After fourteen months of criticism ‘for doing nothing’, the ICO has come out guns blazing. With two announcements of their intent to fine in two days, they definitely mean business.
The ICO has said it plans to fine British Airways and Marriott International £188.39m and £99.2m respectively.
Their latest intent to fine Marriott International related to a data breach that resulted in about 339 million guests having their personal details exposed.
The vulnerability of the systems predates Marriott’s acquisition of Starwood; however, Marriott are responsible for not fully auditing their systems as part of their M&A process.
The ICO said that Marriott had failed to properly review Starwood’s data practices and should have done more to secure its systems.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham.
“This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Continually monitoring for risk
The large fines come as a wake-up call to all businesses, big and small; being a victim of crime is no defence, even if you are hacked by cyber-criminals, retrospective steps to fix the weaknesses will still not get you out of a fine – you need to constantly monitor your network for risks and make sure any risk and compliance gaps are fixed before anything goes wrong.
In reality, monitoring your own networks can be complex and overwhelming. So, how do you approach independently auditing and assessing a network that you have no real access to and at the same time ensuring that neither party violate GDPR compliance?
RiskView can fully support the requirements of mergers and acquisitions. By locating information risk and leakage, an organisation can review another organisation’s information security without accessing data, therefore not contravening the GDPR. This unique measure provides confidence for all elements of due diligence, i.e. supply chain audits, partner audits. Allowing you to ensure you are fulfilling all responsibilities when adopting new practices that involve moving or accessing sensitive information.
View More Articles
- 12th September 20192019 on track to be the “worst year on record” for data breach activity
- 10th September 2019Leaving the EU: Brexit and GDPR
- 9th September 2019Data Breaches: Did you know?
- 5th September 2019What should you do if your data has been breached?
- 3rd September 2019GDPR was just the beginning
- 14th August 2019The dangers of Subject Access Requests
- 12th August 2019Is GDPR now being taken more seriously?
- 5th August 2019The financial impact of Subject Access Requests
- 1st August 2019DDC AS Launches SmartRedact
- 31st July 2019Don’t be blindsided by your organisations handling of data