Following the British Airways decision on Monday, the ICO announced yesterday that it intends to fine the international hotel group Marriott an eye-watering £99,200,396 after hackers stole the records of 339 million guests in November 2018. Much as with British Airways (BA), the hackers got away with personal data including credit card details, passport numbers and dates of birth. This marks the second time in two days that the ICO has demonstrated its now considerable power to impose huge data breach fines under GDPR. Elizabeth Denham again took the opportunity to comment, saying: “personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The ICO is serving serious reminders this week that data protection is an ongoing project that companies should take seriously, not just one that was relevant in May 2018.
Marriott also has the opportunity to make representations to the ICO.
Please see our article on the British Airways fine.
It would be worth reviewing the GDPR policies that you put in place last year to ensure you are still adhering to them. Please refer to our GDPR FAQs and if you have any further questions please let us know by contacting the Commercial Team.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.