GDPR is "supposed" to hold companies responsible for breaches and bad access controls. This is a different beast than liability protection for content.