On 9 July 2019, the Information Commissioner's Office (the UK data protection authority; ICO) published its intention to fine Marriott International, Inc. (Marriott) around £99 million (approximately 0.5% of its global annual turnover in 2018) for infringements of the General Data Protection Regulation (GDPR) related to a data breach notified to the ICO in November 2018. This would be one of the highest fines under the GDPR to date, second only to the £183.39 million fine for British Airways.
However, the most notable aspect of this fine is that the ICO faults Marriott for failing to undertake proper due diligence when it bought the Starwood hotels group (Starwood) in 2016, the group in which the data breach originated. The ICO thus links Marriott's lack of proper data protection due diligence directly to the fine. This shows the great importance of carrying out proper data protection due diligence when making or preparing an acquisition.
Lack of proper due diligence
The data breach likely began when the systems of Starwood were compromised in 2014, which resulted in the exposure of personal data of approximately 339 million guests. Marriott subsequently acquired Starwood in 2016, but it failed to carry out proper due diligence on the data protection practices, and especially the data security practices, of Starwood. Consequently, the data breach was not discovered until 2018. The ICO believes that Marriott should have done more to secure Starwood's systems upon the acquisition.
Importance of data protection due diligence
In its published intention to fine Marriott, the ICO explicitly states that organizations are accountable for the personal data they hold, which includes carrying out proper due diligence when acquiring another company. Organizations should also put in place proper accountability measures to assess what personal data has been acquired and how it is protected, and implement or improve the measures that ensure the security and proper processing of that personal data. This statement by the ICO makes it even clearer that a lack of proper data protection due diligence can be treated as an important factor both in establishing GDPR violations and in determining the fine imposed.
Continued data protection due diligence
As key takeaways, we recommend in any event to:
- Carry out proper due diligence when preparing a potential acquisition. Such due diligence should cover all data protection related aspects, including what personal data are processed, how they are processed and secured, and whether the relevant (accountability) requirements have been implemented by the target.
- Include appropriate representations, warranties and indemnities in the purchase agreement, depending on the outcomes of the due diligence.
- Further investigate the data protection practices of the acquired target upon the acquisition, make a data protection improvement plan, and implement all required (accountability) measures to ensure compliance with applicable data protection requirements.
- Start as early as possible with assessing and improving the data protection practices of the target, to protect the investment (if you will later act as the seller of the company, for example a private equity investor looking for an exit in a few years).