Digital Access Without Digital Awareness: Bridging The Gap Between Data Literacy And Data Protection Laws In Nigeria

Introduction

"Data is power"

The above succinct observation by Abhijit Naskar, a leading expert in human behaviour, essentially encapsulates one of the now defining realities of the world today. In an increasingly digitized world and with numerous advancements in technology, data and information have emerged as a central asset that has driven innovation, governance, and commerce. However, this growing centrality of data also presents significant risks, particularly in societies where awareness of data privacy rights and data protection laws remains limited.

In Nigeria, despite the establishment of legal frameworks such as the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID), 2025, a substantial portion of the population remains uneducated and uninformed about the data protection laws, data privacy rights and obligations. Despite the rapid internet penetration, widespread mobile usage, fintech growth, there is still the persistent gap between policy creation and policy awareness and understanding. Education can be regarded as a key element or step which would serve as a preventive measure in eradicating issues of breach of data privacy or incessant manipulation of data and information. In a world that is becoming largely digitalized in various sectors, it is imperative, if not obligatory, that measures be taken towards education of individuals on their data privacy rights and the data protection laws.

This article examines and provides a deep dive into the importance of educating the public on data privacy rights and the relevant data protection laws as well as the effects of lack of digital awareness. It also provides recommendations and actionable strategies on ways in which the NDPC, government and key stakeholders embed the knowledge of data privacy laws and rights into the average Nigerian. Digital awareness is not merely a legal necessity but a crucial step towards empowering citizens in a digitally evolving ecosystem.

The Digital Landscape in Nigeria

Technology and artificial intelligence are constantly subjected to numerous innovative improvements and advancements on a daily basis. These technological developments span across various areas of life such as business, economy, career, lifestyle, social interactions, domestic activities and many others. The central feature across these areas in which technology has penetrated is the constant and consistent collection and use of data and information of individuals, groups and societies.

Nigeria does not fall behind in the incorporation and use of technology and its innovations. Nigeria's digital economy revenues rose from US$5.09 billion in 2019 to US$7.13 billion and US$9.97 billion in 2020 and 2021, respectively.¹ The Digital landscape in Nigeria has greatly improved with millions of individuals having easy access to technological applications such as Instagram, Facebook, WhatsApp, YouTube, smartphone adoption, and digital services growth. These social platforms and applications are largely data-driven and mostly require the sensitive data of users such as geolocation, debit card details, National Identification Numbers (NIN), other means of identification, like phone numbers, email addresses, educational and family history in some cases. These are all private data of individuals that have access to these platforms.

Nigeria has also recorded the growth of e-commerce and FinTech companies as well as the incorporation of digital software in the dispensing of services. Commercial activities and various service providers utilize technology to create a seamless process for their potential clients or customers. Formal and informal businesses have been on the rise in Nigeria, especially with the easy availability of digital platforms as a tool for e-commerce activities. In most cases like this, the completion of services proffered are largely dependent on the individuals providing their personal data or other personal identifiable information. Online vendors collect personal data and information of individuals such as names, phone numbers, house addresses, etc. Additionally, financial institutions such as digital loan companies, digital banks and saving platforms largely collect very sensitive data and information of their users before services are rendered. This shows how Nigeria's digital landscape has developed and the increasingly data-driven nature of the economy. Digital platforms are constantly being utilized in the creation, marketing, consumption and sale of services.

By contrast, while digital inclusion is growing and data is slowly becoming central in different sectors, digital literacy, particularly in data privacy and data protection laws, still requires major improvement. The average Nigerian does not have adequate knowledge of the existence of data protection laws in Nigeria, let alone its provisions. This makes them easily susceptible to data misuse, exploitation of their personal information by individuals or organisations without clear awareness of the availability of laws that protect their data privacy rights. There is a clear gap between policy creation and policy awareness/understanding by the very people which the law seeks to protect. In most cases, the average Nigerian may not have access to experts and legal professionals who would guidance on their data privacy rights or the provisions of the law. Organisations and companies should also be included as necessary components that should be educated on these privacy laws. Hence, while the establishment of the NDPA and the GAID is a noteworthy development which puts Nigeria on track with the world, it is important that equal and sufficient efforts be placed into educating the public on their data privacy rights, existence of these laws, its provisions, the applicability of the law and its scope.

Data expansion and innovations largely lead to data vulnerability.² Data vulnerability isa weakness that can be exploited by cybercriminals to gain unauthorized access to people's sensitive information placed under the control and custody of third parties. Lack of data subject consent, unsolicited and unauthorised use of personal data, exploitation of data, sale of individual's sensitive data, scams, threats, and failed data rectification and erasure are all incidences that result from unmitigated data expansion and use of digital platforms. The more connected people are, the more exposed their data becomes.³ It is imperative for the sensitization on data privacy rights and the exponential development of the digital landscape to be concurrent.

Understanding Data Protection Laws and Rights in Nigeria

The two regulations that govern and guide data protection practices in Nigeria are the Nigerian Data Protection Act, 2023 (NDPA)⁴ and the General Application and Implementation Directive 2025 (GAID).⁵ The Nigerian Data Protection Act 2023 was established to provide a framework for the protection of sensitive and non-sensitive personal information of individuals, groups and organisations.⁶ The foundation for the protection of the private and personal information of the public stems from section 37 of the Constitution of the Federal Republic of Nigeria which provides that every person, regardless of gender, race or culture possesses the fundamental right to privacy.

The aims for the establishment of the NDPA are; a) to safeguard the fundamental human rights of individuals b) to safeguard the security of personal data and the privacy of data subjects c) regulate the processing of personal data and privacy of subjects d) provide a means of recourse and remedies in the event of breach of the data subject's right e), and ensure that all data controllers and data processors fulfill their obligations to their data subjects.⁷

The provisions of the NDPA do not apply to individuals engaging in the processing of data and information for personal purposes. It only pertains to individuals and companies whose major goal or objective of processing data and information is largely for commercial purposes. The Act is specifically applicable to individuals domiciled in, resident in and operating in Nigeria. The Act is also applicable where processing of data of Nigerian data subjects⁸ occur outside Nigeria by an individual or corporate entity.

Furthermore, the NDPA provides principles that govern the way and manner in which data and sensitive information of individuals are processed by organisations and companies. It sets parameters that guide the processing of personal data and information in Nigeria in order to ensure privacy of data and information is attained and maintained at all times. A data controller or data processor must ensure that personal data is:

1. processed in a lawful and transparent manner.
2. collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with these purposes.
3. retained for not longer than the minimum necessary for the purposes for which the personal data was initially collected or further processed.
4. accurate, complete, not misleading, and where necessary, kept up-to-date having regard to the purposes to which the personal data is collected.
5. processed in a manner that ensures appropriate security of personal data including protection against unauthorized or unlawful processing, access, loss, destruction, damage or any form of data breach.

The General Application and Implementation Directive (GAID) 2025 was introduced on 20^th March, 2025 by the NDPC for the purposes of providing clarity on the implementation of the NDPA. The regulation provides further directives on the application, enforcement and implementation of the NDPA. Notably, the NDPC has indicated it will no longer enforce the provisions of the Nigerian Data Protection Regulations (NDPR). Contrary to certain prevailing opinions, the General Application and Implementation Directive (GAID) does not have the legal capacity to repeal the Nigeria Data Protection Regulation (NDPR), as it is merely a directive and not a legislative instrument of equivalent authority. While the Nigeria Data Protection Commission (NDPC) has indicated that it will no longer enforce the NDPR, this administrative position does not amount to a repeal. From a legal standpoint, a directive cannot abrogate a regulation, just as a regulation cannot repeal an Act of Parliament. The GAID provides numerous compliance measures and requirements for data controllers and data processors to adhere to, such as conducting periodic training of members of staff on data protection laws and policies, establishing internal data protection strategies, filing of compliance audit returns and semi-annual data protection reports.

The NDPC is the official regulatory authority responsible for the implementation and enforcement of the provisions of both the NDPA and the GAID. They are primarily established for the purpose of preventing misuse and exploitation of data and sensitive information of data subjects by companies and organisations. The NDPC oversees the overall implementation of the NDPA, prescribes fees payable by data controllers and processors, imposes penalties on companies that violate the provisions of the Act as well as conducting investigations where allegations of data breach occur.⁹

However, there is a significant knowledge gap. Most Nigerians are unaware of their data privacy and protection rights as well as the provisions of these regulations. There needs to be addition of equal strategies and policies for education of the public on their data privacy rights. Most Nigerians are unaware of the existence of certain rights and protections provided by the law such as right to consent, withdrawal of consent, data access, data rectification, data erasure, use of data for improper purposes or purposes not initially consented to, the unnecessary retention of data and information past retention periods, the use of their sensitive data and information as profitable tools and also the requirement for the availability of security systems for adequate protection of data by companies and businesses. The average Nigerian is not aware of the responsibilities, duties and requirements which data processors and data controllers are required to adhere to in order to ensure proper security of data and information. People need to also be aware of their rights to seek redress in court in instances of data breach or misuse.¹⁰

Most importantly, taking into consideration the prevalence of informal businesses and services that process personal data and sensitive information of the average Nigerian, which the NDPC are mostly not aware of, it is pertinent that the public be educated on data privacy and protection through targeted and strategically implemented sensitization programmes. Business centers that print, photocopy or process personal data and information such as passports, NINs, BVNs, personal data forms for registrations, and online vendors that use house addresses, phone numbers, account details for various reasons, highlight the need for constant and pervasive education of the public on data protection laws and rights.¹¹

According to the 2025 Africa Cyberthreat Assessment Report, Nigeria ranked among the top ten countries most affected by cyberattacks in Africa.¹² This essentially highlights some consequences of lack of knowledge of data privacy rights and data protection laws in Nigeria. It makes the average Nigerian easily susceptible to data misuse, data breach, malicious attacks and cyber security issues. Moreover, a lot of members of the public are not aware of the standards and requirements which tech companies and other organisations need to observe and implement in order to properly safeguard privacy rights.

Over the years, regulatory authorities such as the National Information Technology Development Agency (NITDA), Nigeria Data Protection Bureau (NDPB) and the Nigerian Data Protection Commission (NDPC) have made significant strides and organised initiatives and programs tailored towards the promotion of data privacy rights through dissemination of relevant information. However, it is important that these efforts become more consistently organised and implemented and not just sporadically conducted. Digital awareness of data privacy rights should be conducted in numerous places, local governments and states in Nigeria. The different demographics of the Nigerian population such as the aged, illiterates, the deaf and dumb, blind individuals and people in rural communities, should be included and accommodated. These individuals also utilise data driven technology in different ways as well and should be educated on their rights.

Bridging the Gap Using Specific Strategies for Digital Awareness and Education on Data Protection Laws and Privacy Rights

Strategic and systematically targeted education and creation of awareness is a key element in the enforcement and implementation of local laws. Recently, the NDPC has taken commendable steps towards enforcement and implementation of the law as well as creating awareness and educating the general public. However, there are more initiatives which can be employed to ensure that the average Nigerian is inculcated with the knowledge of data protection laws and data privacy rights. These strategies are:

1. Simplification of Legal Language and Communication

The data protection frameworks which have been established contains complex technical and legal language and information which is not properly understood by the average Nigerian in most cases. Plain-language summaries of key provisions of the NDPA and the GAID can be created and disseminated to the general public for effective and proper understanding. The salient provisions which essentially establishes the data privacy rights of individuals as well as obligations of data controllers and data processors should be highlighted in simpler language and communication versions, infographics, flowcharts, visual explainers, sign language options, in order to accommodate different educational demographics.

Additionally, translations of the key provisions to other languages and forms of communication should be made available in order to reach broader population clusters in the country. Data privacy training materials and awareness documents must be developed to effectively reach and engage all segments of society, including older persons, individuals with disabilities such as those who are deaf or hard of hearing and those with visual impairments as well as populations residing in rural or underserved communities. The use and protection of technology, sensitive data, and personal information concern every individual, irrespective of demographic or geographical differences. Accordingly, education and awareness initiatives should adopt an inclusive and accessible approach that ensures equitable understanding and participation across diverse groups within the general public.

1. Integration of Data Protection Laws and Rights in Education Systems

Data Protection laws and data privacy rights should be incorporated and integrated in the curriculum of secondary and tertiary schools of learning. This stems from the fact that sensitive data is central and applicable to every individual irrespective of age, class or stage. Hence, practical modules on data protection laws, data consent, cybersecurity, data privacy rights, should be incorporated in the education system in order to achieve the desired level of sensitization and public awareness from the grass-root level.

1. Increased and Diversified Public Awareness Campaigns

The strategies incorporated for public awareness campaigns can also include more collaborations with radio, television, newspaper outlets, billboards, telecommunications companies to disseminate simplified messages on data protections laws and data privacy rights. More collaborations should be embarked upon by the NDPC such as collaborations with civil society groups to assist in creating awareness of data protection laws and data privacy rights. Systems such as Data Protection Days/Month, community outreach programs for the purpose of creating awareness, organisation of competitions and programs centred largely on education of Nigerians on data protection laws can be implemented by the NDPC.

1. Incentivised Recognition and Compliance Programs

In order to encourage compliance and also to create more awareness on the existence of data protection laws and data privacy rights, incentivised recognition programs and systems can be incorporated such as creating annual awards for businesses, companies, media and institutions promoting data privacy in Nigeria. This strategy will encourage more organisations, stakeholders and businesses to take part in promoting data privacy in Nigeria and also boost awareness of the regulatory frameworks for the public's guidance.

Conclusion

The presence of the regulatory frameworks such as Nigeria Data Protection Act, 2023 and the General Application and Implementation Directive, 2025 signals the nation's commitment to safeguarding informational privacy within its digital economy. Nevertheless, the effectiveness of this legislation hinges not solely on its statutory provisions, but on the degree to which its principles are internalized, understood, and operationalized by the broader public and institutional actors alike. Legal norms, no matter how well crafted, remain aspirational in the absence of widespread awareness and practical comprehension among those bound by them.

Ultimately, Nigeria's aspiration to build a resilient and rights-respecting digital ecosystem will be realized only when the NDPA's mandates are matched by an informed citizenry and a compliance-oriented culture across all sectors. The law must, therefore, be accompanied by a deliberate and coordinated national strategy for education, sensitization, and capacity building. In this way, data protection will evolve from a statutory requirement into a lived legal consciousness—anchored in respect for privacy, the rule of law, and the ethical stewardship of personal information.

Footnotes

1. Central Bank of Nigeria, "Nigeria's Budding Digital Economy: Copying With Disruptive Technology" available at https://www.cbn.gov.ng/out/2024/rsd/nigeria%E2%80%99s%20budding%20digital%20economy.pdf accessed on 17^th October, 2025.

2. Pravin Meta, "Stages of Data Vulnerability and the Risks" (Bitraser, July 22, 2022), available at https://www.bitraser.com/article/stages-of-data-vulnerability- risks.php?srsltid=AfmBOoo3C9MyXqvA5YFUACB1VPjooqzpKwRz3bw2TQqFQ9pacsYwPzI6 accessed on 28^th October, 2025.

3. Securiti, "What is Sensitive Data Exposure Vulnerability & How to Avoid it?" available at https://securiti.ai/blog/sensitive-data-exposure/ accessed on 28^th October, 2025.

4. See, Nigerian Data Protection Act, 2023.

5. See, Nigeria Data Protection Act General Application and Implementation Directive, 2025.

6. Section 1 Nigeria Data Protection Act 2023.

7. Ibid.

8. A data subject refers to an individual to whom personal data relates. (Section 65 NDPA 2023).

9. Section 6 Nigeria Data Protection Act, 2023.

10. Sections 46 and 51.

11. Adeyemi Adeptun, "Poor awareness, Manpower Threaten Data Privacy in Nigeria" (The Guardian, 23 October, 2023) available at https://guardian.ng/technology/poor-awareness-manpower-threaten-data-privacy-in-nigeria-says-olatunji/ accessed on 28^th October, 2025.

12. Adedunmade Onibokun & Co "Legal Implications of Data Breaches in Nigeria: Navigating Cyber Security Laws and Liabilities" available at https://aocsolicitors.com.ng/legal-implication-of-data-breaches-in-nigeria-navigating-cybersecurity-laws-and-liabilities/ accessed on 28^th October, 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.