OK, so I am not presenting this as typical. It's not typical. It can't be typical. Surely... No, it genuinely isn't typical, but the Italian DPA has just fined a British company €5,880,000 for a data breach involving just 1,000 individuals. The backstory is complex - it was part of a money laundering act - but the authorities have confirmed that the fine was for the data breach and not the laundering.
The particularly scary point made in the article is that the fines were the maximum amount legal under the current data protection rules - but, post-GDPR in May 2018, the fines would likely be far higher!
If you are concerned about GDPR, the place to go is https://www.dillistone.com/gdpr-executive-search/
It fined Sigue €10,000 for each of the 583 individuals whose data consent rights were violated, amounting to a total of €5,830,000.