No sooner have we published a blog about British Airways’ largest GDPR fine on record, we find another story in the news.
Jul 2019
No sooner have we published a blog about British Airways’ largest GDPR fine on record, we find another story in the news.
It seems that hotel group chain, Marriott International, is next in line to be subject to one of the largest GDPR fines since the new GDPR laws were introduced last year. According to a recent story, the fine relates to an incident that is thought to date back to 2014, but was only discovered in late 2018. During that time, around 339 million guests have had their personal details exposed in a data breach that could be one of the ICO’s biggest fines to date.
The data breach included 30 million guest records that were held in a reservation system and occurred within a rival hotel group that was acquired by Marriott three years ago.
Whilst the system has since been phased out and eradicated completely from the hotel chain, the Information Commissioners Office (ICO) states that the fine still stands, as the rules relating to GDPR, and the personal details held by a company, are very clear. They also state that organisations should be accountable for the data they hold by carrying out proper due diligence and in the case of Marriott, at the point of acquisition, but also for any organisation looking to access or store any personal data they hold for their customers.
It seems that the ICO is starting to make examples of organisations that do not toe the line – and the size of the BA and Marriott penalties (£183m and £99m respectively) – shows that the fines for those who do not comply are eye wateringly high.
The General Data Protection Regulation, best known as GDPR, was brought into force in 2018 and aimed to give the public more transparency as to how their data is being stored, used and accessed. It seems that one year on, the ICO is not taking any nonsense and the fines will stand for both of these organisations.
If you would like some further information or guidance surrounding the new GDPR legislation, contact Downs Solicitors to see how we can help