> Does GDPR have any non-monetary enforcement?

Yes:

https://gdpr-info.eu/art-84-gdpr/

> Member States shall lay down the rules on other penalties applicable to infringements of this Regulation

So every country can create whatever penalties they want, as long as they are "effective, proportionate and dissuasive".

It has a maximum, not a minimum: The higher of 4% turnover OR €20m. That means even with 0 revenue, your fine can be up to €20m (It won't, because if you're not making money your small fry to them, but still, the fine can be greater than 0)

20m euro or 4% of revenue, whichever is higher, is the max fine. Up to the individual to say how truly likely it is a small revenueless project could possibly get fined, even with large amounts of malfeasance.