Long before its application in May 2018, the EU General Data Protection Regulation (GDPR) triggered numerous controversies. The excitement about the GDPR is based on the novel regulatory approach, which follows from the special nature of its subject matter and environment. At first glance, the GDPR may regulate the processing of personal data. At second glance, however, this law is about controlling the risks that arise for people when data that relates to them is processed. Furthermore, recognizing the dynamics of data-driven innovation as an essential element of our digital society, all involved actors – from the legislator and data protection authorities up to data controllers, processors and data subjects – face similar knowledge uncertainties.