The European Union’s (EU) Article Working Party recently revealed a number of General Data Protection Regulation (GDPR) application guidance documents. The mandatory Data Protection Officer (DPO) role can be confusing to organizations who question the terms “core activities” and “large scale.” Guidance recommends those in doubt should err on the side of appointing a DPO. This individual should be a professional who is qualified to determine the organization’s compliance with national and European data protection laws and practices, including an in-depth understanding of the GDPR. The new data portability law under Article 20 of the GDPR allows data subjects to receive from any controller, in a machine-readable format, the personal data they provided “knowingly and actively” to the controller and any personal data generated by their activity. The WP29’s guidance for establishing a lead data protection authority to lead the “one-stop shop” mechanism details cross-border processing and illustrates sample scenarios for choosing a DPA. And, finally, details on the EU-U.S. Privacy Shield include further definition of the framework for transferring personal data to the United States.