In the nearly 10 months since the EU GDPR was brought into force, several well-known companies have been penalized by EU data protection authorities for misuse and loss of personal data. In this session, we will review these post-mortems, determine what went wrong, and discuss the implications for complying with the security requirements of the GDPR going forward.