The Effects of Data Privacy Regulations on Cybersecurity Practices in Nigeria and Africa

Document Type: Review article

Authors

1 Centre for Cyberspace Studies, Nasarawa State University, Keffi, Nigeria

2 Department of Physics, Nasarawa State University, Keffi, Nigeria.

10.22059/jcss.2025.390087.1127

Abstract

Background: With the rapid digital transformation across the African continent, ensuring the protection of personal data through effective regulatory frameworks is crucial. Key regulations, including Nigeria’s Data Protection Regulation (NDPR) and the African Union’s Convention on Cyber Security and Personal Data Protection, have been enacted to address growing concerns about data privacy and cybersecurity.
Aims: This literature review critically examines the impact of data privacy regulations on cybersecurity practices in Nigeria and across Africa, focusing on empirical studies that highlight the interplay between regulation enforcement and cybersecurity outcomes.
Methodology: This review synthesizes empirical studies that explore the effectiveness of these regulations in improving cybersecurity practices in both public and private sectors.
Results: Empirical research from Nigeria indicates that while the NDPR has led to some positive changes in organizational data protection strategies, challenges in enforcement, resource allocation, and awareness continue to hinder its full impact. Studies reveal that small to medium enterprises (SMEs) face difficulties in complying with the regulations due to a lack of capacity and knowledge. Similarly, research across several African countries shows a significant gap in both the implementation of data privacy laws and the cybersecurity measures required to mitigate emerging threats, such as ransomware and data breaches. Furthermore, empirical evidence highlights that varying levels of regulatory enforcement across the continent result in inconsistent cybersecurity practices, leading to vulnerabilities in the digital infrastructure. The review also explores empirical findings on the socio-economic and political barriers that affect the successful enforcement of data privacy regulations, with particular focus on limited technical expertise, political instability, and insufficient resources for regulatory bodies. Additionally, studies suggest that there is a growing need for cross-border collaboration and capacity building to bridge the regulatory gaps and improve overall cybersecurity resilience.
Conclusion: Empirical evidence underscores the need for stronger regulatory frameworks and greater cooperation across African nations to enhance the protection of personal data and fortify cybersecurity practices across the region. Recommendations for future policy development are provided, based on the insights gained from existing empirical studies.


