@smiddy,
This is due to several issues:
GDPR is relatively new. The national and international agencies that are responsible for informing, policing and enforcing the law are often overwhelmed and understaffed. They are also somewhat lenient as not all aspects of the rules are entirely clear yet (there is little jurisprudence and precedents).
Unfamiliarity of the agencies with all the companies and organizations that fail to uphold the law in this regard. How could an agency know JW elders have your ADD on their private PC unless someone complains about it? And of course the good little JW aren't gonna complain. Those who don't report child abuse certainly would not report a simple violation of privacy laws, would they? So the enforcement agencies are often in the dark.
It's interesting though that the more visible issues of Watchtower and GDPR are already being addressed. In Finland, JW were convicted for violating GDPR by taking and keeping records during field service. JW argued those notes are exempt as for strictly personal use. The courts disagreed. JW appealed to EU courts, but they agreed with Finland. So now in all of Europe JW have a problem as their field service notes are considered to be subject to GDPR. I know the Dutch government is already aware of this too, and probably the same is true for other countries too.
But processes like these run slowly....