
GDPR says otherwise. Cost of remediation of legacy code vs. 4% of worldwide turnover.



_up to_ 4% of worldwide turnover or 20 million $ (whichever is higher).

For local businesses the second one probably sounds much more scary.

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


I still think that will never be enforced on companies that didn't have it coming. I never heard of the EU fining a company in a way that truly hurt them unless they knowingly and exceedingly violated the law.

As an example, Cambridge Analytica was started in 2013 and was presumably a startup when it started doing public manipulation, so that's an example of who I think has it coming if they get a company-bankrupting fine. Your mom and pop shop having a data breach due to a negligent SQL injection won't have to close up just because of that. I would be interested to hear of a case where a company was fined into bankruptcy when it did not totally deserve it. Until then, I feel like reciting this over and over (people often bring it up in a negative context) is just spreading FUD about doing business in the EU.


I can't find any sources now, but there have been numerous fines for minor data breaches. (Like sending a mail to all your clients and putting everybody on CC, not BCC, so each client gets to know all others).

But they absolutely haven't been fined into bankruptcy, just a few thousand Euro.

That's why I underscored the "up to".
