Since EU supervisory authorities began GDPR enforcement in May 2018, at least 250 companies and government agencies have been punished for privacy and security failures. These failures have resulted in excess of €150M in fines, plus orders for remediation. Remarkably, only a few GDPR articles—such as Articles 5 (Principles), 6 (Legal Basis) and 32 (Security)—are consistently cited by those authorities. Moreover, in the majority of cases, the failures were attributable to basic privacy and security practices. In this presentation, a data protection industry veteran will review several post-mortems, determine what went wrong, and discuss the implications for complying with the privacy and security requirements of the GDPR going forward.