Experts Say It's Further Proof Of The Regulator Stepping Up Its Activity
The ICO has issued a notice of its intention to fine hotel group, Marriott International, £99.2m for infringements of the General Data Protection Regulation (GDPR).
The news follows the announcement earlier in the week that the ICO intends to also fine British Airways £183m for a data breach.
In the case of Marriott, the infringement relates to a cyber incident which was notified to the ICO by Marriott in November 2018.
A variety of personal data contained around 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA).
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Prior to the General Data Protection Regulation coming in to force the maximum fine that could be levied in the UK was £500,000. The maximum fine that can now be imposed against an organisation is up to 4% of global annual turnover.
Lauren Burrows, an associate in the data protection team at Irwin Mitchell, said: "This latest development demonstrates that the Regulator is doing what it said it would and is now stepping up its activity and willing to hand out some significant punishments for data breaches under GDPR. The warnings have been clear and organisations must take action to ensure they are not the latest to be hit by these new and much higher fines.”
Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light.
The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.