GDPR applies to all organizations that deal with personal data of European citizens or residents, but the size of the fine will ultimately depend on the organization’s ability to demonstrate compliance (Article 5).
Failing to do so could result in a fine of up to €20 million, or 4% of the organization’s global annual revenue (whichever is higher).
Organizations that are able to demonstrate compliance, but have not enforced organizational measures to protect personal data, may risk fines of up to €10 million, or 2% of the organization’s global revenue (again, whichever is higher).
Each situation will differ, which is why we suggest you consult GDPR professionals to guide you through your current data protection setup.
However, you can use article 83 to get a better understanding of how the size of fines is determined.
Read "Article 83"