by M2Ys4U 968 days ago
Respectfully, you're talking nonsense.

The GDPR doesn't mandate fines of 4% regardless of the nature of the breach. That's the maximum size of the fine.

You should go ahead and actually read the text of the GDPR. Specifically, Article 83.

Paragraph 1 states that "the imposition of administrative fines [...] in respect of infringements of this Regulation [...] shall in each individual case be effective, proportionate and dissuasive".

Paragraph 2 lists eleven factors that the SAs have to have regard to when setting fines, and top of the list is "the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them".