ICO's past behaviour may not be indicative of the future
One also needs to understand that under the new Regulation, it is highly likely the EU Commission will have the powers to intervene in situations where a DPA has not taken sufficient action in a case. This means that ICO are likely to take more action against the private sector than they have in the past, especially as they are probably the most complained about DPA in Europe.
In my experience of the EC, at least one situation involving the ICO became the second largest public complaint issue the Commission had ever handled and it is certainly likely based on my ongoing work in this arena, that the situation has not improved.
That said, even if ICO do not significantly increase their actions against the private sector, the Commission will soon be in a position to do something about it, directly. Therefore, it is advisable that the private sector start to take privacy and security matters more seriously - ICO may not be an ally they can hide behind for much longer.