The extent and granularity of data protection mandated by privacy regulations are increasing at the same time the dispersion, movement and overall importance of data accelerate. Further, the fundamental tension between data protection and data utility often plays out across geographic and technical domains such as multiple private and commercial clouds. We argue that new capabilities are required of global IT infrastructures to fully satisfy the oversight and protection needs of sensitive data. The scale of data operations demand a high degree of automation in enforcing policies and detecting violations. Compliance capabilities must be based on a new combination of principles: dynamic metadata collection and analysis; privacy by design; compliance control points; decentralized governance domains; and automation. In this work, we propose a system architecture addressing these principles and present an implementation. We discuss how our approach supports use cases from the automotive industry, in particular the development of new connected-vehicle services enabled by processing personal data in a way compliant with the GDPR.