Marriott has been issued a £99m fine by European Regulators under the General Data Protection Regulation (GDPR).
It’s the second time in less than a week that the Information Commissioner's Office (ICO) has issued a penalty running into the hundreds of millions of pounds, far exceeding the previous maximum potential fine of £500,000 (which had been imposed only once, on Facebook for its role in the Cambridge Analytica data scandal).
British Airways was slapped with a record £183.4m penalty less than 24 hours before Marriott’s; both fines reflect the GDPR regime, which allows the ICO to impose fines of up to 4% of annual revenues.
In BA’s case, its fine represented just 1.5% of its turnover in 2017 while Marriott’s represented about 3% of the hotel company’s $3.6bn revenue from 2018.
Marriott’s fine was the result of a data breach that lasted over four years – it began in 2014 and was only discovered in 2018 – and exposed in the region of 339 million guest records globally.
Marriott said it would appeal the decision. Chief executive Arne Sorenson added: “We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect.”
BA meanwhile is reeling from the fine it was issued on Monday (8 July) following a data breach that compromised 500,000 customers.
The airline, owned by IAG, says it was "surprised and disappointed" by the penalty.
Brands should be concerned
It should come as a stark warning to brands about how seriously the ICO is taking any data breach which exposes sensitive customer data.
ICO commissioner Elizabeth Denham said that when organisations fail to protect data from loss, damage or theft, it is “more than an inconvenience.”
“That's why the law is clear – when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” she cautioned.
The unprecedented level of the proposed fines will not only shock brand bosses and their IT departments but will also alarm marketers trying to show their brands can be trusted.
Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: “The risks go beyond the potential fines regulators can issue too; the long-term effects on customer trust, share price and public perception could have more lasting damage.”
According to recent research from the DMA, over 82% of UK marketers think that their organisations are compliant with GDPR while 41% of consumers were confident that brands were handling their data correctly following changes to GDPR.
“For most businesses, data is its most valuable asset. So consumer trust in how they collect, store and use data is fundamental to building long-term relationships with customers and their willingness to share data,” finished Aldighieri.