The notice requirements remain and are expanded. The information given to data subjects must now include the period for which personal data will be retained and contact details for the data controller and, where applicable, the data protection officer.
Automated individual decision-making, including profiling (Article 22), is made contestable. Data subjects now have the right to question and challenge decisions that produce legal or similarly significant effects on them and that have been made solely by automated processing. Many media outlets have commented on the introduction of a “right to explanation” of algorithmic decisions, but legal scholars have since argued that the existence of such a right is highly unclear until tested in court, and limited at best.
In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures that meet the principles of data protection by design and data protection by default.
Data protection by design and by default (Article 25) requires that data protection measures are built into the development of business processes for products and services. Such measures include pseudonymisation of personal data by the controller as soon as possible (Recital 78); under Article 4(5) pseudonymised data can no longer be attributed to a specific data subject without additional information that is kept separately and protected by technical and organisational measures.
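As an added illustration (not text from the Wikipedia article, and not a scheme the Regulation prescribes), the following Python shows one common way to implement the pseudonymisation Recital 78 refers to: direct identifiers are replaced with a keyed hash (HMAC-SHA-256), and the key is the "additional information" of Article 4(5) that the controller stores separately from the pseudonymised records. A plain unkeyed hash would not meet that definition, since a short identifier such as an e-mail address can be recovered by hashing a dictionary of candidates. The records, field names and key value are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book", "amount": 12.50},
    {"email": "bob@example.com", "purchase": "lamp", "amount": 30.00},
    {"email": "Alice@Example.com", "purchase": "pen", "amount": 1.20},
]

# Fields that identify a data subject directly (assumed for this example).
DIRECT_IDENTIFIERS = ("email",)


def generate_key() -> bytes:
    """Create the pseudonymisation key. This is the 'additional information'
    of Article 4(5): it must be stored apart from the pseudonymised data,
    e.g. in a secrets manager the analytics environment cannot read."""
    return secrets.token_bytes(32)


def pseudonymise_value(value: str, key: bytes) -> str:
    """Keyed hash of a single identifier. Normalising case and whitespace
    first keeps every record of one subject linkable under one pseudonym."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, identifier_fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with direct identifiers replaced by
    pseudonyms; non-identifying fields are left as they are."""
    output = []
    for record in records:
        copy = dict(record)
        for field in identifier_fields:
            if field in copy:
                copy[field] = pseudonymise_value(str(copy[field]), key)
        output.append(copy)
    return output


def reidentify(pseudonym: str, candidates, key: bytes):
    """Re-attribution is only possible for whoever holds the key and a
    candidate identifier; without the key every candidate fails."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_value(candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = generate_key()
    for row in pseudonymise(RECORDS, key):
        print(row)
```

Because the same identifier always maps to the same pseudonym under one key, the processor can still count purchases per customer or join tables without seeing who the customer is; rotating the key breaks that linkage, which is a separate decision the controller has to take deliberately.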
It is the responsibility and liability of the data controller to implement effective measures and to be able to demonstrate the compliance of processing activities, even where the processing is carried out by a data processor on behalf of the controller (Recital 74). Source: Wikipedia