Out-Law Analysis | 06 Aug 2019 | 8:46 am | 5 min. read
Financial services firms should carry out a data protection audit to ensure that all uses of personal data, including the IT estate, are compliant with the General Data Protection Regulation (GDPR) upon the completion of mergers or acquisitions.
That is one of the central lessons businesses in the sector can take from a recent investigation carried out by the Information Commissioner's Office (ICO) into a data breach experienced by Marriott.
In November 2018, Marriott announced that it had discovered there had been unauthorised access to one of its databases since 2014 following a cybersecurity incident. The database in question had been added to Marriott's IT estate upon its acquisition of the Starwood business in 2016. The database contained details of approximately 339 million hotel guests. The ICO said it plans to serve the hotel business with a £99.2m fine.
Marriott has said it will raise an appeal against the fine should the regulator confirm its proposed action after listening to the company's representations.
The intention to fine is a clear warning to organisations regarding how they handle data acquired via an acquisition. This warning should be heeded by businesses in the financial services sector where M&As are common. The ICO said Marriott had "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems".
If, as the ICO is indicating, a lack of due diligence forms the basis for its proposed regulatory action, it is a clear message that GDPR compliance and cybersecurity must form a central part of the due diligence process when seeking to acquire another organisation.
However, at due diligence stage, the buyer can only get a general sense of GDPR compliance based on the information provided, such as what measures have been put in place to achieve GDPR compliance. They are unable at that stage to make a full assessment of whether those measures are actually effective or being complied with. It is not until post completion that the buyer can truly look 'under the bonnet' from a GDPR compliance perspective.
Based on what the ICO is prepared to say about the Marriott incident so far, it is strongly indicating that a full GDPR compliance gap analysis must be done post-completion and as a matter of urgency. The ICO also hints at this expectation in its draft data sharing code of practice, which covers data sharing in mergers and acquisitions as a use case for data sharing. The draft code states that the buyer should consider the GDPR's governance and accountability requirements and ensure that appropriate security is in place post-completion.
A GDPR gap analysis exercise is not an insignificant exercise. It often involves detailed questionnaires, document reviews and employee interviews. The buyer would need to consider each GDPR requirement and whether the business it acquired had put in place measures to comply with that requirement. To the extent that they had done this, the buyer would then need to look for evidence that those measures were effective.
For example, under GDPR, the controller must ensure that personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". This means that the buyer will want to ensure, in the first instance, that the business acquired does not retain all personal data indefinitely, but that it has a data retention policy setting out how long personal data is retained and for what reason.
If such a policy exists, pre-completion, the buyer can only make an assessment of whether the retention periods look sensible. Post completion, the buyer will be better placed to understand whether those retention periods are appropriate or excessive. The buyer may also want align the retention periods with its own data retention procedures.
The next factor to consider is whether the data retention policy is effective – are employees aware of it, do they know their role in ensuring that it is complied with, has it led to consistent practices across the business? To the extent that the buyer identified that these measures were not effective, the buyer would then need to put in place remediation measures. This might include setting up employee training or procuring technology to reduce the reliance on human effort.
While a buyer may plan to do this in the medium to long term, the ICO is sending a clear message in its draft data sharing code and the Marriott statement of intention that it expects this exercise to be carried out as a matter of urgency post-completion.
In the case of Marriott and for British Airways too, which the ICO has outlined plans to fine more than £183m under the GDPR following a separate major data breach experienced by the airline, the ICO's notice of intent to fine followed a decision by the businesses to make market disclosures regarding the action they were facing. It seems that both Marriott and BA had decided that the ICO's plans to issue a fine represented an event that is material for disclosure to its investors.
For listed companies, of which many operate in the financial services sector, this could set a precedent for market disclosures of an ICO intention to fine going forward. This means that any institution in the sector that is listed will need to factor into its response strategy the possibility that the ICO could respond to their market disclosures by further publicising its intended enforcement action before making its final decision in the case and, crucially, before that organisation has had a chance to make representations in the hope of reducing the fine.
Further, even for non-listed financial services sector institutions, it is possible that obligations they face to notify the Financial Conduct Authority of major data breaches could also spur the ICO into releasing statements early in the enforcement process if the FCA itself goes public.
One of the main changes to data protection law introduced by the GDPR is the possibility of group litigation compensation claims for infringements of the GDPR. Essentially, all individuals affected by the incident are entitled to litigate their claims together under one claim. This enables a court to dispose of the claims more efficiently by hearing them all in one case.
British Airways is facing such a group claim in relation to its data breach. The law firm pursuing the group litigation against the airline claims to have spoken to thousands of potential claimants who have been affected by the data breach and continue to be contacted by new potential claimants each day through a chat-bot on its website. The law firm is suggesting that each claimant could get up to £1,000. If this claim of a £1,000 award per claimant were to materialise, this could equate to claim worth up to £500 million. As a result, it is entirely possible that British Airways' woes relating to this incident will not end with an ICO fine.
Kathryn Wynn is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.