Re: "areas such as transparency and improved privacy information"
"[1] practically no organisation has actually fulfilled its transparency obligations"
Indeed. Two recent examples that I have complained about: the NI Census in March and the NI Electoral Canvass in July - in both cases the Privacy Notice was missing some mandatory information which, as per GDPR, *must* be provided at the time of data collection (i.e. before you fill in your Census form/Register to vote form).
In the case of the NI Census the ICO has decided that "there is more work for the organisation to do" and is in discussion with the org's Chief Executive "explaining that we want them to work with you to resolve any outstanding matters". However I fail to see how it can be resolved as the Census Day is past and everyone here has already filled in their forms when the Privacy Notice was not valid - this can't be resolved/fixed, all that ICO should do is issue a fine against NISRA for failing in their GDPR obligations.
In the case of the Electoral Canvass the matter is with the EONI currently but I expect to open a case with ICO once EONI have responded to me with their "excuses".
Both of these events are once-every-10-years activities so it is even more important than usual for these organisations to ensure that everything is in compliance in *advance* of the events.
"[2] transparency (even if of itself sufficient) is useless unless redress is available to individuals where processing is questionable (let alone unlawful). To date it generally isn't except very rarely."
My personal data was leaked last year in a hack on an online company operating worldwide and they notified me. However I had stopped using their system 7 years previously but, at the time like many other companies, they only provided a "deactivate your account" option and provided no means to delete your account. With the introduction of GDPR in 2018 this company appeared from then onwards to provide a deletion request mechanism but did not implement any automatic deletion of deactivated accounts (and their Privacy Notice made no mention of deactivated accounts at all, let alone defining retention periods for them) and so deactivated accounts' personal data appears to be retained indefinitely.
ICO closed the case and basically said "you never asked them to delete your data" and "well they've offered to delete your data now" whilst completely ignoring the point that, at the time I stopped using that service I *could not* request that my data be deleted (which I would have wished to do at the time) as the company then had a policy of "deactivation only".
ICO, and indeed many/most of the regulators in EU, beyond a few "headline" instances have failed to take any significant actions to enforce data protection law.