The U.K.’s Information Commissioner’s Office has significantly reduced the GDPR penalties from its original notices of intent for both British Airways and Marriott. The enforcement actions, along with a more recent action against Ticketmaster UK Limited, show that the agency is refining its approach to GDPR regulatory fines, but still expects all data controllers to have robust security measures in place, including measures covering third parties. The cases also shed light on how the agency is factoring the economic ramifications of the pandemic into its fines. We analyze the cases and the penalties issued by the ICO as the lead supervisory authority, and how the ICO’s role will change in 2021. See “A Considered Cooperation Approach Is Vital in ICO Data Protection Audits,” (Apr. 1, 2020).