"When security requirement are imposed externally, and the likes of GDPR can do that, it becomes in the top team's interest to take is seriously."
Is it? Or is it just a case of the lawyers finding a way out of it? I've yet to see anything really lawyer-proof.