David Edwards, head of the Harrison Drury regulatory team, discusses the key due diligence steps required under the GDPR framework, highlighted by the recent ICO investigation of Marriott International and its merger with Starwood.
The Information Commissioner’s Office (ICO) has signalled its intention to fine Marriott International £99.2m for GDPR breaches following their merger with US hotel and leisure company, Starwood.
The importance of GDPR
GDPR is still a largely misunderstood area of regulation but, in the face of the ICO’s new powers, organisations are starting to realise the extent of their obligations and legal responsibility for the personal data they handle and use.
In this case the personal data breach wasn’t strictly due to Marriott International’s handling of data; it actually related to the past data practices and policies of Starwood and the failure to carry out the necessary due diligence checks prior to the merger.
In 2018, Marriott International merged with the US hotel and leisure company, Starwood, and therefore took on Starwood’s personal data obligations as a data controller and data processor.
Between 2014 and 2018, Starwood suffered a data breach, resulting in the exposure of the personal details of 339 million guests.
Crucially, this included guest records for 30 million Europeans. This brought the investigation of Starwood / Marriott International’s personal data practices, and the enforcement of GDPR obligations, within the ICO’s remit.
What has the ICO said about the breach?
The ICO stated that a £99.2m fine could be imposed because Marriott, prior to its merger with Starwood, failed to properly review Starwood’s data practices and should have done more to secure its systems.
Elizabeth Denham, Information Commissioner, stated organisations must be accountable for the personal data they hold: “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Therefore, despite the problem originating in the seller’s policies, the responsibility lies with the buyer, Marriott International, because it failed to carry out proper due diligence in relation to data practices.
What due diligence is required when organisations merge?
When merging with another company, solicitors on both sides often carry out various due diligence checks.
For example, where businesses process a high volume of data or “special category data”, GDPR checks (similar to a data gap analysis) should be carried out. These can highlight potential issues with a merger and whether there have been, or are likely to be, any complaints or investigations into personal data practices.
Additionally, the buyer and seller must be transparent with one another about their use of personal data and the lawful basis for processing it. The privacy notice each organisation employs is a useful foundation, but further technical and organisational measures will need to be assessed and possibly remediated in order to keep the data safe.
What can organisations learn?
In summary, reasonable steps must be taken by an organisation, and those at a senior management level, to avoid committing an offence.
When merging, or acquiring another business, please bear in mind the fact that complaints and investigations will pass from seller to buyer.
Harrison Drury can assist in GDPR considerations over business mergers and acquisitions. For more information, please contact David Edwards on 01772 258321.