Here are some cases. The first is a company that was processing sensitive data (health data) who had to register with the ICO in the UK. They didn't register. They were not fined at all, because they were asked to register and did so. (Last paragraph). https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...
Here's an organisation that had video interviews with children who were the victims of sexual abuse. The organisation put these videos on DVDs with no encryption, and sent them through regular mail. The DVDs were lost. This is a repeat of a previous data loss from this organisation. Despite the severity of this breach, and the repeat, and the lack of protective action, the organisation was not fined the maximum available fine. https://ico.org.uk/action-weve-taken/enforcement/crown-prose...
There is no caselaw on the GDPR and no way to predict how fines will be levied. You can speculate how it will be enforced (as you have), but businesses tend to avoid speculation when assessing risk.
The parent post is entirely speculation. It is speculation about how a new law will be enforced. It’s not even very robust speculation since after March 2019, the GDPR will not be enforced by any organisation in the UK.