Latest GDPR Fine Emphasizes Need for Privacy and Data Security Due Diligence in Corporate Acquisitions

Hot on the heels of yesterday’s announcement that it intends to impose a record-setting $230 million GDPR fine on British Airways for a 2018 data breach, the UK ICO announced today that it intends to fine Marriott International £99,200,396 ($123 million) for a data breach the company announced in November 2018. That breach, however, didn’t occur on Marriott’s watch: it began when the Starwood hotel group’s systems were compromised in 2014. Marriott discovered the breach after it acquired Starwood in 2016. The ICO’s announcement faults Marriott for failing to discover the incident as part of the due diligence it conducted for the acquisition.

The ICO’s announcement is especially notable because it characterizes Marriott’s failure to discover an acquisition target’s data security failures as a violation of the GDPR’s accountability principle. According to Information Commissioner Elizabeth Denham, that principle requires “carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Read the full article on LinkedIn.