On October 30^th, 2020, The Information Commissioner’s Office (“ICO”) announced its fine of £18.4 million issued to Marriott International, Inc., (“Marriott”) for violations of the General Data Protection Regulation (“GDPR”). This is a significant decrease from the proposed fine of £99.2 million announced by the ICO in July 2019 (see our previous article here) against the background of Marriott’s security breach reported to have lasted some four years between 2014 to 2018, with the fine relating to the breach only from the point at which the GDPR came into force in May 2018. It is the second largest GDPR fine levied by the regulator thus far, behind that imposed on British Airways. To date, Marriott has not admitted liability for the breach, but the major international hotel operator has indicated that it does not plan to appeal the decision.