It is the threat of a fine that seems to push security work in my organisation. Not the proactive aim of actually looking after data because it is the correct thing to be doing. 🙂