Global hospitality chain Marriott International has been dealt a notice of intent for a fine equaling £99m from the UK’s Information Commissioner’s Office (ICO) for infringements of the General Data Protection Regulation (GDPR).
This follows a cyber incident in November 2018 when the company informed the ICO “a variety of personal data” was exposed – with approximately 339 million guest records globally compromised.
Information Commissioner Elizabeth Denham commented: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The exposure dates back to 2014, when systems at the Starwood hotels group were compromised.
Marriott International acquired the Starwood group in 2016; however, the exposure of customer information was not uncovered until 2018.
The ICO’s investigation found that Marriott had failed to undertake “sufficient due diligence” following the purchase of Starwood and, overall, should have “done more to secure its systems.”
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” added Denham.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott International said in a statement it intends to respond and “vigorously defend its position.”
Marriott International’s president and CEO, Arne Sorenson, expressed his disappointment with the notice of intent and said the firm “deeply regret” the incident that took place.
He stated: “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
GDPR is here to stay
Earlier this week British Airways were hit with a record £183m fine for similar GDPR data compliance failures.
Both fines are the first major penalties to be issued under GDPR since it came into force in May 2018.
Its purpose is to “harmonise” data privacy laws across Europe whilst also increasing user protection and giving individuals greater clarity about who holds their data, placing a duty of care on those who do.
Azy Shojaeian, founder & CEO of compliance advisory and training consultancy Integress, spoke to PaymentExpert about the recent fines and her experiences with GDPR.
“For the culture to change and for senior management to take it seriously, enforcement needs to take place, including fines of this magnitude.
“Pre-25th May 2018, I offered free GDPR consultancy to many charities here in the UK and, whilst the intention was in the right place, I learnt that, not only within financial services but also in other sectors, the importance of data privacy was not fully recognised.
“Companies were simply putting an action plan together to roll out changes over the next 2 years post May 2018.”
Shojaeian made clear that “enforcement is the best way of promoting good conduct” and believes that the ICO is handling each situation in the correct manner.
“Bearing in mind we have had data privacy laws since 1998, GDPR is only a further layer of protection for consumers’ data,” she added.
“But when things go wrong and data is leaked, not only has the law been broken, but the leaked data also becomes the foundation of many different types of economic crime, such as fraud.
“All in all I believe the ICO is doing a fantastic job in enforcing fines and publicising it.”