When the Information Commissioner’s Office (ICO) announced its intention to fine Marriott International approximately £99m for breaches of the General Data Protection Regulation (EU) 2016/679 (GDPR), we took a look at the case to see what lessons could be learned.
Implement appropriate security processes
It’s impossible to guarantee ‘security perfection’, but all businesses need to have robust security procedures in place that follow industry best practice, especially if they process large volumes of sensitive personal data such as credit card numbers, names and addresses.
Regularly review and test your security processes
Businesses are obliged to continually monitor and test their security structures and processes in response to new threats. One of the aggravating factors in the Marriott case is that the security weaknesses in its systems had been allowed to remain for a number of years.
If your business is hacked, being able to provide evidence of all the steps you’ve taken to prevent it and to protect the personal data you hold will assist in defending any potential legal claims.
Buy cyber insurance
We always advise our Cheltenham clients to buy a cyber insurance policy to protect themselves from the financial consequences of a data breach.
Take extra care when acquiring new businesses that come with databases containing personal data
Appropriate due diligence on the security structures and procedures of the potential acquisition should be carried out before completing the purchase. After the sale is complete, audit the security processes and structures of the business you have acquired to validate any assurances given by the sellers and to ensure everything’s up to standard.
It could have been worse for Marriott. Under GDPR the ICO can raise fines of 4% of annual turnover, or £20m if higher. With revenues in the order of £20bn, the fine for Marriott could have been up to £800m.