Search

How can we help?

Icon

GDPR: ICO issues second intent to fine in two days

Just one day after the ICO delivered a notice of intent to fine British Airways £183 million for alleged personal data breaches, it has delivered another, this time to global hotel group, the Marriott International.

In a statement published yesterday the ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the General Data Protection Regulation (GDPR).

The infringements in question related to a global data exposure of approximately 339 million guest records, 30 million of which related to EU residents including 7 million residents in the UK.

These guest records were held on a database operated by Starwood hotels group which Marriott acquired in 2016.

The exposure apparently commenced in 2014 but it was not until November 2018 that the Marriott notified the ICO of the breach. Personal details potentially accessed included names, addresses, passport details, account and booking information and some encrypted credit card details.

What did Marriott get wrong?

The ICO has cited Marriott’s failure to “undertake sufficient due diligence” when it bought Starwood and that it “should also have done more to secure its systems”.

Under the GDPR, organisations must implement appropriate technical and organisational measures to safeguard personal data.

What constitutes sufficient technical and organisational measures is a question of a degree and largely depends on the nature of the processing. If an organisation is in the business of bulk processing of personal data and the risk to such individuals is high because for example the data processed includes identity data or financial information, its technical and organisational measures must be adequate to mitigate these risks.

 Some obvious examples of technical and organisational measures include:

  1. Installation of basic technical systems such as those described in Cyber Essentials, a UK government quality assurance scheme;
  2. Regular testing and monitoring of the adequacy of IT systems;
  3. Implementation and regular review of internal IT and security policies; and
  4. Staff training and education.

ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the GDPR

Lesson to be learned: Data Compliance risk when acquiring a business

The Marriott case illustrates the importance of proper due diligence when acquiring the shares or assets of a business.  It is not always apparent to a purchaser whether a business has fully complied with data protection laws. Organisations that simply play lip service to data protection compliance run the risk of being exposed when and if a data breach occurs. Unfortunately for purchasers such as the Marriott, these failures may only come to light subsequent to completion of the sale.

It is therefore essential that a comprehensive due diligence of an organisation’s technical and organisational measures is undertaken before acquisition. It may also be appropriate to require the seller to provide indemnities in respect of data protection compliance within the asset or share sale documentation.

For sellers of businesses, an audit of data protection compliance is warranted to ensure the business passes any due diligence of potential buyers and guard against potential liability in the future.

If you are considering buying or selling your business, Clarkslegal’s Corporate and Commercial Team, can offer you tailored advice and assistance.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 20 January 2025
  • Employment

AI Opportunities Action Plan – The impact of AI on employment

The Government has announced its ‘AI Opportunities Action Plan’ in which it plans to increase the use of AI across the UK to ensure the UK is a world leader in the field. 

art
  • 16 January 2025
  • Corporate and M&A

Business Asset Disposal Relief: Changes to CGT Relief and the Consequences for Business Owners

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.

art
  • 14 January 2025
  • Employment

Is this the end of working from home?

In this article, we explore what legal rights employees and businesses have in this context as well as considering more commercial factors.

art
  • 13 January 2025
  • Litigation and dispute resolution

Looking ahead to Dispute Resolution in 2025

2025 is shaping up to be a busy year with  a number of important changes due to be implemented by new legislation. In this article we take a look at a few of the changes affecting litigation and Dispute Resolution. 

Pub
  • 13 January 2025
  • Corporate and M&A

Preparing your business for exit – London Seminar

Join Stuart Mullins, Partner at Clarkslegal, and Nicky Goringe Larkin, Managing Director at Succession Planning, for a seminar on preparing your business for exit at Goringe Accountants London office.

Pub
  • 10 January 2025
  • Privacy and Data Protection

UK Data Protection: What happened in 2024 and what’s in store in 2025?

It’s been a year of political change and uncertainty for data protection. Join our data protection webinar, where we will discuss the implications of the Data Protection and Digital Information Bill not passing and the upcoming Digital Information and Smart Data Bill from the King’s Speech, which will affect existing laws.