In 2018, after years of planning, the General Data Protection Regulation (GDPR) was introduced by authorities across Europe. It aimed to modernize the laws that protect individuals’ private information, laws which had not been updated for nearly two decades. The GDPR was designed to give formidable power to data protection authorities, establishing the threat of fines of up to €20 million or up to 4% of an organization’s global annual turnover, whichever is greater. Two years on, although over 160,000 data breaches have been reported, only a small number of companies have been issued with a punishment. Enforcement has indeed varied widely across countries, and last year we caught a glimpse of what the data breach landscape may look like in terms of fines in the UK. The Information Commissioner’s Office (ICO) has issued a notice of intention to fine British Airways £183 million, in addition to a potential £3 billion compensation pay-out, after the personal data of around 500,000 customers was exposed through their website and app. Marriott has also been issued with a notice of intention to fine in the sum of £99 million. In comparison, almost a third of countries reportedly have yet to issue a single fine.