Maybe an increase in fines but
As the prosecution rate is so low, one can see why a CEO may just choose to ignore it.
Violating Europe's General Data Protection Regulation (GDPR) rules is a costly mistake that is only getting more expensive, according to lawyers totaling up fines from the UK's Information Commissioner's Office (ICO). Law firm Reynolds Porter Chamberlain (RPC) today said it has been tracking ICO fines since 2016 and has found …
'"This suggests that the ICO is being selective about its enforcement targets," said Richard Breavington'
You don't need a law degree to spot this. However, a basic principle has escaped everyone concerned. If you don't nip abuses in the bud they become ingrained and accepted as normal practice. As data protection consultants, since the GDPR came into force we've only found a couple of privacy "policies" that actually comply with the law. Indeed, the last time I looked, the ICO's own template "policy" for SMEs didn't. It requires all the statutory information, but not in a manner that allows the data subject to exercise their rights (which is what "transparency" actually means).
It's tricky for the ICO though. They do need to assure that SMEs aren't misbehaving but they also need to avoid killing off UK business.
There's also the challenge that individual SMEs breaching the rules are likely to impact far fewer people than large businesses, so the ICO probably feels obliged to focus resources where they'll have the greatest benefit.
Have you fed back to the ICO your thoughts on their template? That does feel a sensible thing to assure is giving SMEs a good start point for compliance.