 (NDPC GAID 2025 timeline guidance)",pass:i}]}function y(e){return [{key:"conductedForHighRisk",label:"DPIA conducted for high-risk processing",priority:"critical",effort:"high",recommendation:"Conduct a Data Protection Impact Assessment before undertaking high-risk processing activities.",ndpaSection:"Section 28",pass:e.conductedForHighRisk},{key:"documentedRisks",label:"Risks documented in DPIA",priority:"high",effort:"medium",recommendation:"Document identified risks to data subjects' rights and freedoms within the DPIA.",ndpaSection:"Section 28",pass:e.documentedRisks},{key:"mitigationMeasures",label:"Mitigation measures documented",priority:"high",effort:"medium",recommendation:"Document mitigation measures and residual risk acceptance within the DPIA.",ndpaSection:"Section 28",pass:e.mitigationMeasures}]}function b(e){return [{key:"hasNotificationProcess",label:"Breach notification process in place",priority:"critical",effort:"high",recommendation:"Establish a documented breach notification process covering detection, assessment, and reporting.",ndpaSection:"Section 40",pass:e.hasNotificationProcess},{key:"notifiesWithin72Hours",label:"NDPC notified within 72 hours",priority:"critical",effort:"medium",recommendation:"Ensure the NDPC is notified of qualifying breaches within 72 hours of discovery.",ndpaSection:"Section 40",pass:e.notifiesWithin72Hours},{key:"hasRiskAssessment",label:"Breach risk assessment performed",priority:"high",effort:"medium",recommendation:"Perform a risk assessment for every identified breach to determine notification obligations.",ndpaSection:"Section 40",pass:e.hasRiskAssessment},{key:"hasRecordKeeping",label:"Breach records maintained",priority:"medium",effort:"low",recommendation:"Maintain a breach register documenting all incidents, assessments, and actions taken.",ndpaSection:"Section 40",pass:e.hasRecordKeeping}]}function S(e){let t=p(e.lastUpdated)<=13;return [{key:"hasPrivacyPolicy",label:"Privacy policy exists",priority:"critical",effort:"high",recommendation:"Draft and publish a comprehensive privacy policy that satisfies NDPA requirements.",ndpaSection:"Section 27",pass:e.hasPrivacyPolicy},{key:"isPubliclyAccessible",label:"Privacy policy publicly accessible",priority:"high",effort:"low",recommendation:"Make the privacy policy easily accessible to data subjects on your website or app.",ndpaSection:"Section 27",pass:e.isPubliclyAccessible},{key:"policyUpToDate",label:"Privacy policy reviewed within 13 months",priority:"medium",effort:"medium",recommendation:"Review and update the privacy policy at least annually to reflect current practices.",ndpaSection:"Section 27",pass:t},{key:"coversAllSections",label:"Privacy policy covers all required sections",priority:"high",effort:"medium",recommendation:"Ensure the privacy policy addresses all NDPA-mandated disclosures including lawful basis, retention, and subject rights.",ndpaSection:"Section 27",pass:e.coversAllSections}]}function R(e){return [{key:"documentedForAllProcessing",label:"Lawful basis documented for all processing",priority:"critical",effort:"high",recommendation:"Identify and document a valid lawful basis for every processing activity before it begins.",ndpaSection:"Section 25(1)",pass:e.documentedForAllProcessing},{key:"hasLegitimateInterestAssessment",label:"Legitimate interest assessment completed",priority:"medium",effort:"medium",recommendation:"Complete a Legitimate Interest Assessment (LIA) where legitimate interests is the chosen lawful basis.",ndpaSection:"Section 25(1)",pass:e.hasLegitimateInterestAssessment}]}function v(e){return [{key:"hasTransferMechanisms",label:"Transfer mechanisms in place",priority:"critical",effort:"high",recommendation:"Implement appropriate transfer mechanisms (SCCs, BCRs, adequacy decisions, or Section 43 derogations) for all cross-border transfers.",ndpaSection:"Section 41",pass:e.hasTransferMechanisms},{key:"adequacyAssessed",label:"Adequacy of destination country assessed",priority:"high",effort:"medium",recommendation:"Assess whether the destination country provides an adequate level of data protection before transferring.",ndpaSection:"Section 42",pass:e.adequacyAssessed},{key:"ndpcApprovalObtained",label:"NDPC approval obtained where required",priority:"high",effort:"high",recommendation:"Obtain NDPC approval (e.g. for binding corporate rules, codes of conduct, or certification mechanisms) for transfers to countries without adequacy decisions where required.",ndpaSection:"Section 42(5)",pass:e.ndpcApprovalObtained}]}function w(e){let t=p(e.lastReviewed)<=6;return [{key:"maintained",label:"Record of Processing Activities maintained",priority:"critical",effort:"high",recommendation:"Create and maintain a comprehensive Record of Processing Activities (ROPA) as required by the NDPA.",ndpaSection:"Section 29",pass:e.maintained},{key:"includesAllProcessing",label:"ROPA includes all processing activities",priority:"high",effort:"medium",recommendation:"Ensure the ROPA captures every processing activity across all departments and systems.",ndpaSection:"Section 29",pass:e.includesAllProcessing},{key:"ropaUpToDate",label:"ROPA reviewed within 6 months",priority:"medium",effort:"low",recommendation:"Review and update the ROPA at least every six months to reflect changes in processing activities.",ndpaSection:"Section 29",pass:t}]}var k=[{name:"consent",weight:.2,ndpaSections:["Section 25","Section 26"],evaluate:e=>f(e.consent)},{name:"dsr",weight:.15,ndpaSections:["Section 34","Section 35","Section 36","Section 37","Section 38"],evaluate:e=>g(e.dsr)},{name:"breach",weight:.15,ndpaSections:["Section 40"],evaluate:e=>b(e.breach)},{name:"policy",weight:.12,ndpaSections:["Section 27"],evaluate:e=>S(e.policy)},{name:"dpia",weight:.12,ndpaSections:["Section 28"],evaluate:e=>y(e.dpia)},{name:"lawfulBasis",weight:.1,ndpaSections:["Section 25(1)"],evaluate:e=>R(e.lawfulBasis)},{name:"crossBorder",weight:.08,ndpaSections:["Section 41","Section 42","Section 43"],evaluate:e=>v(e.crossBorder)},{name:"ropa",weight:.08,ndpaSections:["Section 29"],evaluate:e=>w(e.ropa)}];function P(e){return e>=90?"excellent":e>=70?"good":e>=40?"needs-work":"critical"}function C(e){let i={},t=[],s=0;for(let o of k){let a=o.evaluate(e),c=h(a),l=c*o.weight;s+=l;let d=[];for(let n of a)n.pass||(d.push(n.label),t.push({module:o.name,key:n.key,label:n.label,priority:n.priority,effort:n.effort,recommendation:n.recommendation,ndpaSection:n.ndpaSection}));i[o.name]={name:o.name,score:c,maxScore:100,weightedScore:Math.round(l*100)/100,ndpaSections:o.ndpaSections,gaps:d};}t.sort((o,a)=>m.indexOf(o.priority)-m.indexOf(a.priority));let r=Math.round(s),u=[{section:"Section 25",title:"Consent and lawful basis for processing"},{section:"Section 26",title:"Consent"},{section:"Section 27",title:"Privacy notice requirements"},{section:"Section 28",title:"Data Protection Impact Assessment (including Section 28(2) NDPC consultation)"},{section:"Section 29",title:"Records of processing activities"},{section:"Section 34",title:"Data subject rights (access, rectification, erasure, restriction)"},{section:"Section 35",title:"Right to withdraw consent"},{section:"Section 36",title:"Right to object"},{section:"Section 37",title:"Rights related to automated decision-making"},{section:"Section 38",title:"Right to data portability"},{section:"Section 40",title:"Data breach notification"},{section:"Section 41",title:"Cross-border transfer mechanisms (SCCs / BCRs)"},{section:"Section 42",title:"Cross-border adequacy decisions"},{section:"Section 43",title:"Cross-border transfer derogations"}];return {score:r,rating:P(r),modules:i,recommendations:t,regulatoryReferences:u,generatedAt:new Date().toISOString()}}exports.a=C;

package/dist/chunk-GYLUTVKB.js

@@ -0,0 +1 @@
+'use strict';var chunkOXFULQTE_js=require('./chunk-OXFULQTE.js'),chunk7TTXS7JX_js=require('./chunk-7TTXS7JX.js'),react=require('react');function u(t,e){return react.useMemo(()=>chunkOXFULQTE_js.a(t,e),[t,e])}function M({input:t}){let e=JSON.stringify(t);return react.useMemo(()=>chunk7TTXS7JX_js.a(t),[e])}function D(t,e){return react.useMemo(()=>chunkOXFULQTE_js.d(t,e),[t.dataSubjectsInSixMonths,t.isDesignated,e])}function P(t,e){return react.useMemo(()=>chunkOXFULQTE_js.e(t,e),[t.commencementDate,t.asOf,t.tier,e])}exports.a=u;exports.b=M;exports.c=D;exports.d=P;

package/dist/chunk-KOHFQIV4.mjs

@@ -0,0 +1 @@
+import {a}from'./chunk-ZJYULEER.mjs';var d=e=>typeof e=="string"&&e.trim().length>0,R=e=>typeof e=="number"&&Number.isFinite(e)&&e>=0,x=e=>Array.isArray(e)&&e.length>0,H=e=>!!e&&d(e.name)&&d(e.email);function G(e,n={}){var C,A,I,N,O;let i=(C=n.asOf)!=null?C:Date.now(),r=(A=n.deadlineHours)!=null?A:72,s=e.discoveredAt+r*36e5,o=n.notification,t=!!o,c=o==null?void 0:o.sentAt,a=(t?c:i)>s,h={deadline:s,hoursSinceDiscovery:Math.round((i-e.discoveredAt)/36e5),notified:t,notifiedAt:c,withinDeadline:!a,hoursRemaining:Math.round((s-i)/36e5),overdue:a,requiresDelayJustification:a},f=[{id:"circumstances",label:"Description of the circumstances of the breach",section:"GAID 2025 Art. 33(5)(a)",satisfied:d(e.description)},{id:"occurrence",label:"Date or time period of the breach",section:"GAID 2025 Art. 33(5)(b)",satisfied:R(e.occurredAt)},{id:"personalInfo",label:"Description of the personal data involved",section:"GAID 2025 Art. 33(5)(c)",satisfied:x(e.dataTypes)},{id:"riskOfHarm",label:"Assessment of the risk of harm to data subjects",section:"GAID 2025 Art. 33(5)(d)",satisfied:d(e.likelyConsequences)},{id:"numberAtRisk",label:"Estimated number of data subjects at risk of significant harm",section:"GAID 2025 Art. 33(5)(e)",satisfied:R(e.estimatedAffectedSubjects)},{id:"mitigation",label:"Steps taken to reduce the risk of harm",section:"GAID 2025 Art. 33(5)(f)",satisfied:d(e.mitigationMeasures)},{id:"notifySteps",label:"Steps taken to notify affected data subjects",section:"GAID 2025 Art. 33(5)(g)",satisfied:d(e.initialActions)},{id:"contactPoint",label:"Name and contact details of a contact point",section:"GAID 2025 Art. 33(5)(h)",satisfied:H(e.dpoContact)},{id:"dataSubjectCategories",label:"Categories of data subjects concerned",section:"NDPA 2023 S. 40(2)",satisfied:x(e.dataSubjectCategories)},{id:"recordCount",label:"Approximate number of personal data records concerned",section:"NDPA 2023 S. 40(2)",satisfied:R(e.approximateRecordCount)}],D=(O=(N=n.highRisk)!=null?N:(I=n.assessment)==null?void 0:I.highRisksToRightsAndFreedoms)!=null?O:false,g=D?[{id:"dsNature",label:"Nature and context of the breach in plain language",section:"NDPA 2023 S. 40(3)",satisfied:d(e.description)},{id:"dsConsequences",label:"Likely consequences of the breach",section:"NDPA 2023 S. 40(3)",satisfied:d(e.likelyConsequences)},{id:"dsMeasures",label:"Safeguards and measures data subjects can take",section:"NDPA 2023 S. 40(3)",satisfied:d(e.mitigationMeasures)},{id:"dsContact",label:"Contact point for data subjects",section:"NDPA 2023 S. 40(3)",satisfied:H(e.dpoContact)}]:[],l=[...f,...g],P=l.filter(m=>m.satisfied).length,S=Math.round(P/l.length*100),p=l.filter(m=>!m.satisfied).map(m=>m.label),y=p.length===0,u=[];for(let m of l.filter(L=>!L.satisfied))u.push(`Add: ${m.label} (${m.section}).`);return a?u.push("The 72-hour notification deadline has passed \u2014 notify the NDPC now and state the reasons for the delay; phased reporting is permitted where complete details are not yet available (NDPA S. 40(2))."):t||u.push(`${Math.max(0,h.hoursRemaining)} hour(s) remain to notify the NDPC within the 72-hour window (NDPA S. 40(2)).`),D&&u.push("High risk to data subjects \u2014 communicate the breach to affected data subjects immediately, in plain and clear language (NDPA S. 40(3))."),{complete:y,completeness:S,notificationToCommission:f,dataSubjectCommunication:g,dataSubjectCommunicationRequired:D,timing:h,missing:p,recommendations:u,asOf:i}}var j={ohl:200,ehl:1e3,uhl:5e3},k={UHL:25e4,EHL:1e5,OHL:1e4};function _(e,n={}){let i=a(a({},j),n.thresholds),r=a(a({},k),n.fees),s=e==null?void 0:e.dataSubjectsInSixMonths,o=typeof s=="number"&&s>0?Math.floor(s):0,t;o>i.uhl?t="UHL":o>=i.ehl?t="EHL":o>=i.ohl?t="OHL":e!=null&&e.isDesignated?t="listed":t="none";let c=t!=="none",b=t==="UHL"||t==="EHL"||t==="OHL"?r[t]:0,a$1=[];return t==="listed"&&a$1.push("Designated as a DCPMI below the volume tiers \u2014 confirm the applicable registration tier and fee with the NDPC."),c&&a$1.push(t==="OHL"?"OHL organisations renew their NDPC registration annually and file Compliance Audit Returns (CAR) each year.":"Register once with the NDPC, then file Compliance Audit Returns (CAR) annually."),a$1.push("Thresholds, fees, and filing dates follow the NDPC GAID 2025 baseline and can change \u2014 verify against current NDPC guidance before relying on them."),{tier:t,isDCPMI:c,annualFeeNGN:b,registration:{required:c,renewsAnnually:t==="OHL"},compliance:{auditReturnsAnnual:c,initialAuditWithinMonths:15},notes:a$1,dataSubjectsConsidered:o}}function w(e){return String(e).padStart(2,"0")}function T(e){let[n,i,r]=e.split("-").map(Number);return new Date(Date.UTC(n,i-1,r))}function B(e){return e.toISOString().slice(0,10)}function U(e,n){let[i,r,s]=e.split("-").map(Number);return B(new Date(Date.UTC(i,r-1+n,s)))}function F(){return new Date().toISOString().slice(0,10)}function W(e,n={}){var P,S,p,y,u,C,A;let i=(P=e.asOf)!=null?P:F(),r=(S=n.initialAuditWithinMonths)!=null?S:15,s=(y=(p=n.annualDeadline)==null?void 0:p.month)!=null?y:3,o=(C=(u=n.annualDeadline)==null?void 0:u.day)!=null?C:31,t=(A=n.deadlineOverrides)!=null?A:{},c=e.tier===void 0?true:e.tier!=="none",b=U(e.commencementDate,r),a=I=>{var N;return (N=t[I])!=null?N:`${I}-${w(s)}-${w(o)}`},h=Number(i.slice(0,4)),f=a(h);i>f&&(h+=1,f=a(h));let D=Math.round((T(f).getTime()-T(i).getTime())/864e5),g=i>=b,l=[];return c?(l.push("File the Compliance Audit Return with the NDPC via the NDPC Information Management Portal (NIMP)."),g&&l.push("The initial compliance-audit window has elapsed \u2014 ensure the initial audit has been conducted.")):l.push("Compliance Audit Returns apply only to Data Controllers/Processors of Major Importance."),l.push("Filing deadlines follow the NDPC GAID 2025 baseline and can be extended \u2014 verify the current deadline with the NDPC."),{applicable:c,schedule:{commencementDate:e.commencementDate,initialAuditWithinMonths:r,initialAuditDueDate:b,nextFilingDeadline:f,filingYear:h},status:{initialAuditDue:g,daysUntilNextDeadline:D},notes:l,asOf:i}}export{G as a,j as b,k as c,_ as d,W as e};

package/dist/chunk-NKFTLFPD.mjs

@@ -0,0 +1 @@
+import {a,d,e}from'./chunk-KOHFQIV4.mjs';import {a as a$1}from'./chunk-6A7M4CGJ.mjs';import {useMemo}from'react';function u(t,e){return useMemo(()=>a(t,e),[t,e])}function M({input:t}){let e=JSON.stringify(t);return useMemo(()=>a$1(t),[e])}function D(t,e){return useMemo(()=>d(t,e),[t.dataSubjectsInSixMonths,t.isDesignated,e])}function P(t,e$1){return useMemo(()=>e(t,e$1),[t.commencementDate,t.asOf,t.tier,e$1])}export{u as a,M as b,D as c,P as d};

package/dist/chunk-OXFULQTE.js

@@ -0,0 +1 @@
+'use strict';var chunkRFPLZDIO_js=require('./chunk-RFPLZDIO.js');var d=e=>typeof e=="string"&&e.trim().length>0,R=e=>typeof e=="number"&&Number.isFinite(e)&&e>=0,x=e=>Array.isArray(e)&&e.length>0,H=e=>!!e&&d(e.name)&&d(e.email);function G(e,n={}){var C,A,I,N,O;let i=(C=n.asOf)!=null?C:Date.now(),r=(A=n.deadlineHours)!=null?A:72,s=e.discoveredAt+r*36e5,o=n.notification,t=!!o,c=o==null?void 0:o.sentAt,a=(t?c:i)>s,h={deadline:s,hoursSinceDiscovery:Math.round((i-e.discoveredAt)/36e5),notified:t,notifiedAt:c,withinDeadline:!a,hoursRemaining:Math.round((s-i)/36e5),overdue:a,requiresDelayJustification:a},f=[{id:"circumstances",label:"Description of the circumstances of the breach",section:"GAID 2025 Art. 33(5)(a)",satisfied:d(e.description)},{id:"occurrence",label:"Date or time period of the breach",section:"GAID 2025 Art. 33(5)(b)",satisfied:R(e.occurredAt)},{id:"personalInfo",label:"Description of the personal data involved",section:"GAID 2025 Art. 33(5)(c)",satisfied:x(e.dataTypes)},{id:"riskOfHarm",label:"Assessment of the risk of harm to data subjects",section:"GAID 2025 Art. 33(5)(d)",satisfied:d(e.likelyConsequences)},{id:"numberAtRisk",label:"Estimated number of data subjects at risk of significant harm",section:"GAID 2025 Art. 33(5)(e)",satisfied:R(e.estimatedAffectedSubjects)},{id:"mitigation",label:"Steps taken to reduce the risk of harm",section:"GAID 2025 Art. 33(5)(f)",satisfied:d(e.mitigationMeasures)},{id:"notifySteps",label:"Steps taken to notify affected data subjects",section:"GAID 2025 Art. 33(5)(g)",satisfied:d(e.initialActions)},{id:"contactPoint",label:"Name and contact details of a contact point",section:"GAID 2025 Art. 33(5)(h)",satisfied:H(e.dpoContact)},{id:"dataSubjectCategories",label:"Categories of data subjects concerned",section:"NDPA 2023 S. 40(2)",satisfied:x(e.dataSubjectCategories)},{id:"recordCount",label:"Approximate number of personal data records concerned",section:"NDPA 2023 S. 40(2)",satisfied:R(e.approximateRecordCount)}],D=(O=(N=n.highRisk)!=null?N:(I=n.assessment)==null?void 0:I.highRisksToRightsAndFreedoms)!=null?O:false,g=D?[{id:"dsNature",label:"Nature and context of the breach in plain language",section:"NDPA 2023 S. 40(3)",satisfied:d(e.description)},{id:"dsConsequences",label:"Likely consequences of the breach",section:"NDPA 2023 S. 40(3)",satisfied:d(e.likelyConsequences)},{id:"dsMeasures",label:"Safeguards and measures data subjects can take",section:"NDPA 2023 S. 40(3)",satisfied:d(e.mitigationMeasures)},{id:"dsContact",label:"Contact point for data subjects",section:"NDPA 2023 S. 40(3)",satisfied:H(e.dpoContact)}]:[],l=[...f,...g],P=l.filter(m=>m.satisfied).length,S=Math.round(P/l.length*100),p=l.filter(m=>!m.satisfied).map(m=>m.label),y=p.length===0,u=[];for(let m of l.filter(L=>!L.satisfied))u.push(`Add: ${m.label} (${m.section}).`);return a?u.push("The 72-hour notification deadline has passed \u2014 notify the NDPC now and state the reasons for the delay; phased reporting is permitted where complete details are not yet available (NDPA S. 40(2))."):t||u.push(`${Math.max(0,h.hoursRemaining)} hour(s) remain to notify the NDPC within the 72-hour window (NDPA S. 40(2)).`),D&&u.push("High risk to data subjects \u2014 communicate the breach to affected data subjects immediately, in plain and clear language (NDPA S. 40(3))."),{complete:y,completeness:S,notificationToCommission:f,dataSubjectCommunication:g,dataSubjectCommunicationRequired:D,timing:h,missing:p,recommendations:u,asOf:i}}var j={ohl:200,ehl:1e3,uhl:5e3},k={UHL:25e4,EHL:1e5,OHL:1e4};function _(e,n={}){let i=chunkRFPLZDIO_js.a(chunkRFPLZDIO_js.a({},j),n.thresholds),r=chunkRFPLZDIO_js.a(chunkRFPLZDIO_js.a({},k),n.fees),s=e==null?void 0:e.dataSubjectsInSixMonths,o=typeof s=="number"&&s>0?Math.floor(s):0,t;o>i.uhl?t="UHL":o>=i.ehl?t="EHL":o>=i.ohl?t="OHL":e!=null&&e.isDesignated?t="listed":t="none";let c=t!=="none",b=t==="UHL"||t==="EHL"||t==="OHL"?r[t]:0,a=[];return t==="listed"&&a.push("Designated as a DCPMI below the volume tiers \u2014 confirm the applicable registration tier and fee with the NDPC."),c&&a.push(t==="OHL"?"OHL organisations renew their NDPC registration annually and file Compliance Audit Returns (CAR) each year.":"Register once with the NDPC, then file Compliance Audit Returns (CAR) annually."),a.push("Thresholds, fees, and filing dates follow the NDPC GAID 2025 baseline and can change \u2014 verify against current NDPC guidance before relying on them."),{tier:t,isDCPMI:c,annualFeeNGN:b,registration:{required:c,renewsAnnually:t==="OHL"},compliance:{auditReturnsAnnual:c,initialAuditWithinMonths:15},notes:a,dataSubjectsConsidered:o}}function w(e){return String(e).padStart(2,"0")}function T(e){let[n,i,r]=e.split("-").map(Number);return new Date(Date.UTC(n,i-1,r))}function B(e){return e.toISOString().slice(0,10)}function U(e,n){let[i,r,s]=e.split("-").map(Number);return B(new Date(Date.UTC(i,r-1+n,s)))}function F(){return new Date().toISOString().slice(0,10)}function W(e,n={}){var P,S,p,y,u,C,A;let i=(P=e.asOf)!=null?P:F(),r=(S=n.initialAuditWithinMonths)!=null?S:15,s=(y=(p=n.annualDeadline)==null?void 0:p.month)!=null?y:3,o=(C=(u=n.annualDeadline)==null?void 0:u.day)!=null?C:31,t=(A=n.deadlineOverrides)!=null?A:{},c=e.tier===void 0?true:e.tier!=="none",b=U(e.commencementDate,r),a=I=>{var N;return (N=t[I])!=null?N:`${I}-${w(s)}-${w(o)}`},h=Number(i.slice(0,4)),f=a(h);i>f&&(h+=1,f=a(h));let D=Math.round((T(f).getTime()-T(i).getTime())/864e5),g=i>=b,l=[];return c?(l.push("File the Compliance Audit Return with the NDPC via the NDPC Information Management Portal (NIMP)."),g&&l.push("The initial compliance-audit window has elapsed \u2014 ensure the initial audit has been conducted.")):l.push("Compliance Audit Returns apply only to Data Controllers/Processors of Major Importance."),l.push("Filing deadlines follow the NDPC GAID 2025 baseline and can be extended \u2014 verify the current deadline with the NDPC."),{applicable:c,schedule:{commencementDate:e.commencementDate,initialAuditWithinMonths:r,initialAuditDueDate:b,nextFilingDeadline:f,filingYear:h},status:{initialAuditDue:g,daysUntilNextDeadline:D},notes:l,asOf:i}}exports.a=G;exports.b=j;exports.c=k;exports.d=_;exports.e=W;

package/dist/core.d.mts

@@ -62,6 +62,12 @@ export declare const arabicLocale: Required<{
  */
 export declare function assemblePolicy(context: TemplateContext): PolicySection[];
 
+/**
+ * Assess a breach report against the NDPA S. 40 / GAID 2025 Article 33
+ * notification requirements.
+ */
+export declare function assessBreachNotification(report: BreachReport, options?: BreachNotificationOptions): BreachNotificationAssessment;
+
 /**
  * Analyzes all processing activities and returns compliance gaps including
  * missing DPO approval, overdue reviews, undocumented justifications,
@@ -112,6 +118,93 @@ export declare interface BreachCategory {
     defaultSeverity: 'low' | 'medium' | 'high' | 'critical';
 }
 
+export declare interface BreachNotificationAssessment {
+    /** Whether all applicable mandated content items are satisfied. */
+    complete: boolean;
+    /** Completeness of applicable content items, 0–100. */
+    completeness: number;
+    /** GAID 2025 Article 33(5) / NDPA S. 40(2) content of the notification to the Commission. */
+    notificationToCommission: BreachNotificationItem[];
+    /** NDPA S. 40(3) communication to data subjects — populated only when high-risk. */
+    dataSubjectCommunication: BreachNotificationItem[];
+    /** Whether a data-subject communication is owed (high risk). */
+    dataSubjectCommunicationRequired: boolean;
+    timing: BreachNotificationTiming;
+    /** Labels of unsatisfied applicable items. */
+    missing: string[];
+    /** Actionable next steps, including timing warnings. */
+    recommendations: string[];
+    asOf: number;
+}
+
+export declare interface BreachNotificationItem {
+    /** Stable identifier for the requirement. */
+    id: string;
+    /** Human-readable requirement. */
+    label: string;
+    /** Authoritative citation, e.g. `GAID 2025 Art. 33(5)(a)`. */
+    section: string;
+    /** Whether the report satisfies it. */
+    satisfied: boolean;
+}
+
+/**
+ * Personal-data-breach notification completeness checker for NDPA 2023
+ * Section 40, as detailed by NDPC General Application and Implementation
+ * Directive (GAID) 2025 Article 33.
+ *
+ * Section 40(2) requires a data controller to notify the Commission within 72
+ * hours of becoming aware of a breach likely to result in a risk to data
+ * subjects' rights and freedoms. GAID 2025 Article 33(5)(a)–(h) enumerates the
+ * content that a notification to the Commission "shall include". Where the
+ * breach is likely to result in a *high* risk, Section 40(3) additionally
+ * requires the controller to communicate the breach to affected data subjects
+ * in plain and clear language.
+ *
+ * This assesses a `BreachReport` against those requirements: which mandated
+ * content items are present, whether the 72-hour window is met, and whether a
+ * data-subject communication is owed. It is a documentation-completeness aid,
+ * not legal advice — verify against current NDPC guidance.
+ *
+ * @see NDPA 2023 Section 40 (Personal data breaches)
+ * @see NDPC GAID 2025 Article 33 (Data Breach Notification)
+ */
+
+export declare interface BreachNotificationOptions {
+    /** Risk assessment for the breach; drives whether data-subject communication is required. */
+    assessment?: RiskAssessment;
+    /** The regulatory notification actually sent, if any — used to judge timeliness. */
+    notification?: RegulatoryNotification;
+    /** Reference "now" in epoch ms. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Notification window in hours. Defaults to 72 (NDPA S. 40(2)). */
+    deadlineHours?: number;
+    /**
+     * Explicit high-risk flag (NDPA S. 40(3)). When omitted, derived from
+     * `assessment.highRisksToRightsAndFreedoms`.
+     */
+    highRisk?: boolean;
+}
+
+export declare interface BreachNotificationTiming {
+    /** `discoveredAt` + the notification window. */
+    deadline: number;
+    /** Whole hours between discovery and `asOf`. */
+    hoursSinceDiscovery: number;
+    /** Whether a regulatory notification has been recorded. */
+    notified: boolean;
+    /** When the regulatory notification was sent, if any. */
+    notifiedAt?: number;
+    /** Whether the notification (or, if none, `asOf`) falls within the deadline. */
+    withinDeadline: boolean;
+    /** Whole hours from `asOf` to the deadline (negative once past). */
+    hoursRemaining: number;
+    /** Whether the deadline has been missed. */
+    overdue: boolean;
+    /** Late filings must state the reasons for the delay (NDPA S. 40(2)). */
+    requiresDelayJustification: boolean;
+}
+
 /**
  * Represents a data breach report
  */
@@ -214,6 +307,74 @@ export declare function calculateBreachSeverity(report: BreachReport, assessment
     justification: string;
 };
 
+/**
+ * Compliance Audit Returns (CAR) scheduling under the NDPC General Application
+ * and Implementation Directive (GAID) 2025.
+ *
+ * A Data Controller/Processor of Major Importance (DCPMI) must conduct an
+ * initial compliance audit within 15 months of commencing data processing, and
+ * thereafter file a Compliance Audit Return with the NDPC annually (default
+ * deadline 31 March, filed through the NDPC Information Management Portal/NIMP).
+ *
+ * This computes the schedule (initial-audit due date, the next annual filing
+ * deadline relative to a reference date) and a light status. NDPC deadlines
+ * shift (the 2026 filing was extended to 30 May), so the annual deadline is
+ * configurable and per-year overrides are supported. The audit *content* itself
+ * is the organisation's compliance posture — pair this with `getComplianceScore`.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ */
+
+export declare interface CARInput {
+    /** ISO date (YYYY-MM-DD) the organisation commenced data processing. */
+    commencementDate: string;
+    /** Reference date to evaluate against (YYYY-MM-DD). Defaults to today. */
+    asOf?: string;
+    /** DCPMI tier; CAR applies to DCPMIs only. Omit to assume applicable. */
+    tier?: DCPMITier;
+}
+
+export declare interface CAROptions {
+    /** Default annual filing deadline (month is 1-12). Defaults to 31 March. */
+    annualDeadline?: {
+        month: number;
+        day: number;
+    };
+    /** Per-year overrides for the annual deadline, e.g. `{ 2026: '2026-05-30' }`. */
+    deadlineOverrides?: Record<number, string>;
+    /** Months after commencement the initial audit is due. Defaults to 15. */
+    initialAuditWithinMonths?: number;
+}
+
+/**
+ * Classify an organisation's DCPMI status, registration tier, annual fee, and
+ * Compliance Audit Returns obligations under NDPC GAID 2025.
+ */
+export declare function classifyDCPMI(input: DCPMIInput, options?: DCPMIClassificationOptions): DCPMIClassification;
+
+export declare interface ComplianceAuditReturn {
+    /** Whether CAR applies (false for non-DCPMI organisations). */
+    applicable: boolean;
+    schedule: {
+        commencementDate: string;
+        initialAuditWithinMonths: number;
+        /** Commencement date + the initial-audit window. */
+        initialAuditDueDate: string;
+        /** The next annual filing deadline on or after `asOf`. */
+        nextFilingDeadline: string;
+        /** The year the next filing deadline falls in. */
+        filingYear: number;
+    };
+    status: {
+        /** Whether the initial-audit obligation has arisen (asOf ≥ due date). */
+        initialAuditDue: boolean;
+        /** Whole days from `asOf` to the next filing deadline. */
+        daysUntilNextDeadline: number;
+    };
+    notes: string[];
+    asOf: string;
+}
+
 /** A single gap found during NDPA compliance evaluation. */
 export declare interface ComplianceGap {
     /** Machine-readable requirement identifier. */
@@ -580,6 +741,90 @@ export declare interface DataCategory {
     selected: boolean;
 }
 
+export declare interface DCPMIClassification {
+    /** Registration tier (or `'none'` when not a DCPMI). */
+    tier: DCPMITier;
+    /** Whether the organisation is a Data Controller/Processor of Major Importance. */
+    isDCPMI: boolean;
+    /** Annual registration fee in Nigerian Naira (0 when not a volume-tiered DCPMI). */
+    annualFeeNGN: number;
+    registration: {
+        /** Whether NDPC registration is required. */
+        required: boolean;
+        /** OHL renews registration annually; UHL/EHL register once and file CAR annually. */
+        renewsAnnually: boolean;
+    };
+    compliance: {
+        /** Whether the organisation must file annual Compliance Audit Returns (CAR). */
+        auditReturnsAnnual: boolean;
+        /** Initial compliance audit is due within this many months of commencing processing. */
+        initialAuditWithinMonths: number;
+    };
+    /** Human-readable caveats and next steps. */
+    notes: string[];
+    /** The count actually used for classification, after defensive normalisation. */
+    dataSubjectsConsidered: number;
+}
+
+export declare interface DCPMIClassificationOptions {
+    thresholds?: Partial<DCPMIThresholds>;
+    fees?: Partial<DCPMIFees>;
+}
+
+export declare interface DCPMIFees {
+    UHL: number;
+    EHL: number;
+    OHL: number;
+}
+
+export declare interface DCPMIInput {
+    /** Distinct data subjects whose data was processed in the relevant six-month window. */
+    dataSubjectsInSixMonths?: number;
+    /** True if the Commission has separately designated/listed the organisation as a DCPMI. */
+    isDesignated?: boolean;
+}
+
+export declare interface DCPMIThresholds {
+    /** Lower bound (inclusive) for OHL. */
+    ohl: number;
+    /** Lower bound (inclusive) for EHL. */
+    ehl: number;
+    /** A count strictly greater than this is UHL. */
+    uhl: number;
+}
+
+/**
+ * Data Controller/Processor of Major Importance (DCPMI) classification under the
+ * NDPC General Application and Implementation Directive (GAID) 2025.
+ *
+ * Volume-based tiers — data subjects processed within a six-month window:
+ *   - UHL (Ultra High Level):    more than 5,000  → ₦250,000 / year
+ *   - EHL (Extra High Level):    1,000 – 5,000    → ₦100,000 / year
+ *   - OHL (Ordinary High Level): 200 – 999        → ₦10,000  / year
+ *   - below 200:                 not a DCPMI by volume
+ *
+ * Boundaries: the 1,000 mark resolves to EHL (so OHL is 200–999); UHL is
+ * strictly greater than 5,000 (so 5,000 itself is EHL). The NDPC has revised
+ * classification metrics before and shifts filing deadlines, so thresholds and
+ * fees are configurable — treat the defaults as the September 2025 GAID
+ * baseline, not a constant.
+ *
+ * `isDesignated` marks an organisation the Commission has otherwise listed as a
+ * DCPMI; it is then a DCPMI regardless of volume. Below the volume tiers such an
+ * organisation is reported as `'listed'` with the fee left at 0 and a note to
+ * confirm the applicable tier/fee with the NDPC.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ * @see NDPC Guidance Notice on the Registration of Data Controllers and Processors of Major Importance
+ */
+export declare type DCPMITier = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
+
+/** September 2025 GAID baseline annual fees (NGN). */
+export declare const DEFAULT_DCPMI_FEES_NGN: DCPMIFees;
+
+/** September 2025 GAID baseline — override via {@link DCPMIClassificationOptions} as the rules evolve. */
+export declare const DEFAULT_DCPMI_THRESHOLDS: DCPMIThresholds;
+
 /**
  * Default NDPA-compliant privacy policy sections.
  * Each section uses {{variable}} placeholders that are resolved at generation time.
@@ -954,6 +1199,11 @@ export declare const frenchLocale: Required<{
     [K in keyof NDPRLocale]: Required<NonNullable<NDPRLocale[K]>>;
 }>;
 
+/**
+ * Derive the CAR schedule and status for a DCPMI under NDPC GAID 2025.
+ */
+export declare function generateComplianceAuditReturn(input: CARInput, options?: CAROptions): ComplianceAuditReturn;
+
 /**
  * Generates a summary of all lawful basis documentation across processing activities.
  *