The Court of Appeal rules in favour of the Information Commissioner’s Office (ICO) vs DSG Retail
The recent Court of Appeal ruling in favour of the Information Commissioner’s Office (ICO) against DSG Retail Limited clarifies a critical point regarding data security responsibilities. The court confirmed that organisations are legally required to take appropriate security measures to protect personal data from unauthorised access, regardless of whether individuals can be identified from the data if it were to be exfiltrated by hackers.
This means that simply encrypting data isn’t enough. Organisations can still be held liable for breaches if they haven’t implemented robust security measures to prevent unauthorised access in the first place, even if the stolen data is unusable to identify individuals. The ICO originally fined DSG £500,000 following a 2020 cyber-attack affecting 14 million people’s data, and this ruling reinforces the ICO’s position. You can find more details on the ruling here: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/ico-wins-court-of-appeal-case-in-dsg-retail-ruling/
Understanding the implications of this ruling requires a strategic approach to resilience. Organisations should seek to blend a consultative approach to risk management with the adoption of next-generation technological solutions to strengthen data security.
Take the next step to learn more about how Brookcourt can support your organisation to better safeguard against breaches and proactively mitigate threats to your sensitive data.


