Whistleblowing is a noble idea on paper. In practice, especially in Nigeria, it is closer to an extreme sport. The rules are unclear, the referees are inconsistent, and the crowd is rarely on your side. Yet organisations keep importing whistleblowing frameworks as though Lagos operates on the same emotional temperature as London or Amsterdam. It does not.
In Nigeria, telling the truth is rarely the problem. Surviving after telling it is.
This is where privacy and cyber governance often get the tone wrong. Policies are drafted with impeccable international flair, GDPR footnotes intact, reporting channels clearly marked, anonymous hotlines proudly announced. Then silence. No reports. Leadership wonders why. Consultants shrug. Compliance ticks the box and moves on.
The missing ingredient is not technology. It is etiquette.
Whistleblowing in Nigeria sits at the intersection of fear, loyalty, hierarchy, and lived consequence. People worry about retaliation, yes, but also about being labelled disloyal, troublesome, or worse, foolish. In a market where professional circles are small and memories are long, anonymity is not a comfort blanket. It is a marketing slogan.
This is where privacy professionals must stop pretending that regulation alone builds trust. It does not. Behaviour does.
A whistleblowing framework that works in Nigeria must do three things exceptionally well. First, it must feel human. Second, it must demonstrate protection in action, not in policy language. Third, it must respect the unspoken rules of the market.
Let us start with the human bit. If your whistleblowing system looks like it was designed by someone who has never worked outside a regulator, people will sense it immediately. Over engineered portals, aggressive legal disclaimers, and cold automated acknowledgements do not inspire courage. They inspire screenshots and WhatsApp group analysis.
A Nigerian employee does not need reassurance that the law exists. They need reassurance that someone sensible, senior, and calm will handle their disclosure without drama. Tone matters. Response time matters. Who follows up matters more than what the policy says.
Next, protection must be visible. Saying “we do not retaliate” is meaningless if everyone knows the last person who spoke up was quietly sidelined, moved, or labelled difficult. Privacy and cyber teams must work closely with HR and leadership to ensure whistleblowers are not only protected, but seen to be protected. In Nigeria, perception is evidence.
This is where cyber governance can help or harm. Logging, monitoring, access controls, and case management tools should be configured to minimise internal curiosity. Fewer eyes, fewer leaks, fewer problems. Confidentiality failures travel faster than broadband in Lagos, and once trust is broken, no policy update will fix it.
Finally, etiquette. This is the part rarely written down.
In Nigeria, hierarchy is real. Seniority matters. Respect matters. A whistleblowing programme that encourages bypassing all lines of authority without explanation can feel culturally abrasive. That does not mean wrongdoing should be buried. It means organisations must clearly explain when escalation is appropriate and why, without framing it as rebellion.
There is also the matter of language. Calling someone a whistleblower sounds heroic in theory. In practice, many Nigerians would rather describe themselves as raising a concern, asking a question, or seeking clarification. Smart organisations adapt their vocabulary accordingly.
A good whistleblowing framework in Nigeria does not shout about courage. It quietly rewards good judgement.
Privacy and cyber professionals operating in the Nigerian market must therefore move beyond imported templates. Playing privacy properly here requires cultural literacy, emotional intelligence, and a willingness to design for reality rather than aspiration.
When people feel safe, they speak. When they trust the system, they use it. When they see others protected, they believe it.
Ultimately, boards must own this conversation. Whistleblowing is not an IT tool or a legal footnote. It is a cultural signal. Get it right, and risk surfaces early. Get it wrong, and silence becomes the organisation’s loudest control failure every single time globally.
Michael Irene, CIPM, CIPP(E) certification, is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
What will you leave when you’re gone?