The panic has receded. The frantic drafting has slowed down. The GDPR – widely regarded as the most ambitious data protection legal framework ever created – is in place and life goes on. As the dust left by the dramatic coming into effect of the GDPR settles, we are beginning to see what the GDPR means in practical terms. Many questions remain unanswered and many aspects of the law will take years – if not decades – to be fully interpreted and understood. However, among the numerous issues covered by the GDPR, some areas are emerging as the key strategic questions to address and becoming the focus of attention at an operational level.