After fourteen months of criticism ‘for doing nothing’, the ICO has come out guns blazing. With two announcements of their intent to fine in two days, they definitely mean business.
The ICO has said it plans to fine British Airways and Marriott International £188.39m and £99.2m respectively.
Their latest intent to fine Marriott International related to a data breach that resulted in about 339 million guests having their personal details exposed.
The vulnerability of the systems predates Marriott’s acquisition of Starwood; however, Marriott are responsible for not fully auditing their systems as part of their M&A process.
The ICO said that Marriott had failed to properly review Starwood’s data practices and should have done more to secure its systems.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham.
“This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Continually monitoring for risk
The large fines come as a wake-up call to all businesses, big and small. Being a victim of crime is no defence: even if you are hacked by cyber-criminals, retrospective steps to fix the weaknesses will still not get you out of a fine. You need to constantly monitor your network for risks and make sure any risk and compliance gaps are fixed before anything goes wrong.
In reality, monitoring your own networks can be complex and overwhelming. So, how do you approach independently auditing and assessing a network that you have no real access to, while at the same time ensuring that neither party violates GDPR compliance?
RiskView can fully support the requirements of mergers and acquisitions. By locating information risk and leakage, an organisation can review another organisation’s information security without accessing its data, and therefore without contravening the GDPR. This unique measure provides confidence for all elements of due diligence, e.g. supply chain audits and partner audits, allowing you to ensure you are fulfilling all responsibilities when adopting new practices that involve moving or accessing sensitive information.