Marriott International and British Airways facing fines of over £280m- do you take data seriously?

  • Following an intense investigation, the ICO have revealed that Marriott International have infringed on the General Data Protection Regulation (GDPR) and as a result, will be fined £99m. These fines have been tracked to when Marriott subsequently acquired Starwood in 2016 to expand the hotels portfolio, but it can be suggested that the lack of due diligence resulted in the vulnerability of over 300 million guests’ data including credit card information and passport details.

    Marriott International hadn't implemented a dynamic privacy framework, that accounted for all aspects of the privacy regulation across all brands, even those such as Starwood that operated of an alternative system.

    Previously, the biggest fine was to Facebook which was £500,000 as a result of the Cambridge Analytica scandal, which was determined under the previous Data Protection Act 1998, in which, the maximum fine was capped at £500,000. Earlier this week British Airways had also been investigated by the ICO and has been issued with a fine of £183.4m. The penalty imposed on BA is the first one to be made public since those rules were introduced, which make it mandatory to report data security breaches to the information commissioner.

    The investigation found that the website had an issue, through a vulnerability in third-party JavaScript used and therefore was gathering data which users imputed data outside the airlines control.

    The two investigations only have one difference, of course, is that the law has changed, which has required companies to be compliant with the GDPR regulations, this allows fines of up to 4% of annual turnover. This wave of investigations comes just over one year after the regulations have been enforced.

    The message is clear from the data regulator- if you don't treat your customers' data with the utmost care then expect severe punishment when things go wrong. Therefore, it is essential to ensure that customers data is protected and dealt with in the best way. Information and data are the lifeblood of any organisation. Many organisations disregard its importance and more importantly, the value individuals now regard their own data to have.

    Both Marriott International and British Airways could have avoided fines through identifying errors than could have been corrected, while costing less than the fines which will be imposed on both companies.

    The new legislation applies to all businesses, regardless of size or business activity, and is still applicable regardless of the outcomes of Brexit. Quadra offers you a range of services including bespoke policies, webinars, workshops and training.

    View further information, course dates and avail of online booking at

Share this story