In its latest judgment in DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140 (“DSG v ICO”), the Court of Appeal has given some clarification to the scope and application of cyber security obligations under UK data protection law. The Court confirmed that whether data is "personal data", in the context of the security duties that apply to a controller under data protection law, must be assessed by reference to whether the individuals to whom the information relates are identifiable to that controller: whether a third party could identify the relevant individuals from the data in its possession is irrelevant.

Although the case was decided under the Data Protection Act 1998 (the “DPA”), the Court linked its decision to the current UK GDPR regime, so the same reasoning is expected to apply to current incidents.

Background and first instance decision

The case concerned a cyber‑attack on DSG Retail Ltd’s in‑store payment systems, which took place between 2017 and 2018. Attackers accessed millions of transaction records. In many cases, the compromised data consisted only of card numbers and expiry dates, without cardholder names or other directly identifying information.

The ICO fined DSG £500,000, the then maximum monetary penalty available under the Data Protection Act 1998 (“DPA”), finding that the company had failed to put in place appropriate security measures. DSG challenged the penalty, arguing that much of the data accessed could not be used by attackers to identify individuals and therefore did not constitute “personal data” triggering the security obligation on DSG.

The Upper Tribunal agreed with DSG’s argument, holding that the question of whether personal data is involved is to be judged from the perspective of the data in the hands of the third party. The Tribunal concluded that if the attacker could not identify individuals solely from the data obtained, there was no breach of the statutory security obligation by DSG.

The Court of Appeal’s ruling

The Court of Appeal has, however, now disagreed with the Upper Tribunal. It allowed the ICO’s appeal and held that the concept of “personal data” (and the consequential security obligations) must be assessed from the perspective of the data controller, not the attacker. Data qualifies as “personal data” and triggers the obligation to protect it if the controller can identify the individual to whom it relates, whether directly or indirectly.

The Court emphasised that accepting DSG’s argument would undermine the protective purpose of data protection legislation by creating serious and surprising gaps in protection. For example, an obligation on a controller to safeguard personal data in its possession should not cease because an attacker only compromises a subset of that data insufficient to identify the individuals in question.

Key takeaways for organisations

The decision in DSG v ICO makes it clear that, in the context of the security duties applicable to data controllers, controllers will not be able to avoid liability by arguing that data which is personal data in the controller's hands is not personal data in a third party's hands because the third party would not be able to identify individuals from the data in their possession. If information is personal data in the controller’s hands, the controller must implement appropriate technical and organisational measures to protect it.

This, however, in context, is quite a narrow point relating to the application of broad security duties to a controller organisation. It does not extend, for example, to the assessment of risk of harm to data subjects occasioned by a data breach. The decision expressly cautions against focusing on what an attacker can do with isolated fragments and highlights real‑world “jigsaw” identification risks – where an attacker might locate, assemble and combine disparate items to elicit information about individuals.

The security duties under data protection legislation are aimed at preventing unauthorised processing in all its forms (including exfiltration, encryption (ransomware), alteration, or destruction of data) and are not confined to risks of identity theft or fraud. Finally, it is worth remembering that the ICO considers pseudonymisation to be a security measure that replaces or removes identifying information to reduce risk and aid compliance. While pseudonymised data remains personal data, it enhances security by de-coupling data from direct identifiers, making it a key technique for "data protection by design" and safeguarding against breaches.


Key contacts

Andrew Moir

Partner, Intellectual Property and Head of Cyber Security and Data, London

Elle Hogg

Senior Associate, London

Andrew Moir Peter Dalton Elle Hogg