How can we help?


GDPR: ICO issues second intent to fine in two days

Just one day after the ICO delivered a notice of intent to fine British Airways £183 million for alleged personal data breaches, it has delivered another, this time to global hotel group, the Marriott International.

In a statement published yesterday the ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the General Data Protection Regulation (GDPR).

The infringements in question related to a global data exposure of approximately 339 million guest records, 30 million of which related to EU residents including 7 million residents in the UK.

These guest records were held on a database operated by Starwood hotels group which Marriott acquired in 2016.

The exposure apparently commenced in 2014 but it was not until November 2018 that the Marriott notified the ICO of the breach. Personal details potentially accessed included names, addresses, passport details, account and booking information and some encrypted credit card details.

What did Marriott get wrong?

The ICO has cited Marriott’s failure to “undertake sufficient due diligence” when it bought Starwood and that it “should also have done more to secure its systems”.

Under the GDPR, organisations must implement appropriate technical and organisational measures to safeguard personal data.

What constitutes sufficient technical and organisational measures is a question of a degree and largely depends on the nature of the processing. If an organisation is in the business of bulk processing of personal data and the risk to such individuals is high because for example the data processed includes identity data or financial information, its technical and organisational measures must be adequate to mitigate these risks.

 Some obvious examples of technical and organisational measures include:

  1. Installation of basic technical systems such as those described in Cyber Essentials, a UK government quality assurance scheme;
  2. Regular testing and monitoring of the adequacy of IT systems;
  3. Implementation and regular review of internal IT and security policies; and
  4. Staff training and education.

ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the GDPR

Lesson to be learned: Data Compliance risk when acquiring a business

The Marriott case illustrates the importance of proper due diligence when acquiring the shares or assets of a business.  It is not always apparent to a purchaser whether a business has fully complied with data protection laws. Organisations that simply play lip service to data protection compliance run the risk of being exposed when and if a data breach occurs. Unfortunately for purchasers such as the Marriott, these failures may only come to light subsequent to completion of the sale.

It is therefore essential that a comprehensive due diligence of an organisation’s technical and organisational measures is undertaken before acquisition. It may also be appropriate to require the seller to provide indemnities in respect of data protection compliance within the asset or share sale documentation.

For sellers of businesses, an audit of data protection compliance is warranted to ensure the business passes any due diligence of potential buyers and guard against potential liability in the future.

If you are considering buying or selling your business, Clarkslegal’s Corporate and Commercial Team, can offer you tailored advice and assistance.

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 10 April 2024
  • Employment

New Guidance: Confidence to Recruit

The new Government guide in collaboration with the CIPD aims to give employers the confidence to recruit its workforce from a wider range of people including those who may have been overlooked in the past as a problem rather than an asset.

  • 03 April 2024
  • Employment

FAQ’s on the new Carer’s Leave Act

Beginning on 6 April 2024, the Carer’s Leave Act comes into force, meaning carers are now entitled to request 1 week’s unpaid leave to care for their dependants.

  • 02 April 2024
  • Construction

UK housebuilders investigated over suspected exchanges of anti-competitive information

In 2022 the CMA was called upon by the Secretary of State for the Department for Levelling Up, Housing & Communities to conduct a study into the housebuilding sector and provide recommendations on how the sector can operate as efficiently as possible

  • 28 March 2024
  • Corporate and M&A

Legal perspectives on ESG and director duties

In today’s rapidly changing business landscape, the concept of ESG factors has emerged as a guiding framework for companies seeking to thrive in the long term.

  • 27 March 2024
  • Commercial Real Estate

5 key considerations when taking on a lease of a pub property

Taking on a pub property can be both exciting and daunting. Here are 5 key considerations that pub tenants should consider when taking on this new venture.

  • 26 March 2024
  • Employment

Navigating Neuroinclusion: A Guide for Employers

Over the past few years, we have seen a marked rise in awareness of neurodiversity, as well as campaigns for awareness and inclusion in the workplace for neurodiverse employees.