(no title)

Keep in mind that large parts of the GDPR were already law in many EU countries, meaning there's years worth of enforcement activity that you can lookup to see how similar laws were enforced.

And mostly that has not been "handing out the biggest fines possible" and more "fines scaled to how grossly you violate the regulation". Companies who try their best to follow the law, have good processes and respond promptly, get a slap on the wrist or even just a warning if they remedy the issue fast. Companies that blatantly violate the law and stonewalling regulators get the harsh fines.