I think we should exempt this from double jeopardy: the fines are considered purely punitive, and are in addition to any civil or criminal penalty issued by the courts. This will help ensure that organisations can't just price data breaches in to "move fast and break things" and have no further liability, and that people who've experienced damages much greater than the standard fine don't lose their chance to get suitable compensation.