In Alberta, the commissioner can recommend a fine for data breaches. I have studied about 30 decisions like that, and they are effective enough to make companies change their practices when there are problems, even when the fine is $5,000 or $10,000.
If the commissioner has the power and the responsibility to impose fines, those decisions are tough enough for other companies to examine them. The commissioner's decisions are sort of small tests for data breaches that really benefit other companies, in the sense that it spares them from having to do the same thing. That is just one example among others.