General Data Protection Regulation (GDPR) privacy law came into full force on May 25, 2018. Failure to comply exposes organizations to fines of up to 4% of their annual global revenue or 20 million ($23.3 million) A four-year breach exposed the personal information for about 430,000 customers, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised. BA and Marriott fined BA 184 million ($238 million) and Marriott 99 million ($128.2 million) in July 2019.”]
Source: https://www.inforisktoday.com/blogs/marriott-bas-reduced-privacy-fines-gdpr-realpolitik-p-2963