There's nothing wrong with persecuting the large perpetrators first, and only going into the smaller ones once the large get under control. In fact, it's the cost-effective way of doing it.

Besides, the GDPR is not extremely clear, so setting the boundaries in a very public way is a good thing.