I handed my passport to a security guard.
Not a data protection officer. Not a compliance manager. A security guard at the entrance of a company owned by a major Nigerian bank. I was there to consolidate my shareholding, a routine financial request in an institution that publicly claims regulatory maturity.
He took the passport and walked away.
He did not copy it in front of me. He did not ask me to wait while he verified anything. He disappeared. For six full minutes, my passport was out of sight, out of my control, somewhere inside a corporate building, handled by someone whose job description does not include identity management. No explanation. No oversight. No accountability.
Six minutes is an eternity when your primary identity document has vanished into institutional quiet.
When he returned, there was no apology, no acknowledgement, no attempt to normalise what had just occurred. The next instruction was to fill in a form with my date of birth, address and other personal details. The passport had already provided all of this, but repetition is a Nigerian corporate ritual. Data is collected because it can be, not because it is necessary.
This is not an edge case. This is the operating culture.
Nigerian organisations speak confidently about privacy while behaving casually with personal data. Policies exist upstairs. On the ground, anything goes. If a security guard can walk off with a passport and no one thinks to intervene, your privacy programme is decorative.
What makes this worse is the response pattern when data subjects complain. The language becomes soothing, procedural and empty. “We acknowledge your concern.” “We take privacy seriously.” “We are reviewing the matter.” These are not responses. They are delays dressed up as empathy.
When a Nigerian data subject says, “you are not taking me seriously,” it is not drama. It is a diagnosis. It means emails have gone unanswered. It means questions have been sidestepped. It means responsibility has been diluted until no one owns the problem. The organisation hears inconvenience. The individual experiences disrespect.
Executives often distance themselves from these moments. They assume this is an operational issue, a staff training gap, something several layers below their line of sight. That assumption is convenient but wrong. The presence of a security guard handling passports is not an accident. It is a design choice. Someone approved that workflow. Someone decided this risk was acceptable.
From a privacy standpoint, this is how trust collapses. Not through spectacular breaches, but through everyday arrogance. Through the quiet assumption that the individual has nowhere to go, no leverage and no audience. Until they do.
Executives should pay attention to where privacy actually fails. It fails at reception desks. It fails in back offices. It fails when untrained staff are given access to sensitive documents because it is “how things are done.” It fails when no one can explain where personal data went, who touched it or why.
This is not solved by citing the NDPR. Quoting regulation to a frustrated data subject only confirms that the organisation understands compliance language better than human impact. People do not complain because they enjoy escalation. They complain because nothing happened when they asked politely.
If a data subject raises a concern and receives another email saying “we understand,” without being told what was done, what changed or who is now accountable, the message is clear. The organisation is managing risk, not fixing harm.
Boards should ask sharper questions. Who touches identity documents. Why? For how long? Under what controls? Where is this logged? Who reviews it? If these answers are vague, the exposure is not hypothetical. It already exists.
Leadership cannot outsource this. Privacy culture is set at the top and revealed at the bottom. If dignity is not enforced operationally, no policy will save you. Nigerian consumers are watching more closely now. Regulators are listening more carefully. Silence and sloppiness are no longer invisible.
My passport was gone for six minutes. In those six minutes, an organisation demonstrated exactly how seriously it treats personal data. No breach was reported. No headline was written. Yet the failure was complete.
That is how privacy collapses in Nigeria. Quietly. Casually. Every day.
