Inevitably, personal data is transferred from EU to third countries. GDPR should follow this data wherever it is transferred. How can this requirement be enforced in practice? Currently, data transfers from EU to third countries are mostly regulated by legal agreements between data exporters and data importers. But these agreements tend to be complicated, unforeseeable, and ultimately inefficient. Technology can be employed to automatically ensure that transferred data is used by a third country is a way that does not violate GDPR. This talk explores information flow control as a tool to enforce GDPR, before it dives into new information flow semantics.