[outsideoflife]

Under what circumstances are you expecting to receive a $5m dollar fine? To me (who is assessing this risk at a UK SME) the idea of an SME receiving this kind of fine is absurd. As the poster above said, the law asks for proportionate fines.

The big number max fines in GDPR are there to deal with companies like Google and Facebook who can write of $5m as a rounding error.

People who have been fined at all under the existing DPA, being enforced by the very same people as GDPR, have been negligent, repeat offenders. I don't believe anyone has ever received the maximum fine in the existing regulations. That just isn't how UK law works