The substance of this line of criticism is that yes, it's
probably going to be fine. But if it's not, they can fine you at 4% of global turnover. They
probably won't, but they
literally can. "I read on a blog that they'd be nice and send me a warning first" gets you exactly nowhere in court ("very well, but what did your lawyer tell you?"). The article praises the GDPR for having teeth -- being timid can be something you are because that's your nature, or it can be something your are because you don't have teeth.
This is what risk is. Absolutely, don't panic. But responsibly managing risk means considering the 100% real and existing option of regulators abandoning their previous caution and trying out their new teeth. Perhaps they get reined in, but perhaps that takes 10 years, or perhaps it turns out to be politically convenient not to rein them in a all. There are 28 EU countries, so 28 regulators, only one ambitious rising star at one of which need to "break bad".
Yes, I agree that this is probably a very small risk. But having a calm and correct view of the fact that there is a risk is 100% the right move here. Something like every other lawyer in Europe is worried about this right now, and do think it's a bit of a big deal. Don't panic, but take the advice of a non-lawyer's blog over your actual lawyer's at your own extreme peril.
