It is interesting that the fines get the bulk of the attention, while the opportunity is so rarely even mentioned.
It is much the same as the 'old' days of Corporate Security, Risk and Resilience: "you need to have Corporate Security, or bad things will happen...". Spreading fear, uncertainty and doubt entirely misses the point of the business value and opportunity that lies within: there are risks in non-compliance, and there are opportunities in compliance. There is too little focus on the opportunities that GDPR compliance will undoubtedly present.
Knowing what data you have, securing that data, and managing that data effectively will reduce risk, help identify new business opportunities and maximise existing revenue streams. I believe what we'll see is an equally significant impact from the resultant damage to both brand and reputation following a severe breach or non-compliance, rather than from the fines alone.
Fines at the upper 4% level may well be the last resort. The ICO is a public body; yes, it needs to enforce, but it is unlikely to want to put companies out of business on a frequent basis. The ICO has said "[Fines] may be avoided if organisations are open and honest, and report without undue delay". The brand and reputation aspect will be critical, especially where consumer (B2B or general public) trust is intrinsic to the value proposition of the enterprise.
What is definite is the date on which GDPR becomes enforceable: May 25th, 2018. There are still businesses that haven't even considered how they will attempt to comply, much less how they will seize the opportunity.
If you would like to learn more and have a balanced discussion about the opportunities as well as the risks, and about how we can support your unique compliance requirements, contact firstname.lastname@example.org