Overview
Imagine hackers breach your organisation's systems and extract millions of payment card numbers, but they cannot actually identify any of the individuals behind those numbers. Has there been a personal data breach at all? That was the question at the heart of the case DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140, and the Court of Appeal's (CA) answer carries important consequences for every organisation that handles personal data.
The DSG cyber-attack
Between 2017 and 2018, DSG Retail Limited (DSG), operator of Dixons and Currys PC World, was the target of a large-scale cyber-attack. Hackers gained access to point-of-sale terminals across its stores and, over a nine-month period, extracted transaction data affecting more than 5.6 million payment cards.
The compromised data included 16-digit card numbers (known as Primary Account Numbers or PANs), card expiry dates and, in some cases, cardholder names. That said, the majority of the affected cards were protected by chip-and-PIN technology, which meant that in many cases the attackers did not obtain cardholder names or other personal information.
Following an investigation, the Information Commissioner's Office (ICO) found that DSG had breached its security obligations under the Data Protection Act 1998 (1998 Act). The regulator imposed a penalty of £500,000.
The legal question
Although the breach itself occurred before the GDPR came into force, the legal issue that reached the CA goes to the heart of modern data protection law. Does a controller's duty to implement appropriate technical and organisational measures (ATOMs) extend to protecting data against theft by third parties who cannot identify the individuals from the data set? Put another way, if the PAN data did not enable anyone, besides DSG, to identify a living individual, could there truly have been a personal data breach or a breach of security obligations?
Journey through the tribunals
The First-tier Tribunal (FtT) agreed with the ICO's position, finding that DSG had breached its duty to take ATOMs when protecting personal data. The FtT found that the card data constituted personal data because DSG itself could identify the cardholders by combining the PANs with other information already in its possession. In its reasoning, the FtT analysed the three-limb definition of personal data:
- "Data that identifies a living individual directly;
- Data that identifies a living individual indirectly when combined with other information held (or reasonably likely to be held) by the data controller; and
- Data that indirectly identifies a living individual where the additional information is, or is reasonably likely to be, in the possession of a third party."
The FtT concluded that the data was personal data and the security duty under Principle 7 of the 1998 Act (DPP7), requiring controllers to take ATOMs "against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data", applied. This duty continued to apply even when data "is unlawfully processed in isolation by a third party". The controller's obligation to implement ATOMs will remain whilst the data remains personal data "in the hands of the controller".
DSG did not accept this reasoning and appealed to the Upper Tribunal (UT). Its central argument was that the security duty under DPP7 is triggered when an organisation is protecting personal data against "unauthorised or unlawful processing". Based on this, DSG argued that the stolen information would not amount to personal data in the hands of the attackers, as they could not identify any living individual from it, hence there was no obligation to guard against that particular risk.
To assess whether information qualifies as personal data for this purpose, the UT held that the correct perspective is that of the third party receiving the data. The relevant question becomes whether that recipient could identify an individual using only the data available to them, and if so, an organisation will need to apply ATOMs under DPP7.
In its findings, the UT accepted DSG's arguments based on the following observations:
- Information may remain personal data for a controller who retains the additional identifying material, but may not be personal data for a third party who lacks the means to re-identify individuals.
- Whether data enables direct or indirect identification depends on statutory duties and the nature of the processing.
- If information leaves the controller's possession and cannot be linked to a living individual by the recipient, it may lose its "character" as "personal data" at the moment of disclosure.
The ICO subsequently appealed this decision to the CA.
The CA's verdict
The CA allowed the ICO's appeal and restored the FtT's original decision. In doing so, it revisited the definition of personal data under the 1998 Act and the Data Protection Directive (95/46/EC) (Directive). The CA noted that the definition captures two categories:
- Data from which a living individual can be directly identified by anyone; and
- Data from which an individual can be indirectly identified when combined with other information held by the data controller.
The CA emphasised that this second category reflects the deliberately "broad" scope of the concept of personal data, the key question being whether the controller can identify the individual even if nobody else can. As long as the controller continues to hold information from which an individual can be indirectly identified, the data will remain personal data.
Turning to DPP7, the CA held that the security duty applies to all information that qualifies as personal data, that is, all data relating to individuals who are identifiable to the controller. Nothing in the statutory language suggests that this duty should be reduced depending on whether a third party could identify those individuals.
The CA highlighted that this security duty arises out of the legal relationship between the data subject and the controller. Individuals entrust their personal data to controllers for specific purposes, and in return the law imposes duties on controllers, including the duty to keep that data safe. That obligation applies to all the personal data entrusted to the controller, not merely those elements that would remain identifiable if extracted by a malicious actor. "The law was never intended to let controllers pick and choose which bits they need to secure".
Further, if a controller's security duty were limited in this way, there would be no obligation for a controller to take any measures against the risk of deliberate third-party interference with data held by the controller, such as malicious encryption, deletion, alteration or extraction, where the third party was unable to identify the individuals to whom such data relate.
The CA noted that cyber-attacks such as hacking, ransomware and data theft are now widespread features of modern life. It firmly rejected the suggestion that such attacks are harmless to data subjects merely because the attacker cannot identify the individuals concerned, and held that such a situation does not diminish the controller's duty to protect personal data.
The takeaway is clear. If the data qualifies as "personal data" in the hands of the controller because the business itself can link it to identifiable individuals, then the full weight of the security obligation applies. The fact that those who gained unauthorised access may have walked away with what, to them, looked like meaningless strings of digits is irrelevant. As such, a security failure does not cease to be a personal data breach simply because the attackers could not identify individuals from the data.
Implications under the current regulatory regime
Although this case was decided under the 1998 Act, the CA's reasoning has clear relevance to the current data protection regime. The definition of "personal data" under the GDPR is materially similar to that in the Directive, which underpinned the 1998 Act. The security obligation in Article 32 of the GDPR likewise requires controllers to implement ATOMs to ensure a level of security appropriate to the risk. This controller-centric approach means organisations cannot limit protective measures based on what third parties might do with breached data.
This case also touches on a number of interesting points around anonymisation. While there is now a growing consensus that personal data in one party's hands may not be considered personal data in the hands of another (which aligns with the SRB decision; see our article here), the message is simple: if it is personal data to you or your organisation, you must protect it as such, irrespective of the fact that it might not be considered personal data in the hands of another.
Controllers should review their security arrangements in light of this decision to ensure they are taking appropriate measures to protect all personal data against the full spectrum of modern cyber threats.
