The ICO has had 20 years to establish their pattern, and it seems to be pretty well set by now. They basically do fuck all about individual complaints, unless perhaps it's something incredibly serious. I recently had to take a data bureau to court for selling my details without permission (and won an out of court settlement for 500GBP) for spam, because the ICO did fuck all. I have another case pending against the very large UK company that used 2 separate data bureaus to spam me without permission.

So if the ICO won't sanction a very large company for clearly violating PECR, I really wouldn't worry. They only take action if they get thousands of complaints. I very much doubt that GDPR is going to change this behaviour, but I would love to be proven wrong.

If they are not in the EU and not doing anything out of the ordinary then yes.

Life is full of risk and the GDPR is right down towards the bottom of things to worry about at this point if you are outside the EU. I suspect this is also the case if you are inside the EU too, but we will soon know.