News over recent days that the ICO is intending to fine BA £183m and Marriott International £99m is remarkable for a number of reasons.
Firstly, and crucially, these are merely "notices of intent" – most recent figures obtained by this firm under the Freedom of Information Act indicate that nearly one in three ICO notices of intent ultimately either get cancelled, or result in a lower final penalty.
Secondly, the legality and fairness of the ICO's investigative procedure have come under serious – and extraordinary – challenge in the recent case involving Facebook, in which the latter is alleging bias, pre-determination and procedural irregularity. It is quite possible that similar arguments will be aired in any challenge to the notices of intent.
Thirdly, the notices of intent were announced initially not by the ICO, but by the recipients, under their market notification obligations. To this extent ICO's hand has been forced, and it will definitely be hoping it has got its factual and legal analyses right, because the challenges coming its way are likely to be robust and costly.
Fourthly, these sums are huge, market-influencing ones. Up until now people were certainly concerned about GDPR, but this news makes it very clear that fines arising from alleged non-compliance have become a major corporate risk factor.
No one should over-react to this news. But everyone should pay very close attention to developments.