The Information Commissioner's Office issued the Marriott final penalty determination yesterday (ICO Marriott monetary penalty notice, 30 October). The fine is £18.4 million, reduced from the £99.2 million Notice of Intent issued in July 2019. The reduction is substantial, approximately 81%, and reflects the regulator's acceptance of parts of Marriott's representations, the company's cooperation through the investigation, and the explicitly noted economic impact of COVID-19. The British Airways penalty, issued two weeks earlier on 16 October, was £20 million against a £183 million NoI, a reduction of a similar order (approximately 89%).
The structural reasoning in the monetary penalty notice is the part that will inform UK GDPR enforcement practice for several years. The ICO's analysis of "appropriate technical and organisational measures" under Article 32 is detailed and sets out the regulatory expectation against the specific Marriott / Starwood circumstances; the failures it identifies fall into four areas: monitoring of privileged accounts, monitoring of database activity, controls over critical systems, and encryption of sensitive data. The combination of factors that the ICO weighted produced the original NoI figure: the duration of the unauthorised access window (roughly four years, from the 2014 compromise of Starwood's systems to discovery in 2018), the number of affected data subjects (approximately 339 million guest records globally, with a substantial UK population), the sensitivity of the affected data categories (passport numbers, detailed travel patterns), and the acquisition-integration root cause, which the ICO assessed against the due-diligence expectations placed on the acquirer. The reductions on representations reflect the company's documented post-discovery remediation actions, its cooperation through the investigation, and the COVID-specific representations about the economic environment.
The reduced final figure is, in absolute terms, still substantial: £18.4 million is the second-largest UK GDPR-era fine to date, behind only the BA penalty, and is approximately 37 times the £500,000 maximum available under the Data Protection Act 1998. The deterrent effect of the figure is, however, more nuanced than the original NoI would have produced. The customer-organisation conversations this morning have included some commentary that the substantial NoI-to-final reduction signals a regulator more accommodating than the original NoI implied, and that the strategic implication for customer-organisation risk modelling is therefore less acute. My counter-argument in the briefings is that the reduction reflects the specific COVID economic context as much as it reflects any structural shift in regulatory posture, and that the customer-organisation planning basis should continue to use the upper-bound exposure rather than the expected-value exposure.
For the customer-portfolio strategic conversation, the Marriott final fine validates the programme work that has been the dominant theme for the past four years. The customer organisations that have invested substantively in attestable GDPR posture have a defensible position; the customer organisations whose programmes have been less mature would, in a comparable enforcement case, face exposure that is now quantifiable in the £15-50 million range for cases at the Marriott / BA scale. The cost-benefit framing is settled.
The wider regulatory landscape continues to develop. The European supervisory authorities will follow the ICO's reasoning with interest; the parallel cases in other jurisdictions are at various stages of investigation and decision. The post-Schrems II environment continues to require customer-organisation work on international data transfers. The post-Brexit UK adequacy decision is the principal known unknown for early 2021. The aggregate regulatory environment is, four years after the GDPR was adopted, more mature, more demanding, and more quantifiable than it was at the start of the period. The customer-organisation programmes will continue to develop accordingly.