Outsourced DPO –Privacy by design and by default

By Myles Dacres

Reading the ICO’s monetary penalty notice (MPN) served on Marriott one notes that the fine relates to infringements (Articles 32 and 5(1)(f)) of the GDPR between the dates of 25th May 2018 and 18th September 2018 despite the personal data breach occurring on-going from July 2014.  The MPN sets out that the ICO is not considering the period up to the introduction of the GDPR – so any infringement of the DPA98 has not been assessed.  In the grand scheme of things, levying an additional £500k for a DPA98 breach would not have been of particular significance and may have made for a far more complicated investigation and report.

As a PCI DSS qualified security assessor, (QSA) the Outsourced DPO was particularly interested in the payment card industry angle to this.  The MPN states that Marriott’s reliance on reports on compliance (ROCs) issued by two independent PCI DSS assessors that led Marriott to conclude (albeit erroneously) that access to the card holder environment was appropriately protected, did not constitute a breach Marriott’s obligations under the GDPR.  It would seem then that the independent ROCs, which are in effect audit reports to the uninitiated, were accepted as evidence of appropriate security measures being in place – despite them not being sufficiently reliable in the final analysis.  An organisational control (the ROC) was effectively implemented to test a technical control (Multi Factor Authentication): but the performance of the organisational control by Marriott’s QSA company (i.e. the testing of the MFA) was flawed.

It’s reassuring that the ICO says hindsight is not an effective methodology for assessing appropriateness of control measures.  There are many folks who all too easily jumped on the Marriott-bashing bandwagon.  Of note is that having an audit program in place through the PCI DSS ROC was sufficient to provide Marriott with something of a defensible position… well, partially!

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021