Elizabeth Denham - head of the ICO (responsible for overseeing the GDPR in the UK) - gave a speech last week to an audience made up primarily of public sector leaders. It's well worth a read though - she reiterates the fact that her organisation is not looking to fine organisations without good reason - they realise that not everyone will be compliant on day 1. So long as you are on the path to compliance then you are unlikely to receive huge fines for a breach - but they do want to see that you are trying!
This is a long haul and preparations will be ongoing. But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair.