The WP29 guidance on administrative fines under the GDPR mentions Article 25 (Data protection by design and by default) four times. On page 13 of the guidance document, WP29 states as one of the parameters used when assessing fines: “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;”
Has the controller implemented technical measures that follow the principles of data protection by design or by default (Article 25)?
Has the controller implemented organisational measures that give effect to the principles of data protection by design and by default (Article 25) at all levels of the organisation?
If you do not bake privacy and security into the day-to-day operations of the organization, you may be putting yourself in harm's way with regard to the sanctions you may face.
Failure to report a breach to the SA within 72 hours, failure to respond to a Subject Access Request within the 30 days, a highly visible lack of a proper privacy notice, explicit consent, specified purpose of processing, etc. in the proper visible place, and publicized breaches/data loss are all going to be potential starting points.
I think that we might also see a lot of speculative lawsuits:
Not selecting Google specifically in these examples, but scale has got to be a play here.
Once something is under the purview of an SA, then breach of principles, transfer to third countries without adequacy, unauthorized processing by controllers, ignorance of data flows that process Personal Data, sprinkling privacy on top of the system (not by design, not by default, as in the OP's post) and multiple offences ignoring the DPO are all going to make it hurt more.
Big game hunting season for SAs starts in May 2018, but I think/hope they will show some restraint, as normalising large administrative fines would arguably make lawsuits much more likely if the damages resulting from them are proportional.
That said, until it goes live and we get data we really don't know; we can infer from current enforcement actions, but given the febrile atmosphere around privacy right now, all bets are off. I'd look at any model of risk starting with 1) how do they find out and start digging? 2) Once they do, how naughty has the organization been?