GDPR enforcement among various data protection authorities has been gaining traction, and the actions hold lessons for compliance and enforcement of the new law. In a previous article, we looked at fines against a Portuguese hospital and a German social media company. Here we analyze a recent U.K. action against a Canadian data aggregator and its jurisdictional implications, as well as a series of Austrian cases showing that a seemingly simple CCTV camera outside of a store can violate the GDPR. A subsequent article will examine France’s €50‑million Google fine, the largest to date. See “How Will the GDPR Affect Due Diligence?” (Mar. 21, 2018).