The rules for cross-border data transfers under the GDPR continue to evolve in the wake of the 2020 E.U. Court of Justice Schrems II decision, which invalidated the Privacy Shield mechanism for transfers between the U.S. and Europe. In this article, we distill insights from senior privacy leaders at Carnival Corporation & plc, Amgen and OneTrust, shared at IAPP’s Privacy.Security.Risk 2021 event, on navigating the shifting landscape and on practical approaches to conducting transfer impact assessments, given the challenges faced by businesses that must move data across borders on a daily basis. See our two-part series on personal data transfers after Year Zero: “Are the New SCCs a Paradigm Shift?” (Jun. 30, 2021); and “A More Appealing Set of EDPB Recommendations?” (Jul. 14, 2021).