"The data subject-facing business should remain liable under both civil and criminal law for any breaches further along the line"

Funnily enough, this is exactly one of the things* that change under GDPR. Under DPD-derived legislation, typically only the Processor who actually violates the law is liable. Under GDPR, both the Controller and their subsidiary Processors are liable.

There's a shitload of FUD and consultancy bullshit around GDPR, but honestly, at its core it is a pretty sane piece of legislation. I'd encourage everyone to go out and read, if not the entire law (it's not that long), then your local ICO's guidance on what the law practically means. You will probably find yourself nodding along thinking "Hrm, you know what, that actually kind of makes sense".

*It's also worth noting that, apart from this, only two other things really change under GDPR. One is its scope, applying to any organisation that processes EU citizens' data regardless of where that organisation is. The other is the penalties involved, with fines of up to 4% of turnover. Almost everything else is pretty much the same.