Three data breach enforcement examples, two under the GDPR and one in the U.S., highlight differences across the Atlantic in the mechanics of fines and civil penalties, including how and when to seek reductions, and the importance of data privacy training as a mitigation measure. This article was written in partnership with Dr. Carolin Raspé of Hengeler Mueller.