In 2019, the ICO fined Marriott Hotels £99 million under the GDPR for not undertaking sufficient due diligence to secure its systems when it acquired Starwood Hotels Group. This resulted in 339 million unprotected guest records being exposed.
Elizabeth Denham, Information Commissioner stated: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” Read more on this data breach in our blog post: The British Airways Data Breach “fine”.
Marriott might have avoided this data breach if it had performed proper due diligence. So what exactly is due diligence according to the GDPR, and how do you ensure it? Read on and I’ll explain in this post.
What is due diligence?
Two key elements of accountability are clear: the controller’s responsibility to comply with the GDPR’s requirement of due diligence, and the ability to demonstrate that compliance.
Due diligence requires the controller to have the ability to sufficiently guarantee compliance with industry standards where applicable in the context of processing, the availability of sufficient technical expertise, and the provision of the relevant documentation.
It is worth noting that companies have a legal duty to ensure the security of personal data “just like they would do with any other asset.” Companies can fulfil accountability obligations by assessing what personal data was acquired and how it is protected. There are security obligations within the GDPR that support the principle of “integrity and confidentiality.”
How do you demonstrate due diligence?
To ensure compliance with the GDPR and due diligence, organisations should identify the data compliance and mitigation measures in place, including information security measures. This may include reviewing tangible compliance with policies, testing information security measures and ensuring appropriate procedures and structures are in place for data capture and reporting.
Due diligence is something that should be practised with consistency to ensure that current practices are relevant and up-to-date.
To learn more on how to ensure due diligence and how to demonstrate compliance, download the webinar: Data Protection: What Constitutes ‘Evidence of Compliance?’
This webinar covers:
- Data protection due diligence. How much is enough?
- How do you know what you know?
- 6 essential Key Performance Indicators (KPIs)
- Data capture and reporting fundamentals
- Interactive Q&A with a seasoned & experienced Data Protection Expert