GDPR develops a backbone – what can we learn from the recent British Airways and Marriott International GDPR fines?

The Information Commissioner’s Office (ICO), the United Kingdom’s data privacy regulator, has this week published a statement confirming their intention to fine Marriott International approximately £93 million for a data breach that infringed the General Data Protection Regulations (GDPR). The proposed fine relates to a data breach that Marriott reported to the ICO in November 2018, whereby they informed the ICO that the personal data of 339 million guests had been exposed globally. This announcement comes only a day after the ICO announced their plans to fine UK airline, British Airways, £183 million for a data breach that occurred in 2018 where British Airways failed to protect their cyber security systems.

The ICO have commented that they believe the breach originally occurred in 2014 within the systems of the Starwood Hotels Group. Interestingly, Marriott International only acquired the Starwood Hotels Group in 2016, but did not discover the data breach until November 2018. The ICO have issued a statement explaining that Marriott International failed to carry out a satisfactory level of due diligence when acquiring Starwood Hotels Group in 2016 and subsequently failed to ensure its systems were secure.

In a statement released on 9th July 2019, UK Information Commissioner, Elizabeth Denham, confirmed that:

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that does not happen, we will not hesitate to take strong action when necessary to protect the rights of the public”.

The ICO make it clear that they intend to use the increased powers given to them by the GDPR legislation in May 2018 without hesitation.

Before this, the largest fine the ICO had ever issued was in the sum of £500,000. Under the GDPR legislation introduced in May 2018, the ICO now have the power to fine up to 4% of a company’s turnover or £20 million, whichever is higher.

The British Airways and Marriott International fines can arguably be seen as the ICO test cases and it has been suggested that more frequent and larger fines are likely to come through in the future. The short timespan between these two announcements could potentially be seen as the ICO  providing companies with a serious warning as to their duties under the GDPR legislation, and they clearly want the public to know that they are taking breaches of GDPR seriously and have every intention of enforcing the legislation in its fullest form.

If we can learn anything from the punishment of these two household names, it is that protecting customer’s data is of paramount importance. To find out more about how you can ensure that your business is compliant with GDPR legislation, please contact a member of our GDPR team on

Lily Burton

  • This field is for validation purposes and should be left unchanged.