I think that by virtue of being a massive piece of legislation, it prevents pure self-regulation through firms. It asks firms to comply in particular ways that cost them and have some cost associated with these new norms.
I don't think it puts forward or enshrines pure self-regulation when it comes to privacy and the use of data.