“GDPR enforcement is coming,” Ireland’s Data Protection Commissioner Helen Dixon told the Cybersecurity Law Report, and “companies should not be complacent” just because there have not been large actions yet. We spoke with Dixon about the potential for private rights of action, her experiences so far with breach notification, her examination of the role of the DPO and her advice for the U.S. Congress as it considers implementing a federal privacy law. A previous article featured her insight on the timeline of investigations, her enforcement approach, lessons she has learned and why the €50‑million fine against Google was levied in France and not Ireland, as well as insight from U.K. and Austrian regulators who spoke at the recent IAPP conference on the roles of their agencies. See our three-part series analyzing early GDPR enforcement: “Portugal and Germany” (Jan. 23, 2019); “U.K. and Austria” (Jan. 30, 2019); and “France” (Feb. 6, 2019).