Fines are meaningless.
In other areas, (e.g. Health & Safety) a board member is ultimately responsible at a company. We need a change in the law to force one board member to be responsible for data protection. That way, there is one, clearly identifiable person, who can be held accountable and sent down when their organization screws up.