- GDPR fines (amongst other things) are for inappropriate security as opposed to getting breached. Breaches are a good pointer but are not themselves actionable. So organisations need to implement security that is appropriate for their size, means, risk and need.
The GDPR has teeth against anyone who messes up security, but clearly action will be greatest where the human impact is most significant.

