But this is not a given every time, and not everyone goes the nice route; some go directly to court. So when you are a small fish, you are better off doing your best to follow the GDPR in the first place than scrambling to avoid sanction in a limited time later. It is not that complicated to not collect data you don't need, to ask before collecting it, and to inform people about what you do with it.