The Information Commissioner's Office (ICO) is the independent authority charged with upholding data protection rights in the UK. It has investigated this data breach and found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to make sure their IT systems were secure.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Elizabeth Denham, the information commissioner. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
The ICO has announced its intention to fine Marriott International £99.2 million for infringements of GDPR following this breach, although Marriott does have the right to appeal this decision. However, the ICO does not give this money to victims of the data breach or award compensation. Therefore, to ensure you are properly compensated for the data breach, you need to make a data breach compensation claim.