Is the ICO being too harsh with its GDPR fines?