However, crunching the numbers on past punishments, a couple of things become clear. Marketers plying their trade at everyday companies are not the major transgressors.
No, that honour goes to the public sector. According to figures from The SMS Works, the sector is responsible for more than a quarter of punishments.
The financial services industry is typically considered the worst transgressor, but the public sector accounts for nearly twice as many fines compared to financiers. Ironically, if there were two public bodies that the person on the street believes they can trust, it would have to be the NHS and the police -- but they are actually responsible, between them, for one in three of the public sector's fines.
Lifting the lid here, something this column has made clear on several occasions comes to the fore.
The NHS and police fines have been for data loss, not a marketing team misusing personal information.
Indeed, overall, between 2014 and the end of last year, just over half of fines were for data breaches. In addition, a quarter are for nuisance calls. That leaves the remaining quarter to be split between email and SMS marketing, mostly in the favour of SMS.
So there is a huge irony here. GDPR is nearly always talked about in relation to email lists and the CRM software used to build customer segments so messages are relevant. However, only around 7% of fines have traditionally been found in this sector.
There has also been a large increase in the level of fines. They have increased more than fourfold between 2014 and 2018, and that trend would appear to be on the verge of accelerating now that GDPR has increased the ICO's powers.
In fact, BA and Marriott are currently contesting fines of a combined GBP280m. If those appear to be unsuccessful, the ICO will have ended up fining companies twelve times more in one year than in its entire previous history, The SMS Works' figures suggest.
Again, these are not for marketing mistakes but for data being stolen by hackers. This column has made the point many times, the headline fines brought in by GDPR would always be for massive hacks, not emailing someone who has unsubscribed from a list.
Private sector company marketers can perhaps sleep a little easier tonight, as long as they have ensured they are GDPR compliant. For heads of IT and cyber security at businesses -- and particularly, public sector organisations -- the news isn't quite as reassuring.