Article
22 April 2024
3 minute read
When the Information Commissioner’s Office (ICO) announced its intention to fine Marriott International approximately £99m for breaches of the General Data Protection Regulation (EU) 2016/679 (GDPR), we took a look at the case to see what lessons could be learned.
Implement appropriate security processes
It’s impossible to guarantee ‘security perfection’ but all businesses need to have robust security procedures that follow best industry practices in place, especially if they process a high level of sensitive personal data including credit card numbers, names and addresses.
Regularly review and test your security processes
Businesses are obliged to continually monitor and test their security structures and processes in response to new threats. One of the aggravating factors in the Marriott case is that the security weaknesses in their systems had been allowed to remain for a number of years.
Keep records
If your business is hacked, being able to provide evidence of all the steps you’ve taken to prevent it and to protect the personal data you hold, will assist in defending any potential legal claims.
Buy cyber insurance
We always advise our Cheltenham clients to buy a cyber insurance policy to protect themselves from the financial consequences of data breach.
Take extra care when acquiring new businesses that come with databases containing personal data.
Appropriate due diligence on the security structures and procedures of the potential acquisition should be carried out before completing the purchase. After the sale is complete, audit the security processes and structures of the business you have acquired to validate any assurances given by the sellers and to ensure everything’s up to standard.
It could have been worse for Marriott. Under GDPR the ICO can raise fines of 4% of annual turnover, or £20m if higher. With revenues in the order of £20bn, the fine for Marriott could have been up to £800m.
Don’t get caught out. Data protection and security of personal data must be taken extremely seriously. If you need advice, download our GDPR Survival Guide, or you can view all our GDPR content here.
If you want to talk about GDPR and data protection, contact one of our Cheltenham solicitors today.
Related Blogs
Article
22 April 2024
4 minute read
DfE launch call for evidence: safeguarding children in schools and colleges
Read more
Article
19 April 2024
5 minute read
Campaigning in the pre-election period: what charities need to know
Read more
Article
19 April 2024
5 minute read
Government publishes response to consultation on ‘fire and rehire’ Code of Practice
Read more
Article
18 April 2024
3 minute read
Academy support grant eligibility changes from September 2024
Read more
Article
18 April 2024
5 minute read
It doesn’t always pay to be flexible – the risks of inadvertently straying into regulated credit agreements with parents
Read more
