I am amazed that is that the average length of time is so short, although obviously some companies (such as the suspected Uber breech) skew figures. A median value even without a distribution would be useful in such a report.
From 'anonymous' above, I could not agree more. Name and shame which will drive some consumer resistance in order to add pressure to these lazy bastards seems essential. I know there will be an argument that this might deter some of them from reporting, but an independent bounty on 'spots' of GPDR breeches combined with punitive fines (which will pay for the bounty) would be a welcome addition.