The Court of Appeal’s latest ruling on the DSG Retail cyber-attack should be read as a decisive statement about responsibility in the digital age. By backing the Information Commissioner’s Office (ICO) and reaffirming that organisations must take appropriate security measures to protect all personal data, regardless of whether individuals can be directly identified from stolen datasets, the court has effectively closed a loophole that risked undermining the spirit of data protection altogether. 

At the heart of the case is the 2020 ICO fine of £500,000 imposed on DSG after a cyber-attack compromised the personal data of at least 14 million people. What followed was a prolonged legal dispute about what ‘security’ truly means under data protection law. DSG’s appeals to the First-tier Tribunal and Upper Tribunal raised an important and troubling question: could organisations escape responsibility if the data stolen by hackers was not immediately identifiable as belonging to specific individuals?

The Court of Appeal’s answer is a firm and welcome no. 

From the ICO’s perspective, ‘adequate’ security under data protection law is not a one-size-fits-all checklist. Organisations are expected to implement technical and organisational measures proportionate to the sensitivity of the data they hold, the scale of processing, and the evolving threat landscape. This typically includes measures such as encryption, access controls, regular patching and system updates, staff training, incident response planning, and ongoing risk assessments. Crucially, the ICO has consistently emphasised that adequate security is a continuous process rather than a static state: organisations must actively adapt safeguards as cyber threats change. Neglecting basic cyber hygiene would likely fall short of the legal standard, particularly where large volumes of personal data are involved. 

This judgment restores a common-sense interpretation of legal duty: organisations are responsible for safeguarding the personal data they hold, full stop. While paragraph 30 of ICO v DSG Retail Ltd [2026] EWCA Civ 140 makes clear that truly anonymised data falls outside the scope of data protection law, the practical difficulty lies in what is labelled ‘anonymised’ in the first place. Many organisations claim anonymisation when what they have achieved is little more than superficial pseudonymisation. Removing obvious identifiers is not the same as rendering data incapable of identifying individuals. The court’s clarification is therefore significant. Even where datasets extracted by hackers may not immediately identify individuals, protection obligations still apply if re-identification remains realistically possible. With modern analytics and data-matching techniques, harm does not require instant identification; it can emerge later through correlation, aggregation, or linkage with external datasets. In that context, treating lightly de-identified datasets as legally or practically harmless is dangerously complacent.

That said, the ruling acknowledges the lived reality of cyber-crime. As ICO General Counsel Binnie Goh rightly noted, cyber-attacks can cause real harm even when individuals are not immediately identifiable. Stolen data can be combined with other datasets or used for targeted scams. The emotional and financial consequences for affected individuals often last far longer than the breach itself. To suggest that the absence of instant identifiability reduces an organisation’s responsibility would be to ignore how modern cyber threats actually operate. 

The broader implications extend well beyond this case. Although the dispute is rooted in the Data Protection Act 1998, the Court of Appeal’s interpretation provides a guide to applying current data protection legislation. In practice, this means organisations cannot hide behind technical arguments about the usability of breached data. The duty to implement appropriate security measures is not conditional on how criminals might eventually use stolen information.

From an industry perspective, this ruling sends a necessary message. For too long, some organisations have treated cyber security as a compliance checkbox rather than a core operational obligation. Data protection is fundamentally about stewardship. Holding large volumes of personal data carries an inherent risk, and that risk must be matched by proportionate safeguards. 

It may be argued that imposing such a strict interpretation of responsibility is unfair in an environment where cyber-attacks are increasingly sophisticated and sometimes unavoidable. But this argument misses the point. The legal duty has never been to ensure perfect security, nor is this the expectation from the regulator. The objective is to take appropriate and proportionate measures. The Court of Appeal is rejecting complacency. Importantly, the decision also strengthens regulatory clarity. The ICO’s appeal sought guidance on a key point of law, and the resulting judgment removes ambiguity that could have weakened enforcement.  

As the case returns to the First-tier Tribunal to apply this clarified interpretation to the facts of the DSG breach, the legal process is not yet over. But the ground rules are now firmly established: organisations cannot downplay breaches simply because the stolen data is not immediately traceable to named individuals. When companies collect and store personal information at scale, they assume a duty that extends beyond technical compliance to ethical responsibility. The Court of Appeal’s ruling recognises this reality. It is a victory for the wider public, whose data is routinely entrusted to corporate systems that must be secured by design from the outset.
