by jacquesm 3046 days ago
The most important bit that you can do that is actionable and that will not be open to interpretation is to have someone competent write a clause into employment contracts regarding data confidentiality, to put in place a protocol on how to deal with various levels of breaches and to review your site's privacy policy to ensure that it is still applicable (this is something you should be doing regularly anyway).

On the whole I think your approach is a very balanced and reasonable one, especially the 'act in good faith' bit. What surprises me is that plenty of companies explicitly do not act in good faith and try to interpret the directive creatively so that they can continue to do what they were already doing without modification. That's asking for trouble in my opinion; some companies in that bracket will find themselves in the unenviable position of being used to educate the rest.

Especially in adtech and marketing there will be a lot of tension between business goals and the law as written, and the finer you want to ride that line, the more important it becomes to have competent guidance.