While the largest GDPR penalty so far has been the €50 million fine France levied on Google, there have also been smaller cases that hold lessons for compliance and enforcement. The U.K.’s ICO has been active in examining how personal data is being used for political campaign purposes, and has taken action against a Canadian data aggregator – a reminder that the GDPR can apply to companies outside of the E.U. A series of Austrian cases shows that a seemingly simple CCTV camera outside of a store can violate the GDPR as well. We analyze these cases with input from local sources. In a previous article, we looked at a €400,000 fine against a Portuguese hospital and a €20,000 fine against a German social media company, and in a subsequent article, we will examine the Google case. See our three-part series on GDPR essentials for the financial sector: “Benchmarking and Assessing the Risks” (Jul. 11, 2018); “Compliance Steps” (Jul. 18, 2018); and “Staying Compliant and Special Challenges” (Jul. 25, 2018).