If you'll give me 20 seconds to open article 83, I think this is one of the lucky provisions where we have no excuse because we have all the opportunities to consider. I'm quoting now the relevant paragraphs:
(a) the nature, gravity and duration of the infringement taking into account the natural scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor;
Another important point relates to the degree of co-operation with the supervisory authority to mitigate the possible nefarious effect. How many data subjects have been involved? What about the categories of personal data or data subjects involved? How has a data controller been proactive in approaching the supervisory authority to confess the breach? How do they notify them of the infringement? Are they following codes of conduct? Do they consider other circumstances, for instance financial benefits they got from the infringement?
All these criteria can be applied to four categories of breaches. We cannot treat every breach in a single way. In addition to the criteria I've just mentioned, we should also consider the seriousness of different violations so we are reasonable, we are credible. Otherwise, people would not understand.
We need to avoid a system whereby the fines are simply a budget line item for a big corporation. We need to increase the amount of fines where and when dispensable, but in the end we need to consider the amount of money and the energy that the controller, in the process, has spent on the case.