Milk, meat, fruits, breads … and data protection.
These are the new food groups for your M&A deal.
Just 24 hours after its notice of intent to fine British Airways 183 million GBP, the UK ICO issued a notice of intent to fine Marriott International 99 million GBP for a data breach that affected 339 million individuals, 30 million of them in the EU.
The breach in question was essentially “acquired” by Marriott in an M&A deal.
The key takeaway: data protection, meaning both information security measures and data privacy compliance, should be one of the key areas investigated in any merger or acquisition due diligence inquiry.
Per ICO Commissioner Elizabeth Denham: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”