The key is to set multiple avenues of responsibility. It may be easy to find loopholes individually, but collectively it would become too burdensome. At least, for the company, make skirting the charges be as costly as following suit.
There is a very long list of companies who have been fined for GDPR violations, and several which have been fined repeatedly. It's not working. Show me a list of companies which have been dissolved or were broken up and sold off after GDPR violations. Then it might be enough to be taken seriously.
