by TACIXAT
2620 days ago
I feel the best test was "did you get breached? what data was taken?". If the answers are yes and PII, you were collecting data that you didn't have the capability to protect and should face a fine. There is a lot a company can do to protect data. If they demonstrate that they were following all those best practices re: encryption, storage, least privilege, etc., then that should absolutely factor in. At least to hold people accountable who store stuff in plain text and leave it on publicly accessible storage.