That's not how GDPR is enforced. A relatively minor, harmless infraction will get at most a letter from the regulator asking for it to be fixed. More likely is that fuck all will happen, which is what currently happens in the UK.
Huh, I thought it was grounds for a hefty fine right off the bat. What about horns being trumpeted that GDPR is going to stifle innovation (smaller companies unable to muster the legal force to comply)?
They want you to comply, first and foremost. If you comply, then no fines. If you don't comply, you'll get fined; that's how I understand it.
GDPR is a process; it's about pushing companies to good practices through compliance. A lot of it makes sense, for example, making sure your staff understand basic IT security practices, which is no different to health and safety.