GDPR & Co are such a complex and heavy-weighing thing that I'd say nearly all companies break it - not by intention but because of failing to implement it:
Esp. in large legacy environments it's often very difficult to get everything right.
And then you have all this cloud and outsourcing stuff etc. - that makes it a real burden to implement, and auditors very often do not check these implementations in that much detail, depending on the business.