The first days after GDPR entered into force were full of action. They were used by many consumer rights advocates and also by individuals to file a ton of complaints against huge data processors like Google and Facebook.
European supervisory authorities were basically overwhelmed with complaints, which took time to resolve. Some major fines were imposed on Apple, Google, Amazon and other big companies. The authorities' approach towards small and medium enterprises has so far been to issue mandatory prescriptions and to avoid sanctions, at least initially.
The main guidelines provided by the European Commission and local authorities in the EU focused on obtaining consent from data subjects under the GDPR. This was the most discussed topic: how exactly a business acquires consent to process personal data, and when this consent is necessary. A major issue was also the use of personal data for profiling and direct marketing. Most fines for huge data processors were imposed due to some form of violation of the rules regarding these topics (e.g. Google Ads algorithms for profiling).