The U.K.’s Information Commissioner’s Office significantly reduced the penalties from its original notices of intent for both British Airways and Marriott, but the penalty notices, along with a more recent penalty levied on Ticketmaster UK Limited, show that the agency, while refining its approach to GDPR regulatory fines, expects all data controllers to have robust security measures, including around third parties. The cases also shed light on how the agency is considering the economic ramifications of the pandemic in its fines. We analyze the cases and the penalties issued by the ICO as the lead supervisory authority, and how the ICO’s role will change in 2021. See “GDPR Enforcement Lessons and New ICO Guidance on COVID-19” (Apr. 29, 2020).