Re: It was a commercial company that screwed up...
Indeed, just like banking. Can't interrupt criminals at work.
Why there isn't a flat fee per individual I don't know.
Non-identifying info - £1 per record
Communication info [cyber] - £2 per address
Communication info [real] - £5 per number
Identifying info [minor] - £10 per record (e.g. name and city - probably not enough to be truly unique)
Identifying info [reversible] - £50 per record (e.g. when combined with another readily available dataset, it become trivial to uniquely identify a person; name, postcode, d.o.b)
Identifying info [full] - £100 per record (without reference to any other dataset, it is possible to uniquely identify someone)
Add in some other entries for financial etc and you can simply calculate a fine, which could well be ruinous even for a small breach (e.g. "Racing Post" could have been on to a £6.7million pound fine). AND THAT'S A GOOD THING!
Well, it will make companies seriously consider if they need to collect that information at all; rather than just doing the data-rape land-grab they do now.