Skip to content

Hotel chain Marriott second organisation this week to face fine for data protection breaches

Hot on the heels of its first notice of its intention to issue a fine to British Airways for infringements of the General Data Protection Regulation (GDPR), the ICO has issued another notice.

Hotel chain Marriott is facing a fine of just over £99m in relation to a data breach which is estimated to have affected around 339 million customers. The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. The issue appeared when the systems of the Starwood hotels group were compromised in 2014. Marriot bought the Starwood chain in 2016 but the theft of customer information wasn’t discovered until 2018.

The ICO carried out an investigation and has come to the conclusion that Marriott failed to carry out adequate due diligence on Starwood Hotels when it acquired the chain. It should also have done more to secure the systems once it was in charge.

Information Commissioner Elizabeth Denham has said that “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition.”

Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. Marriott will now be given the opportunity to make representations to the ICO as to the proposed findings and sanction.

The fine comes just one day after the ICO released a statement that it had issued a notice of intention to fine British Airways £183m for a data breach that occurred last year and the Information Commissioner has already said that she will “not hesitate to take strong action when necessary to protect the rights of the public” if organisations are not protecting personal data.

The case demonstrates the importance of making sure data security is a paramount consideration in all corporate activities, including corporate acquisitions. All organisations should ensure they are fully GDPR compliant, which includes having appropriate, technical and organisational security.

We will be running a series of workshops in the Autumn on how to handle your data and subject access requests, keep an eye out for further information coming soon.

If you have any queries or concerns about data protection or on the Data Protection Act 2018 or the GDPR more generally, please do not hesitate to get in touch for an initial chat about any issues, and to find out how we can help.

Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.

Follow us on LinkedIn

Keep up to date with all the latest updates and insights from our expert team

Take me there

What we're thinking