Data protection has become a key policy issue in Nigeria and for many years, law and policymakers have proposed to regulate data processing without success. The Nigeria Data Protection Regulation (NDPR) was issued by the National Information Technology Development Agency (the NITDA) in 2019 ostensibly to fill this regulatory void. While the NDPR has generated more awareness of data protection among stakeholders, this article argues that it is unlikely to change the regulatory landscape for data protection in Nigeria. This is firstly because the NDPR misapprehends key concepts and principles of data protection, thus creating interpretative and compliance problems, and secondly, because its enforcement mechanisms are deficient when measured against best practices in the regulation of data processing. The article demonstrates that in spite of the fact that the NDPR models the EU General Data Protection Regulation (GDPR) and emulates most of its aspects, it has significant limitations in terms of effectiveness and enforcement. It proposes that in order for Nigeria to truly join the global data protection regime, a new data protection law must not only address the challenges identified in the NDPR but must also incorporate emerging best practices in data protection.