On the other hand it is always convenient to hide behind the "We big, careless, silly org, we no knows how to handle data.". If we apply too many razors, then they are just gonna cut our freedom away. At some size of organizations negligence becomes malicious, since they ought to have people knowing how stuff should be handled and they most likely ignore it.

What is more likely? Everyone at an organization's IT, sales and data protection department is incapable of doing their job, or someone doesn't give a damn, calculating, that preventing such things from happening costs too much?