Just one day after the ICO delivered a notice of intent to fine British Airways £183 million for alleged personal data breaches, it has delivered another, this time to global hotel group, the Marriott International.

In a statement published yesterday the ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the General Data Protection Regulation (GDPR).

The infringements in question related to a global data exposure of approximately 339 million guest records, 30 million of which related to EU residents including 7 million residents in the UK.

These guest records were held on a database operated by Starwood hotels group which Marriott acquired in 2016.

The exposure apparently commenced in 2014 but it was not until November 2018 that the Marriott notified the ICO of the breach. Personal details potentially accessed included names, addresses, passport details, account and booking information and some encrypted credit card details.

What did Marriott get wrong?

The ICO has cited Marriott’s failure to “undertake sufficient due diligence” when it bought Starwood and that it “should also have done more to secure its systems”.

Under the GDPR, organisations must implement appropriate technical and organisational measures to safeguard personal data.

What constitutes sufficient technical and organisational measures is a question of a degree and largely depends on the nature of the processing. If an organisation is in the business of bulk processing of personal data and the risk to such individuals is high because for example the data processed includes identity data or financial information, its technical and organisational measures must be adequate to mitigate these risks.

 Some obvious examples of technical and organisational measures include:

1. Installation of basic technical systems such as those described in Cyber Essentials, a UK government quality assurance scheme;
2. Regular testing and monitoring of the adequacy of IT systems;
3. Implementation and regular review of internal IT and security policies; and
4. Staff training and education.

ICO has confirmed it had issued a notice of intent to impose a £99,200,396 million penalty for infringements of the GDPR

Lesson to be learned: Data Compliance risk when acquiring a business

The Marriott case illustrates the importance of proper due diligence when acquiring the shares or assets of a business.  It is not always apparent to a purchaser whether a business has fully complied with data protection laws. Organisations that simply play lip service to data protection compliance run the risk of being exposed when and if a data breach occurs. Unfortunately for purchasers such as the Marriott, these failures may only come to light subsequent to completion of the sale.

It is therefore essential that a comprehensive due diligence of an organisation’s technical and organisational measures is undertaken before acquisition. It may also be appropriate to require the seller to provide indemnities in respect of data protection compliance within the asset or share sale documentation.

For sellers of businesses, an audit of data protection compliance is warranted to ensure the business passes any due diligence of potential buyers and guard against potential liability in the future.

If you are considering buying or selling your business, Clarkslegal’s Corporate and Commercial Team, can offer you tailored advice and assistance.