The Court of Appeal’s February 2026 ruling in DSG Retail Ltd v Information Commissioner has confirmed the normal interpretation of the scope of controllers’ data security obligations under UK data protection law. Although the case was brought under the Data Protection Act 1998, the Court’s reasoning would equally apply to the position under the UK GDPR.
Background: A long-running dispute
The case stems from a cyber attack on DSG Retail’s point-of-sale systems in 2017-18, during which approximately 5.6 million payment card records were compromised. Notably, in the majority of cases the attackers could only access the 16-digit card number (i.e. PAN) and expiry date, rather than any additional information such as cardholders’ names or other directly identifying information.
In 2020, the ICO imposed the then maximum available fine of £500,000 on DSG for failures to implement appropriate technical and organisational measures. A protracted appeal journey has followed, centring on the question of whether a controller’s obligation to keep personal data secure depends on whether a third party can identify the relevant individuals from that data.
While the First‑tier Tribunal broadly upheld the ICO’s findings in 2022, albeit with a reduction in the penalty (see our previous briefing), the Upper Tribunal in 2024 took a different view, concluding that data security obligations should be assessed from the perspective of whether the impacted data subjects were identifiable by the attacker, as opposed to by the controller. On that reasoning, if the stolen data did not allow the attacker to identify individuals, controllers would have no duty to put in place appropriate security measures to protect those individuals and thus there would be no grounds for ICO enforcement.
The Court of Appeal’s decision
Allowing the ICO’s appeal, the Court of Appeal rejected the Upper Tribunal’s conclusion, holding that the data security obligation turns on whether the information is personal data in the hands of the controller, and that the perspective of any third party is irrelevant. Therefore, if the information constitutes personal data in its hands, the controller must take appropriate steps to protect it from unauthorised access – even if, once exfiltrated, the affected individuals are not directly identifiable from the data.
Accordingly, the fact that stolen data does not directly identify data subjects in the hands of a third-party attacker does not dilute the controller’s security obligations.
Impact on organisations
This common-sense reasoning aligns closely with the structure and purpose of Article 32 of the UK GDPR, under which personal data in the hands of an organisation must be protected in a manner that ensures a “level of security appropriate to the risk”. This reinforces the notion that security obligations are preventative and risk-based, requiring ongoing assessment as risks evolve, rather than being judged by reference to how data is actually exploited (or not exploited) during an incident. We consider this to be the correct outcome, since, as Warby LJ stated in his judgment, “The interpretation adopted by the [Upper Tribunal], and supported by DSG, has consequences that would, in my view, be surprising in the light of the express purposes and overall scheme of the Directive.”
The ICO’s General Counsel, Binnie Goh, commented that the outcome “sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold”. Effective compliance with data security obligations will therefore hinge on controllers having a clear and comprehensive understanding of the personal data they hold. This should be supported by accurate and up-to-date records of processing activities (ROPAs), alongside strong governance practices such as regular review of security policies and incident response plans, and keeping staff training up-to-date.
While measures such as tokenisation, pseudonymisation and encryption where keys are held separately remain critical risk mitigation techniques within a robust security framework, they will not shield controllers from the duty to put additional measures in place to protect personal data from unauthorised access.
Regardless of the eventual outcome on quantum (i.e. the amount of the penalty, which will return to the First-tier Tribunal), the Court’s reasoning restores a controller accountability-focused understanding of GDPR data security obligations. Controllers will retain their discretion in relation to the prioritisation of particular controls, proportionality and resource allocation, but the duty to implement appropriate technical and organisational measures will apply to all personal data in the controllers’ hands.
