Under GDPR and other data regulations, the UK and EU routinely fine companies not just for data breaches but also for unnecessary data collection and data processing, even when no sensitive data is actually leaked.

In common with most UK & EU legislation, very little of the UK and EU GDPR is prescriptive. Most of the clauses require an entity to take action to avoid certain outcomes or to behave in a certain manner, but the ‘actions’ are not defined. In contrast to many industry-specific regulations, there is no defence or leniency in being able to prove that you have made the effort: it is the outcome that counts.

Article 25 of UK & EU GDPR is the critical catch-all. Whilst it is fuzzy, stating that companies must ‘put in place appropriate technical and organisational measures’, the history of fines clearly demonstrates this means far more than simple encryption of data at rest. Compliance requires extensive segregation of data and highly restricted programmatic and human access.
Whatever happens to the laws of other nations, the EU makes it clear that if you process data of a person in the EU you must conform to EU regulation regardless of where you operate from or are legally based. So to achieve maximum ROI, it is safe to assume that EU GDPR compliance is a requirement.