I guess it will not be a total surprise to you that the GDPR will hit on May 25th, in just a few days? But are we ready to meet the enhanced requirements of Article 25 - “by default & by design”? Have we adjusted the systems development lifecycle to comply with the GDPR, or are we just taking the existing methods into the new era of legislation without the proper and necessary changes being applied? If so, problems may arise.
Fair question, and I suspect that the answer is a resounding "No".
Wide acceptance of agile development methodologies, decoupled from education in security subject matter, has resulted in the Minimum Viable Product mentality in companies that are rushing features and capabilities to the market, risk be damned.
Inevitably, the number of vulnerabilities and resulting compromises is on the rise. Very few entities are capable of defining what "secure by design" actually means in relation to their product(s) or services, never mind actually implementing and maintaining it.
When we consider what resources are actually necessary for the implementation of sound GRC and corresponding controls, we will inevitably arrive at a certain baseline in the number of positions and people required for it. This could be attained by companies of a certain size and with deep pockets.