How can we help?


GDPR: ICO issues second intent to fine in two days

Just one day after the ICO delivered a notice of intent to fine British Airways £183 million for alleged personal data breaches, it has delivered another, this time to global hotel group, the Marriott International.

In a statement published yesterday the ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the General Data Protection Regulation (GDPR).

The infringements in question related to a global data exposure of approximately 339 million guest records, 30 million of which related to EU residents including 7 million residents in the UK.

These guest records were held on a database operated by Starwood hotels group which Marriott acquired in 2016.

The exposure apparently commenced in 2014 but it was not until November 2018 that the Marriott notified the ICO of the breach. Personal details potentially accessed included names, addresses, passport details, account and booking information and some encrypted credit card details.

What did Marriott get wrong?

The ICO has cited Marriott’s failure to “undertake sufficient due diligence” when it bought Starwood and that it “should also have done more to secure its systems”.

Under the GDPR, organisations must implement appropriate technical and organisational measures to safeguard personal data.

What constitutes sufficient technical and organisational measures is a question of a degree and largely depends on the nature of the processing. If an organisation is in the business of bulk processing of personal data and the risk to such individuals is high because for example the data processed includes identity data or financial information, its technical and organisational measures must be adequate to mitigate these risks.

 Some obvious examples of technical and organisational measures include:

  1. Installation of basic technical systems such as those described in Cyber Essentials, a UK government quality assurance scheme;
  2. Regular testing and monitoring of the adequacy of IT systems;
  3. Implementation and regular review of internal IT and security policies; and
  4. Staff training and education.

ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the GDPR

Lesson to be learned: Data Compliance risk when acquiring a business

The Marriott case illustrates the importance of proper due diligence when acquiring the shares or assets of a business.  It is not always apparent to a purchaser whether a business has fully complied with data protection laws. Organisations that simply play lip service to data protection compliance run the risk of being exposed when and if a data breach occurs. Unfortunately for purchasers such as the Marriott, these failures may only come to light subsequent to completion of the sale.

It is therefore essential that a comprehensive due diligence of an organisation’s technical and organisational measures is undertaken before acquisition. It may also be appropriate to require the seller to provide indemnities in respect of data protection compliance within the asset or share sale documentation.

For sellers of businesses, an audit of data protection compliance is warranted to ensure the business passes any due diligence of potential buyers and guard against potential liability in the future.

If you are considering buying or selling your business, Clarkslegal’s Corporate and Commercial Team, can offer you tailored advice and assistance.

About this article

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

  • 01 June 2023
  • Employment

Facts employees should know about their personal data

We previously published an article on facts an employer should know about holding personal data, so it is only fair that we also write about the other side of the coin – facts employees should know as individuals whose personal data is held by their employer.

  • 01 June 2023
  • Immigration

What is the Immigration Skills Charge (ISC) and how much do you have to pay?

The Immigration Skills Charge (ISC) is a levy on companies who sponsor migrant workers. This levy was imposed on 6 April 2017. The Government states that the charge has been levied to contribute towards addressing the skills gap in the local economy.

  • 26 May 2023
  • Employment

Avoiding discrimination in flexible working requests

The right to request flexible working is currently available to employees with at least 26 weeks’ service and is set to be extended further under new Government reforms.

  • 25 May 2023
  • Corporate and M&A

Management Buyout – Top 5 things to consider

A management buyout is a financial transaction in which a member of the management team purchases the company from its registered owner. MBO’s usually occur in private companies in an effort to enhance profitability and simplify strategies.

  • 25 May 2023
  • Employment

Carer’s Leave Bill set to become law

On 19 May 2023, the Carer’s Leave Bill had its third reading in the House of Lords, and upon receiving Royal Assent, will become law. There is not yet a date for the implementation of this bill, however it is likely that this will happen relatively quickly upon receiving Royal Assent, so is definitely one to keep an eye on.

  • 18 May 2023
  • Immigration

Navigating SOC Codes

When it comes to UK immigration, understanding the intricacies of the system is vital. One significant aspect of the process revolves around Standard Occupational Classification (SOC) codes. SOC codes play a crucial role in determining the eligibility for an individual to apply for a work visa, assessing skill levels, and matching individuals to appropriate job roles.