Re: To be fair (?!) ...
"GDPR should have been worded to explicitly outlaw the transmission and storage of unencrypted personal data outside of a company controlled network"
So you're saying that unencrypted files of user data on corporate laptops are OK?
Or on department file servers?
Sounds a lot like you're responsible for the NHS network!
In this particular example it doesn't matter a jot whether the data was encrypted or not - S3 offers server-side encryption that would satisfy your rule and it may well have been enabled. Wouldn't affect the outcome at all.
Legislation should never mandate a technical approach, it should define requirements. Otherwise it stifles progress and just invites stupid implementation.