One big difference I see in terms of mentality is that the burden of proof is reversed:
- If you are using data, you need to ensure the required mechanisms are in place to pursue your endeavours.
- There is, therefore, a “documentation obligation” that kicks in, shifting the burden of proof that until now was set out in the contracts between B2B entities (article 5, paragraph 2).
- Accountability is then reinforced by the conditional appointment of a DPO (Data Protection Officer) to ensure data protection policies and information notices are transparent and easily accessible to the data subject.
- This then needs to be considered alongside the different (EU citizen) Rights the GDPR is adding or clarifying: the Right to Object to Profiling, the Right to be Forgotten, the Right to Data Portability, etc.