Legislation without sufficient enforcement is useless. Back in the C19th, when the Factory Acts and the like were introduced, an inspectorate was set up to ensure it was obeyed.
The same thing is needed now, along with a provision that was in DPA 1.0: the power to forbid further data processing until the situation is remedied. Party inspected tries to hide from the inspector via an NDA? Told to take down the site Right Now.