
GDPR Breach From Marriott International Sees Further Fines


Posted on 11 Jul 2019

The Information Commissioner’s Office (ICO) announced on 9 July 2019 an intention to issue a fine of £99,200,396 to hotel chain Marriott International (Marriott) for breaches of the General Data Protection Regulation (GDPR). 

This comes just days after the announcement of the ICO’s intention to fine British Airways over £183.39m following a cyber attack, set to be the largest penalty yet.

What happened?

Marriott suffered a cyber-security incident, which was reported to the ICO in November 2018. A variety of personal data contained in approximately 339 million guest records globally, including those of 7 million UK guests, were affected by the incident. The ICO statement indicates that this incident may have been ongoing since 2014, when the systems of Starwood Hotels Group (acquired by Marriott in 2016) were compromised. Following notification of the incident, the ICO carried out an investigation and found that there was a failure by Marriott to conduct a sufficient due diligence exercise when it acquired Starwood back in 2016.

What does this mean for you and your organisation?

The recent flurry of enforcement action from the ICO demonstrates the regulator’s serious attitude towards implementation of the GDPR. Following the anniversary of the introduction of the GDPR, it has become clear that the ICO will not be taking a lenient approach to non-compliance, particularly personal data breaches, and all organisations should be taking steps to protect their systems with appropriate security measures. 

The Marriott enforcement action highlights that there is an increased emphasis on data protection compliance during the due diligence process of a sale and purchase of a business. Before acquiring a business, it is essential to make appropriate enquiries, review its data security policies and practices and test for cyber security robustness. Appropriate warranties and indemnities from the sellers should be included in the acquisition contract as to the target business's data protection and cyber security processes, procedures, and compliance in order to mitigate the purchaser’s exposure to risk of fines from the ICO and claims for compensation from affected data subjects.

If you are thinking of selling your business, it would be most beneficial for you to identify the data processed and review the procedures that you have in place before you commence the sale process. We have the necessary expertise to assist you with this at Swayne Johnson Solicitors, as our Commercial team regularly deal with business sales and purchases and we have the specialist knowledge to provide expert advice on GDPR.

The buyer will want to obtain certain information, including, but not limited to, the type of personal data processed, how the business collects and stores the data, whether appropriate records have been kept, whether a data protection officer has been appointed and whether there are any data processing agreements with third parties.

If you would like to enquire about ways to prevent or deal with personal data breaches, or our corporate data protection due diligence services, please email or call one of Swayne Johnson Solicitors’ Data Protection specialists:


Claire Sumner – Associate


01745 818297, 07715 521804 or 01829 707884   


Juana Eastwood – Solicitor


01745 586833

