Thu 11 Jul 2019

Have The GDPR Floodgates For Fines Been Opened?

Hot on the heels of the recent announcement from the Information Commissioner’s Office (ICO) that it intends to fine British Airways a record £183.39M for infringements of the General Data Protection Regulation (GDPR), another notice of intention to fine has been announced. This time it is Marriott International, the international hotel group, and the fine is £99,200,396 for infringements of the GDPR after hackers stole the records of 339 million guests, 7 million being UK residents.

Marriott acquired Starwood hotels group in 2016 but it is thought that the vulnerability began back in 2014. The exposure of customer information was then not discovered until 2018 but the ICO’s investigation has concluded that Marriott failed to undertake appropriate due diligence when it bought Starwood and should have done more to secure its systems. Information Commissioner, Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”.

The fine is a cautionary tale for companies looking to expand and to acquire other businesses. As Andrew Morgan, Partner and Head of Corporate & Commercial at JPC Law, comments: “This is a prime example of the importance of thorough and extensive due diligence in corporate transactions. It is so important to fully understand the business that you are buying and the potential issues and exposures that there might be for you in the future which can only be achieved by going through the correct due process”.

If you need advice in relation to GDPR, please contact Julie Edmonds, Head of Employment by email:, or by telephone 0207 644 7286 or contact her on LinkedIn or if you are looking to acquire a business, contact Andrew Morgan, Head of Corporate and Commercial by email: or by telephone 020 7644 6303 or contact him on LinkedIn.
