Re: And here come the fines ...
"they will still be fined because they didn't deal with the problem ten years ago despite having no knowledge of it"
a) So the business's best approach is to make sure the breach doesn't happen in the first place and is promptly spotted.
In the words of the ICO, "In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place."
b) "Failing to notify a breach when required to do so can result in a significant fine UP TO 10 million Euros or 2 per cent of your global turnover" (my emphasis)
So genuine sloppiness could be punished harder than a series of unforeseen consequences.