Search

How can we help?

Icon

GDPR: ICO issues second intent to fine in two days

Just one day after the ICO delivered a notice of intent to fine British Airways £183 million for alleged personal data breaches, it has delivered another, this time to global hotel group, the Marriott International.

In a statement published yesterday the ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the General Data Protection Regulation (GDPR).

The infringements in question related to a global data exposure of approximately 339 million guest records, 30 million of which related to EU residents including 7 million residents in the UK.

These guest records were held on a database operated by Starwood hotels group which Marriott acquired in 2016.

The exposure apparently commenced in 2014 but it was not until November 2018 that the Marriott notified the ICO of the breach. Personal details potentially accessed included names, addresses, passport details, account and booking information and some encrypted credit card details.

What did Marriott get wrong?

The ICO has cited Marriott’s failure to “undertake sufficient due diligence” when it bought Starwood and that it “should also have done more to secure its systems”.

Under the GDPR, organisations must implement appropriate technical and organisational measures to safeguard personal data.

What constitutes sufficient technical and organisational measures is a question of a degree and largely depends on the nature of the processing. If an organisation is in the business of bulk processing of personal data and the risk to such individuals is high because for example the data processed includes identity data or financial information, its technical and organisational measures must be adequate to mitigate these risks.

 Some obvious examples of technical and organisational measures include:

  1. Installation of basic technical systems such as those described in Cyber Essentials, a UK government quality assurance scheme;
  2. Regular testing and monitoring of the adequacy of IT systems;
  3. Implementation and regular review of internal IT and security policies; and
  4. Staff training and education.

ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the GDPR

Lesson to be learned: Data Compliance risk when acquiring a business

The Marriott case illustrates the importance of proper due diligence when acquiring the shares or assets of a business.  It is not always apparent to a purchaser whether a business has fully complied with data protection laws. Organisations that simply play lip service to data protection compliance run the risk of being exposed when and if a data breach occurs. Unfortunately for purchasers such as the Marriott, these failures may only come to light subsequent to completion of the sale.

It is therefore essential that a comprehensive due diligence of an organisation’s technical and organisational measures is undertaken before acquisition. It may also be appropriate to require the seller to provide indemnities in respect of data protection compliance within the asset or share sale documentation.

For sellers of businesses, an audit of data protection compliance is warranted to ensure the business passes any due diligence of potential buyers and guard against potential liability in the future.

If you are considering buying or selling your business, Clarkslegal’s Corporate and Commercial Team, can offer you tailored advice and assistance.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

About this article

Read, listen and watch our latest insights

art
  • 15 September 2025
  • Immigration

Sharp rise in Sponsor Licence Revocations – What employers need to know

The Home Office has reported a record number of sponsor licence revocations over the past year, as part of its intensified efforts to crack down on abuse of the UK’s immigration system.

art
  • 10 September 2025
  • Commercial Real Estate

Trouble at the Table: The Challenges Facing the UK Hospitality Sector in the run up to Christmas 2025

The UK hospitality sector, long celebrated for its vibrancy and resilience, is facing a perfect storm of economic, operational, and structural challenges in 2025.

art
  • 09 September 2025
  • Commercial Real Estate

Le bail commercial anglais: quelques points essentiels à considérer

Typiquement, les baux commerciaux en Angleterre sont de court terme, d’une durée de 5 ou 10 ans, avec un loyer de marché et des ajustements du loyer périodiques en fonction de l’inflation ou d’autres facteurs. 

art
  • 09 September 2025
  • Corporate and M&A

The Failure to Prevent Fraud Offence – be prepared to avoid criminal liability

The failure to prevent fraud offence is a new corporate offence which has come into force on 1 September 2025.

art
  • 08 September 2025
  • Employment

Can employers still make changes to contracts after the Employment Rights Bill?

The short answer is yes but it will be much more difficult for employers following the introduction of the Employment Rights Bill because their ability to fairly dismiss employees who do not agree contractual changes is being restricted. 

art
  • 05 September 2025
  • Privacy and Data Protection

When Ignoring a DSAR Becomes a Criminal Offence

On 3 September 2025, Mr Jason Blake appeared at Beverley Magistrates Court and was fined for failing to respond to a data subject access request (DSAR).