That’s how GDPR works. Most EU regulation focuses on outcomes, as opposed to specific methodologies.
Results in many Americans complaining about how difficult to interpret the regulation is, due to lack of specificity (US regulation tends to be highly specific). But makes it much harder to people skirt the intent of the law, because the intent is written into the law and used as the benchmark to determine compliance. This approach does require a transition process so businesses and regulators can figure out how to meet the intent of law in their specific situation, and create implement guidelines. But over the long term produces more flexible law that adapts to technical and social change better.
Results in many Americans complaining about how difficult to interpret the regulation is, due to lack of specificity (US regulation tends to be highly specific). But makes it much harder to people skirt the intent of the law, because the intent is written into the law and used as the benchmark to determine compliance. This approach does require a transition process so businesses and regulators can figure out how to meet the intent of law in their specific situation, and create implement guidelines. But over the long term produces more flexible law that adapts to technical and social change better.