2018 has been a watershed year for the privacy field. The European Union’s General Data Protection Regulation (GDPR) has been the main attraction. Companies subject to the GDPR have expended and will continue to expend enormous efforts and funds to understand and diagram their data-processing operations. Now that the GDPR has gone live, as of 25 May 2018, it remains to be seen how the Member State data protection authorities will deploy their significant new penalty authority to enforce substantially more stringent standards. Will US tech companies continue to bear the brunt of EU enforcement wrath, or will the DPAs scrutinise inwards as well?