Summary
The UK Court of Appeal has issued an important judgment reinforcing that organisations must implement appropriate technical and organisational measures to protect personal data, regardless of whether unauthorised third parties can identify individuals from the information. The ruling follows a case involving the Information Commissioner’s Office (ICO) and DSG Retail (now Currys) after a 2017–2018 cyberattack exposing millions of customer records.
This judgment reinforces that organisations must ensure robust data protection practices for all personal data, including information that appears low‑risk or not immediately identifiable. Regulatory expectations around cyber‑resilience, governance, and data security remain stringent.
Key Points
- Organisations have a legal duty to ensure appropriate security controls for all personal data, irrespective of identifiability.
- The judgment was made under the Data Protection Act 1998, but the ICO notes it remains highly relevant under UK GDPR and the Data Protection Act 2018.
- The case will return to the First‑Tier Tribunal to reapply the clarified legal interpretation to the facts of the cyberattack.
Recommended Actions
- Review and update technical and organisational security controls.
- Reassess risk models to ensure identifiability is not used to justify weaker security measures.
- Align security practices with ICO expectations under UK GDPR Article 32.
- Ensure incident response and breach management plans reflect current regulatory expectations.