Re: Is that it?
I can imagine an environment that rewards individuals for quick actions and information.
The law says that only suitable qualified and trained staff, can access certain data, with appropriate safeguards. It's not a trivial environment, multiple early staff were caught stalking their partners, ex-partners and ex-partners new partners.
The whole point of training and oversight, was to ensure that those accessing secret information, were doing so for a valid reason, within valid timelines and responsibly deleting that information after. No training = less likely to achieve prosecution later on (if you haven't done the training, you cannot be held to the same legal standard, since it hasn't been spelled out to you)
If you cannot demonstrate this, then you cannot continue to practice.
Whether they really need more legal help, I cringe at throwing more money at lawyers, as I am sure that the internal compliance teams and engineers are more than capable of doing their jobs properly, it is probably more about whether they really have the desire to do so.
PS I laughed at "using boiler plate language", but surely that's the point? You use legal templates for such things?