The Marriott Hotel Fined £18.4 Million

By Myles Dacres

So, last week the ICO levied a fine of £18.4m on Marriott for a personal data breach affecting an estimated 339 million people over a 4-year period.  If you use the unorthodox method of evaluating monetary penalties of vP = F/n (the value of privacy is equal to the value of the fine divided by the number of affected people), that works out at a measly £0.05 – five pence per individual.  Five pence!  Think about it: a fine of five pence for each compromised individual.  Is that the value of privacy these days?

The most important point raised by the Marriott breach is arguably that they appear to have introduced the cyber vulnerabilities when they acquired the Starwood Hotels group in 2016.  The Outsourced DPO has been banging on for years about the importance of undertaking due diligence in the areas of data and data protection compliance vulnerability during mergers and acquisitions.  And although DPP has completed some work here, we find the majority of people contemplating M&As don’t seem to consider that bringing other folks’ data, systems, people, and work methods into their own environment is something that should be subject to a detailed risk assessment.  In many cases there is “no budget” for such a review, but our fee for conducting one is minuscule compared to the costs of clean-up, fines and compensation.

The Marriott situation is high profile, involving a well-known brand, but compliance risks and vulnerability risks exist equally in mergers between social housing providers, charities, and other businesses.  For example, when taking on 10,000 new properties through a merger between two housing associations, the last thing on people’s minds is usually the personal data relating to the 30,000 legacy data subjects and the data handling practices of the 350 merged employees.  Resources are channelled into assessing the property portfolio and financial position, but it seems very rare for merger due diligence to formally consider cyber maturity, lawfulness of processing etc.  Is it likely that the Marriott case study will change that?  Let’s hope so.

Data Protection People Limited – March 2021