If we had taken a bet last year, most people would have been convinced that the ICO would issue huge GDPR fines. These would have been calculated based on turnover even if the issue had been caused by a malicious cyber attack. Evidence of this approach was the ICO’s announcement of its intention to issue the extraordinary fines of £183.39 million to British Airways(1) and £99 million to Marriott International(2) in 2019. However, for those ever sceptical amongst us, this image did not quite sit with the ICO’s reputation or normal business practice. And that is a good thing, because it is our experience that being an assertive, reasonable and professional regulator is the best way to influence market practices.