Data subjects have the right to sue in the event of a data breach; a data subject can sue for material or non-material damage. Even if there is a breach and no financial or reputational damage was suffered, the subject can still sue.
Under GDPR, if the ICO does not take any action, it can also be sued. The regulations do not set an upper limit on what the courts could award.
The supervisory authority (the ICO in the UK) can impose large fines:
Tier 1 breaches: 20m or 4% of turnover
Tier 2 breaches: 10m or 2% of turnover
TalkTalk was fined just under £500k by the ICO for its previous breach. Had it been fined under the new rules, it would have faced a significantly larger fine, one that would have a real impact on its business, unlike previous fines.
The ICO also has other sanctions available. It is unlikely that the ICO will hand out fines at the higher end of the scale straight away; however, it could stop you processing data, which could pose a bigger loss to your business. Can your business function without processing data?