I’ve posted some GDPR stuff on Jyutsu.com
My high-level map of GDPR fines (pdf)
Although my PhD research is not on GDPR fines, the outcome from my research should help organisations to be better prepared to respond to data breach incidents.
Not notifying affected data subjects when ordered to do so by the data authority (ICO) falls under the higher 1st level of fines, i.e. 4% of turnover or EUR 20M. Failure to notify a data breach to the data authority (ICO) and to data subjects exposes organisations to the 2nd level of fines, i.e. 2% of turnover or EUR 10M. In essence, be prepared to be fined when you fail to comply with the breach notification requirements, Art 33 and Art 34.
Note that when organisations have a security breach, i.e. a failure to comply with the data processing principles in Art 5(1)(f) (failure to use appropriate technical or organisational measures), this falls under the higher 1st level of fines.
So there is no way to avoid the fines unless you can totally avoid security breaches or avoid falling foul of the data processing principles.