The GDPR is prescriptive about what organisations have to do to comply. They have to appoint a “data-protection officer” (DPO), an ombudsman who reports directly to top management and cannot be penalised for doing his job. They also have to draw up detailed “data-protection impact assessments”, describing how personal data are processed. And they have to put well-defined processes in place to govern the protection of personal data and to notify authorities within 72 hours if there is a breach. Companies that persistently ignore these rules face stiff fines of up to €20m ($25m) or 4% of global annual sales, whichever is greater.

The Economist - The Real Technology Problem
It'll be interesting to see how the GDPR will work in reality, but it's definitely a step in the right direction. The latest Facebook / Cambridge Analytica breach is a great example of something that would have been avoided with a set of rules and regulations in place.