UK companies could find it difficult to show they are protecting data under GDPR in the absence of clear guidance from the Information Commissioner’s Office. The fines levied against British Airways and Marriott have put firms on notice, but input is still needed.