It is nothing to large companies, but as far as I can tell, there is nothing that would stop a company from being fined multiple times for the mishandling of each person's data. I doubt there will ever be a case where a company is fined millions for each person's data being stolen, but it does mean that 17 million is not technically the cap.
Ah yes, the ambiguity of laws that haven't been tested or that are dependent on the whim of the regulatory agency. Plus it is very typical to see something like a 50m fine that gets contested in courts and negotiated down over the years to say, 500k.
I think this issue prevents a lot of real progress and explains the divide between those saying corporations aren't regulated vs those saying there is too much regulation. They're both right, but they're both talking past each other. There is way too much regulation that can't be followed, enforced, or even understood. At the same time, a reaction to corporate abuses is to want to add new regulation, but that just keeps the circle going. I suppose the solution is to drastically reduce regulation, but make it extremely clear and reduce ambiguity about the consequences, penalties, and enforcement. I won't hold my breath for this to happen.
That's a start. Percentage fines or fines that scale by the number of victims (without a cap) seem like the only thing that would actually carry real consequences. 17m quid to a company like HSBC is nothing. It has to be an existential threat to the company.
In any case, I'll be curious to see how that works out in the UK.