By James Castro-Edwards and Eavan Prenter (October 26, 2018, 2:25 PM EDT) -- Recently, the U.K. Information Commissioner's Office announced that it was issuing a penalty of £500,000 to Equifax Ltd. for a cyberattack affecting the personal data of millions of people in the U.K. — the highest penalty available under the Data Protection Act 1998. The ICO has had the power to issue financial penalties of up to £500,000 since April 2010, yet until this year it had never awarded the maximum penalty. Then in July the regulator announced its intention to fine Facebook £500,000 for Facebook's actions in the Cambridge Analytica scandal, and now it has awarded the maximum penalty to Equifax. Many will see this decision as a sign that the commencement of the European General Data Protection Regulation in May has already bled into the ICO's decision-making, and that from now on we can expect to see a tougher stance from the ICO, reflected in an increase in the number and size of fines, but is this decision really such a departure?...