How Can Organisations Protect Themselves Against GDPR Fines and What Should They be Prioritising?