The data protection authorities of the EU Member States (DPAs) are imposing ever higher fines for violations of the GDPR. In June and July 2019, the UK DPA imposed large fines on Marriott (€111 million) and British Airways (€204 million) for data breaches that violated the GDPR. But it is clear that increasingly large fines are not the only problem facing companies worried about their exposure to the GDPR. Non-EU companies in particular face a risk of parallel GDPR investigations for the same conduct, and in each such case, the investigating DPA is authorized by the GDPR to impose fines up to the maximums provided for in the GDPR, which can be 2% or 4% of the company’s global group turnover, depending on the nature of the infringement. How can this be possible?