A Proposition for A More Effective GDPR Enforcement

What would be the most effective way of enforcing the GDPR while giving incitement to comply without knocking the company, at the best of customers interest ? Will the ICO ever fine BA and Marriott? Should they ? A proposition for a more effective GDPR enforcement.