The GDPR applies to any organization that stores, shares, sends or receives the personal data of people in the European Union or the UK, wherever in the world that organization is based, provided it offers goods or services to those people or monitors their behaviour. Fines for breaches are substantial: up to €20 million or 4% of annual worldwide turnover, whichever is greater. Post-Brexit the same regime continues to apply in the UK as the UK GDPR, where the maximum fine is £17.5 million or 4% of turnover.
The GDPR requires that any communication containing personal data, meaning data from which a person can be identified, be kept secure. Organizations must put in place appropriate technical and organizational measures to protect the confidentiality of that data, and if a communication is read by someone not authorized to see it, that is a personal data breach.
Free webmail accounts are free for a reason: the provider gets access to the data. Unless a message is end-to-end encrypted, the provider holds it in readable form, so when you send an email containing personal information to a free webmail address, the provider can read that information just as the client can, and the provider's own terms of service, not any agreement with you, govern what it may do with it. You have, in effect, disclosed your client's personal data to a third party with whom you have no contract, and that is a breach of the rules.
The breach arises because the client is using a free webmail account. If the client had their own email system, or a business account with a provider that is contractually bound to act only on the account holder's instructions (as companies do), the problem would not arise in the same way. It might seem a little unfair that the company, not the client, is the one liable for the fine, but the company, as the data controller, chose how to send the data, and those are the rules. Companies can avoid the problem either by not sending personal data by email at all or by implementing a corporate email encryption solution. Note that transport encryption alone (TLS between mail servers) is not enough, because the receiving provider still stores the decrypted message; the solution has to encrypt end to end, for example with S/MIME or PGP, or replace the email with a link to a secure portal from which the client retrieves the data after authenticating.