There is mostly a motive for lots of CYA to reduce liability. Do some tickbox security to keep costs down if something goes wrong.
IN any case AFAIK most of the big fines are not for poor security, but for poor practices.
On the other hand GDPR imposes quite a cost burden on small organisations that hold limited data and thereby provides a competitive advantage to big business.
There is mostly a motive for lots of CYA to reduce liability. Do some tickbox security to keep costs down if something goes wrong.
IN any case AFAIK most of the big fines are not for poor security, but for poor practices.
On the other hand GDPR imposes quite a cost burden on small organisations that hold limited data and thereby provides a competitive advantage to big business.