Europe's General Data Protection Regulation (GDPR) is having an influence all over the world. Policymakers look to GDPR as they adopt new privacy laws in places like California, Virginia, the United Arab Emirates and elsewhere in Asia Pacific. Now that GDPR has been in effect for almost 3 1/2 years, we have much to learn about how that law is interpreted in practice with respect to cyber security. The practical interpretation of GDPR is more nuanced than one might have guessed by listening to the media back in 2018. Leading developments such as the British Airways data breach case in the UK help cyber defenders around the world understand what the law is coming to expect of them. This presentation will offer practical tips for managing legal risk in cyber security.