500,000-pound data protection fines are simply not enough