The Court of Appeal has upheld the ICO’s appeal in the case of DSG Retail Limited v Information Commissioner’s Office [2026] EWCA Civ 140.
This case concerns a cyber attack in which the attackers exfiltrated large amounts of data, including payment card information, a large part of which was not connected to names or other details that would allow identification in the hands of the attacker. The decision falls under the Data Protection Act 1998 but is still useful as an indication of how the courts will look at such an issue.
The Court of Appeal held that DSG Retail Limited (DSG) was required to take appropriate measures to ensure the security of the data even though, in the hands of the hackers, the individuals were not identifiable from the data they had exfiltrated. For the purposes of assessing compliance with the data security principle, the court looked to whether the data was personal data in the hands of the controller, not the attacker.
DSG has not yet indicated whether they will appeal.
The judgment can be found here.