A recent European Court of Justice (CJEU) decision has potentially altered the GDPR’s “one-stop-shop” mechanism, and fining frameworks are in flux in many Member States. We analyze the recent CJEU case with input from Rohan Massey, a partner at Ropes & Gray, and distill insight from a Spring Privacy & Security Academy panel featuring Latham & Watkins partners Gail Crawford, Myria Saarinen and Tim Wybitul, and Porsche chief privacy officer Christian Volkel about the GDPR enforcement landscape and how to defend GDPR fines and civil actions. See “How Do You Put a System of Privacy and Security Controls in Place When Your Target Keeps Moving?” (May 26, 2021).