The UK Information Commissioner’s Office (“ICO”) announced on 30 October 2020 that it has decided to fine Marriott International, Inc. (“Marriott”) £18.4m under the General Data Protection Regulation (“GDPR”) for a personal data breach that occurred in relation to the Starwood guest reservation database system and affected up to 339 million guests, around 30 million of which were records relating to individuals in the European Economic Area (“EEA”) with 7 million relating to individuals in the UK.

The final amount, whilst being a substantial fine, is a significant reduction from the £99.2m the ICO announced it intended to issue in its second notice of intent in July 2019. However, the reduction comes as little surprise following the ICO’s recent reduction of its fine on British Airways from £183.39m to £20m.
