
The maximum fine allowed by GDPR is "10 million or 2% of global revenue, whichever is higher". The goal is to ensure the GDPR "has teeth" even against companies for whom 10 million is a drop in the bucket.

Keep in mind that large parts of the GDPR were already law in many EU countries, meaning there's years' worth of enforcement activity that you can look up to see how similar laws were enforced.

And mostly that has not been "handing out the biggest fines possible" and more "fines scaled to how grossly you violate the regulation". Companies who try their best to follow the law, have good processes and respond promptly, get a slap on the wrist or even just a warning if they remedy the issue fast. Companies that blatantly violate the law and stonewall regulators get the harsh fines.



