[daveoflynn]

> Do the regulators take into account whether the firm is actually at fault?

To echo others: yes, a lot. To quote the Information Commissioner:

> "I have no intention of changing the ICO’s proportionate and pragmatic approach after 25 May [the GDPR intro date] ... Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law."

A good overview of the ICO's approach: https://www.pinsentmasons.com/out-law/news/gdpr-uk-watchdog-...

The whole draft policy for how the ICO applies its powers is here. It's a good read, but not short: https://ico.org.uk/media/2258810/ico-draft-regulatory-action...