Maybe if data leaks were treated like H&S, where corporate and individual criminal responsibility is assigned and poor performance can result in losing your house and going to jail, then we'd see companies take it seriously.
From the Data Protection Act 2018:
Liability of directors etc
(1) Subsection (2) applies where—
(a) an offence under this Act has been committed by a body corporate, and
(b) it is proved to have been committed with the consent or connivance of
or to be attributable to neglect on the part of—
(i) a director, manager, secretary or similar officer of the body
(ii) a person who was purporting to act in such a capacity.
(2) The director, manager, secretary, officer or person, as well as the body
corporate, is guilty of the offence and liable to be proceeded against and