Personal opinion, IANAL and all that.
Failure to report a breach to the SA within 72 hours, failure to respond to a Subject Access Request in the 30 days, having a highly visible lack of proper privacy notice, explicit consent, specified purpose of processing etc in the proper visible place and publicized breaches/data loss are all going to be potential starting points.
I think that we might also see a lot of speculative lawsuits:
https://www.youoweus.co.uk seemingly from https://www.mishcon.com/about
Also competitor referrals might be seen as good starting points for business people with a 'Jack Tramiel' mindset:
https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disab... with some thoughts from the register https://www.theregister.co.uk/2017/11/22/google_oracle_location_privacy/
Not selecting Google specifically in these examples, but scale has got to be a play here.
Once something is under the purview of a SA then breach of principles, transfer to third countries without adequacy, unauthorized processing by controllers, ignorance of data flows that process Personal Data, sprinkling privacy on top of the system(not by design, not by default in the OPs post ) and multiple offences ignoring the DPO are all going to make it hurt more.
Big game hunting season for SAs starts in May 2018, but I think/hope they will show some restraint as normalising large adminsitrative fines would arguably make lawsuits much more likely if the damages resulting from them are proportional.
That said until it goes live and we get data we really don't know, we can infer from current enforcement actions, but given the febrile atmosphere around privacy right know all bets are off - I'd look at any model of risk stating with 1) how do they find out and start digging? 2) Once they do, ask how naughty has the organization been?
