The U.K.’s data regulator on Friday fined hotel group Marriott International £18.4 million (U.S. $23.8 million) under the EU’s data protection rules for failing to keep millions of customers’ personal data secure. The fine is less than 20 percent of the original number the regulator proposed, marking the second time this month that the Information Commissioner’s Office (ICO) has drastically reduced a penalty for a violation of the General Data Protection Regulation (GDPR).

The Marriott fine is the second-highest the ICO has handed out under the GDPR, following the £20 million (U.S. $26 million) penalty it hit British Airways with just two weeks ago. And like the BA fine (originally £183.39 million), Marriott’s penalty was heavily discounted from the £99.2 million figure the regulator had in mind when it issued its notice of intent to fine in July last year.

Neil Hodge is a freelance business journalist and photographer based in Nottingham, United Kingdom. He writes on insurance and risk management, corporate governance, internal audit, compliance, and legal...