The latest company to face a GDPR penalty from a Data Protection Authority is hotel chain Marriott: the UK Information Commissioner's Office (ICO) has announced its intention to fine the company. As with British Airways, the penalty follows a data breach that came to light in 2018 and exposed the personal details of up to 500 million guests.
After its investigation, the ICO found that the hotel chain failed to undertake proper due diligence when it bought Starwood, whose systems had been compromised before the acquisition, and that it should have done more to secure those systems once they were under its control.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott International’s president and chief executive Arne Sorenson said the company was ‘disappointed’ with the ICO’s announcement and that it intends to contest the proposed fine.