"a data protection framework that is focused on privacy outcomes rather than box-ticking"
Actually that was what many complained about GDPR, because it says what is required but not how to do it. and most executives and lawyers really like "box-ticking" because it is simple to implement, and makes fake compliance easier.
Best practices" were introduced based on the Regulation, but are not part of the Regulation itself - there is no "box ticking" there.