Who has bewitched you?
Well, well, well. GDPR might be the new kid on the block, but its venom could be financially ‘life’ threatening. How can businesses be saved from its poisonous and deadly bite? Over the next few weeks, we will explore and dissect the more prominent cases that are making headlines in July.
Case study #1 – July 2019
UK ICO’s intention to penalise Marriott over £100m/$123m for a personal data breach under the GDPR 2018
On 9th July, the UK’s Information Commissioner’s Office (“ICO”) announced that it intends to penalise Marriott International, Inc (“Marriott”) £99.2m under the GDPR for personal data infringements involving its guest reservation database. The hotel systems were cyber-attacked back in 2014, and the ICO revealed the incident in November 2018, two years after the purchase of Starwood (Starwood Hotels and Resorts Worldwide, LLC is a subsidiary of Marriott International) by Marriott. The breach involved over 350 million guest records containing personal data. Furthermore, the ICO investigation estimated that about 30 million of those records relate to people from 31 countries in the EEA, and about 7 million to people living in the UK.
The ICO concluded that Marriott should have carried out extra due diligence, or put processes in place, to ensure that Starwood’s tools and systems were secure before proceeding with the acquisition. The Starwood hotel group’s systems were vulnerable. Marriott has co-operated with the ICO investigation and has since invested in and improved the security of its operations. However, the ICO and Marriott are still monitoring the outcome of the matter. Marriott has been invited by the ICO to make representations on the proposed total penalty before the ICO reaches and enforces its final decision.
The ICO and the other EEA authorities could empathise with Marriott and reduce the sanction or penalty. However, the GDPR makes no provision for such leniency. The GDPR makes it clear that companies will be held accountable. In addition, companies can be fined up to €20 million or 4% of total annual worldwide turnover. Nonetheless, given the circumstances, Marriott could still end up with a reduced penalty, as the related EEA countries will also have the chance to comment on the ICO’s findings.
What must businesses take away from this case study?
Make sure your due diligence processes are robust: pay attention to ICT and to all internal processes and tools. Finally, consult experts to help manage GDPR procedures during any type of change involving management tools such as HR, payroll, SharePoint, CRM or any other database.
Data security is both useful and imperative.
In conclusion, businesses in the UK and EEA must remember that under the GDPR 2018, a data protection supervisory authority can issue a maximum fine of up to €20 million or 4% of the total annual worldwide turnover in the previous fiscal year of the relevant undertaking, whichever figure is higher, for a serious infringement of the GDPR such as Marriott’s.
We offer a free consultation. Watch out for our 2019-2020 international payroll workshop dates in our next blogs. Contact us: www.vpef.co.uk/contact-us and Email: firstname.lastname@example.org