
ICO v. DSG Retail - Data Protection Security Ruling

Source: ICO News & Blogs (ico.org.uk)
Filed February 19th, 2026
Detected February 19th, 2026

Summary

The UK's Information Commissioner's Office (ICO) has won a Court of Appeal case against DSG Retail Limited, upholding the ICO's interpretation of the security duty that underpinned its £500,000 fine issued in 2020. The ruling confirms that organisations must take appropriate security measures to protect all personal data they hold, regardless of whether individuals can be identified from the data an attacker exfiltrates. The case now returns to the First-tier Tribunal to apply that interpretation to the facts.

What changed

The UK's Information Commissioner's Office (ICO) has secured a significant victory in the Court of Appeal (CoA) concerning DSG Retail Limited. The CoA upheld the ICO's interpretation of data protection law, confirming that organisations have a legal duty to implement appropriate security measures to protect personal data from unauthorised access. That duty exists irrespective of whether individuals can be identified from the data compromised in a cyber attack. The ruling supports the ICO's original £500,000 fine, issued in 2020 after a cyber attack affecting the personal data of at least 14 million people.

The case was decided under the Data Protection Act 1998, but the CoA's reading of the security duty is a guide to the equivalent obligations in the current regime, including the UK GDPR and the Data Protection Act 2018. The case will return to the First-tier Tribunal to apply the CoA's interpretation to the specific facts, but the point of law is now settled. Compliance and security teams should review their data security controls to ensure they protect every category of personal data processed, not only records from which a person is directly identifiable: the duty attaches to the data the organisation holds, not to what an attacker can do with a particular stolen subset of it. The ICO has indicated that the decision strengthens its ability to take robust enforcement action in future cases.

What to do next

  1. Review data security policies to confirm they cover all personal data the organisation processes, regardless of whether individuals are directly identifiable from any given dataset.
  2. Assess current security measures against the legal standard the CoA confirmed: appropriate measures to protect personal data from unauthorised access.
  3. Ensure incident response plans assess and report harm from a breach even where attributing the exfiltrated data to specific individuals is difficult.

Penalties

£500,000 fine (issued 2020; the ICO's legal interpretation was upheld by the CoA and the case returns to the First-tier Tribunal)

Source document (simplified)

ICO wins Court of Appeal case in DSG Retail ruling

In its judgment published today, the CoA supports our grounds for appeal, reinstating a clear interpretation of the legal responsibility on organisations to keep personal data secure.

In 2020, we fined DSG £500,000 after a cyber attack affected the personal data of at least 14 million people.

Following appeals by DSG to the First-tier Tribunal (FTT) and Upper Tribunal (UT), we appealed to the CoA in 2024 to seek clarification from the court on an important point of data protection law.

The CoA judgment confirms that DSG was required to take appropriate security measures to protect personal data from unauthorised access – regardless of whether people could be identified from the data exfiltrated by the hackers.

Binnie Goh, ICO General Counsel, said:

“Today’s judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.

“We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.

“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”

While this case is rooted in the Data Protection Act 1998, the legal interpretation of the security duty by the CoA offers an important guide to similar requirements in the current data protection regime.

Now the point of law has been clarified by the CoA, the case will return to the FTT at a later date to apply this interpretation to the facts of the DSG cyber attack.


Notes to editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator that exists to empower people through their information rights. The ICO regulates the whole economy, including government and the public sector.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the United Kingdom General Data Protection Regulation, the Freedom of Information Act 2000, Environmental Information Regulations 2004, Privacy and Electronic Communications Regulations 2003 and a further five acts and regulations.
  3. Civil monetary penalties (CMP) are paid directly into the Consolidated Fund. From 1 April 2022, HM Treasury has allowed the ICO to keep some funds to cover certain pre-agreed costs up to a maximum cap of £7.5m per financial year. The approach is explained in our Annual Report and Accounts and is externally audited by the National Audit Office.
  4. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Information Commissioner's Office
Filed
February 19th, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Employers, Retailers, Manufacturers
Geographic scope
UK

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Cybersecurity, Data Security, GDPR
