GDPR data breaches hit the headlines

Marriot International data breach

We have previously published a blog about the British Airways’ GDPR fine, which was one of the largest ones, but they are not the only well-known business to be hit by a fine. 

Marriott International was also subject to one of most substantial GDPR fines since the new GDPR laws were introduced in 2018. According to a BBC story, the fine relates to an incident that is thought to date back to 2014 but was only discovered in late 2018. During that time, millions of guests had their personal details exposed in a data breach.

The data breach included 30 million guest records that were held in a reservation system and occurred within a rival hotel group that was acquired by Marriott. Whilst the system has since been phased out and eradicated completely from the hotel chain, the ICO states that the fine still stands, as the rules relating to GDPR, and the personal details held by a company, are very clear. They also state that organisations should be accountable for the data they hold by carrying out proper due diligence and in the case of Marriott, at the point of acquisition, but also for any organisation looking to access or store any personal data they hold for their customers.

It seems clear that the ICO will make examples of organisations that do not toe the line – and the size of the BA and Marriott penalties (£183m and £99m respectively) – shows that the fines for those who do not comply are eye wateringly high.

Amazon has since received the highest fine so far being £635,786,213.49 which was announced in their July 2021 earnings report.  The full reasons behind the fine have yet to be disclosed, but we know the cause has to do with cookie consent. This is not the first time Amazon has been fined due to the way it collects and shares personal data via cookies. In late 2020, France fined Amazon just over £29 million after the tech giant allegedly failed to get cookie consent on its website.

WhatsApp have also been fined over £191 million after the messaging service failed to properly explain its data processing practices in its privacy notice.

What is clear is that unless companies abide by the rules, the ICO will continue to distribute fines. The GDPR and updated Data Protection Act were brought into force in 2018 and aimed to give the public more transparency as to how their data is being stored, used and accessed. Our team of experienced solicitors can help with GDPR by:-

  • Attending your offices in Sussex, Surrey or London to conduct a full data review to identify what data your business processes, stores and uses;
  • Review your practices and advise on the appropriate legal basis for processing the personal data you hold and use;
  • Assist you in recording the compliance steps taken to demonstrate you are GDPR compliant;
  • Provide practical solutions and advice on areas where changes are required and where further steps need to be undertaken; and
  • Ensure you have the following relevant documents:
    • Data Audit checklist;
    • Updated Data Protection Policy;
    • Privacy Notice;
    • Employee consent forms, if applicable; and
    • Guidance letter for you to send to your staff.

If you need any further help or guidance, please contact Heather Love at

Heather Love

Heather Love


Tel: +44 (0) 1483 411516

Office: Godalming Office