The below is from the Information Commissioners Website (The ICO are the body enforcing GDPR in the UK)
What penalties can the Information Commissioner issue?
The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing. Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis.
Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3 – the higher maximum and the standard maximum.
The higher maximum amount, is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries.
If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is 10 million Euros (or equivalent in sterling) or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.