Ireland’s Data Protection Commission recently issued its first GDPR fine against a big tech company, finding that Twitter had reported a breach late and inadequately documented its actions, including why it missed GDPR’s 72-hour deadline. Several other countries’ data protectors objected to Ireland’s fine amount and conclusions, eliciting a first-ever ruling from the European Data Protection Board to settle enforcement arguments between countries. In this article, we discuss with data protection leaders from Cordery Compliance, Ropes & Gray and Steptoe & Johnson key aspects of the ruling, what clarity it provides about the 72-hour deadline and other takeaways for companies. See “GDPR Enforcement Lessons and New ICO Guidance on COVID-19” (Apr. 22, 2020).