Re: Max fine
"the regulator has no qualms about setting maximum fines for the really big offences" - I don't think that is what is going on here. I think what happened is that GDPR has upgraded the scale for fines like this. In other words the regulator thought about what fine they would levy if GDPR applied, and then capped it at what the DPA allowed.
I would be surprised if they would hand out a maximum fine under GDPR for this; but of course, even 0.4% of global turnover would get the attention of the boards of the other credit agencies.