GDPR is just the beginning... and if you are not making adjustments now you are going to be waayyy behind. Too little, too late.
Reality - a lot of organizations are still sitting back and waiting. Waiting to see if it 'sticks', if there will be any real policing...
Let me ask you:
>> Do you understand what your critical data is?
>> Do you know where it's located?
>> Are you properly protecting it?
Breaches continue to happen but the gov, customers, and regulatory boards are less tolerant of organizations not properly protecting customer info at this point.